There is a lot of talk in the cybersecurity world about Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems that run the US power grid, water utilities, gas piplines, oil refineries, and countless factories. We discussed how all this might play out in the electrical grid when I reviewed Ted Koppel’s new book Lights Out.
We saw the kind of damage that an IoT botnet could achieve when the Mirai botnet took large chunks of the Internet offline for part of a day. Do ICS and SCADA systems represent the same sort of risk?
The answer is: not likely. And the principle reason makes sense. It is true that many of these ICS and SCADA systems were designed for private wide area networks, and never designed to be connected to the Internet. Nevertheless, this is happening. The good news is that the industrial controls marketplace are dominated by a few very large players such as General Electric, Honeywell, and Siemens. These companies are not driven by the same rush to market forces that the little IoT manufacturers are. More importantly, there are competitive advantages to these ICS manufacturers to provide better security systems than their competition. Additionally, their large size and long presence in the market means they are more likely to be designing security in from the start, rather than as an afterthought.
They are also likely to know exactly who has what product and where it is located. So in the event that there is a major firmware or software update, they can get it out quickly to the companies who need it. Their customers are also mostly large and technically sophisticated companies who are able to handle these sort of upgrades without an serious issue.
But lets not forget that Stuxnet was designed expressly to attack a very specific Siemens industrial controller. So the risk is very real. ICS and SCAD systems need to be secured as well, if not better, than other automated systems. For the most part, these security systems are in place where they are needed.Share
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com