SCADA Plus Smartphone Equals Insecure Utilities

What if cyber-criminals or enemy nations could take over the computer control systems that run electric utilities, water systems, or traffic control systems for traffic lights and commuter trains?  The effects could be disastrous.

We have written about these systems before.  These are known as SCADA (supervisory control and data acquisition) or ICS (industrial control systems).  One of the claims of the industries that use SCADA systems is that they are inherently secure because these information networks are “air-gapped” or not directly connected to the Internet.  In order to breach a SCADA network, the attacker would need to have physical access to the network.  Breaking into the buildings where these networks are located is supposed to be quite difficult.  Watch the video (below) from RedTeam Security of St. Paul to see just how difficult it really is.

SCADA and ICS systems are being connected to the Internet all the time now using a familiar and popular tool – the smartphone app.  In a rush to deliver useful features to SCADA and ICS management personnel, smartphone apps are being developed and deployed without proper regard for security issues.  Recent tests by IOActive Labs and Embedi of 34 apps from Google Play found 147 security vulnerabilities.  These vulnerabilities include:

  • 32 apps (out of 34) had no root or code protection.
  • 20 used poor authorization.
  • 20 used insecure data storage.
  • 18 lacked protection from reverse engineering the computer code.
  • 12 exhibited poor-quality coding.
  • 11 used insecure and unencrypted communication channels.
  • 8 used poor or no cryptography.
  • 7 apps exposed vulnerabilities on back-end servers, such as SQL injection or cross-site scripting (XSS).
  • 6 had insecure authentication.

These are vulnerabilities that a foreign cyber warrior or cyber criminal could exploit to take critical utilities and infrastructure out of service or hold them for ransom.  Unfortunately, the major industrial manufacturers who build utility systems and other critical infrastructure have not been as receptive to improving and properly securing the software applications that run them.  The inclusion of smartphone apps in the management and control stack is just making the problem worse.

Since companies seem unwilling to regulate themselves in this regard, it would fall to the government to legislate proper security controls and provide administrative oversight and inspection.  But this is not going to happen either, since the players in this space have the ability to make major campaign contributions.

We will probably keep kicking this can down the road until after some terrifying breach takes place.  And then it will be two years of finger pointing, blaming, and Congressional hearings before anything useful happens.  I just hope there is something left to secure when it is over.

And for your entertainment – the following video.  This is a legal hack by professional penetration testers.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
