SCADA Plus Smartphone Equals Insecure Utilities

What if cyber-criminals or enemy nations could take over the computer control systems that run electric utilities, water systems, or traffic control systems for traffic lights and commuter trains?  The effects could be disastrous.

We have written about these systems before.  These are known as SCADA (supervisory control and data acquisition) or ICS (industrial control systems).  One of the claims of the industries that use SCADA systems is that they are inherently secure because these information networks are “air-gapped” or not directly connected to the Internet.  In order to breach a SCADA network, the attacker would need to have physical access to the network.  Breaking into the buildings where these networks are located is supposed to be quite difficult.  Watch the video (below) from RedTeam Security of St. Paul to see just how difficult it really is.

SCADA and ICS systems are being connected to the Internet all the time now using a familiar and popular tool – the smartphone app.  In a rush to deliver useful features to SCADA and ICS management personnel, smartphone apps are being developed and deployed without proper regard for security issues.  Recent tests by IOActive Labs and Embedi of 34 apps from Google Play found 147 security vulnerabilities.  These vulnerabilities include:

  • 32 apps (out of 34) had no root or code protection.
  • 20 used poor authorization.
  • 20 used insecure data storage.
  • 18 lacked protection from reverse engineering the computer code.
  • 12 exhibited poor-quality coding.
  • 11 used insecure and unencrypted communication channels.
  • 8 used poor or no cryptography.
  • 7 apps exposed vulnerabilities on back-end servers, such as SQL injection or cross-site scripting (XSS).
  • 6 had insecure authentication.

These are vulnerabilities that a foreign cyber warrior or cyber criminal could exploit to take critical utilities and infrastructure out of service or hold them for ransom.  Unfortunately, the major industrial manufacturers who build utility systems and other critical infrastructure have not been as receptive to improving and properly securing the software applications that run them.  The inclusion of smartphone apps in the management and control stack is just making the problem worse.

Since companies seem unwilling to regulate themselves in this regard, it would fall to the government to legislate proper security controls and provide administrative oversight and inspection.  But this is not going to happen either, since the players in this space have the ability to make major campaign contributions.

We will probably keep kicking this can down the road until after some terrifying breach takes place.  And then it will be two years of finger pointing, blaming, and Congressional hearings before anything useful happens.  I just hope there is something left to secure when it is over.

And for your entertainment – the following video.  This is a legal hack by professional penetration testers.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
