There is a lot of talk in the cybersecurity world about Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems that run the US power grid, water utilities, gas pipelines, oil refineries, and countless factories. We discussed how all this might play out in the electrical grid when I reviewed Ted Koppel’s new book Lights Out.
We saw the kind of damage that an IoT botnet could achieve when the Mirai botnet took large chunks of the Internet offline for part of a day. Do ICS and SCADA systems represent the same sort of risk?
The answer is: not likely. And the principal reason makes sense. It is true that many of these ICS and SCADA systems were designed for private wide area networks, and never designed to be connected to the Internet. Nevertheless, this is happening. The good news is that the industrial controls marketplace is dominated by a few very large players such as General Electric, Honeywell, and Siemens. These companies are not driven by the same rush-to-market forces that the little IoT manufacturers are. More importantly, there are competitive advantages for these ICS manufacturers in providing better security systems than their competition. Additionally, their large size and long presence in the market mean they are more likely to be designing security in from the start, rather than as an afterthought.
They are also likely to know exactly who has what product and where it is located. So in the event that there is a major firmware or software update, they can get it out quickly to the companies that need it. Their customers are also mostly large and technically sophisticated companies that are able to handle this sort of upgrade without any serious issue.
But let's not forget that Stuxnet was designed expressly to attack a very specific Siemens industrial controller. So the risk is very real. ICS and SCADA systems need to be secured as well as, if not better than, other automated systems. For the most part, these security systems are in place where they are needed.