SCADA Stories to Tell in the Dark
Alright, campers, gather ‘round. Have you ever heard of the acronym SCADA? It stands for “Supervisory Control and Data Acquisition”. SCADA is pretty important stuff; it encompasses all the systems that control our cities. Our electrical grids, our traffic control lights, our water supply and sanitation systems, even our power plants.
So now — the sun has set, there’s a chill in the air and it’s almost Halloween. Huddle up to the warm glow of your computer monitors and I’ll tell you all a ghost story…
In fact, you may have already heard this one. It’s the one about a hacker who created a sophisticated self-replicating computer program that could spread itself — completely undetected — into the controller hardware for nuclear facilities around the world. It was beyond stealthy, even deleting itself if necessary. It would spread virulently, but become totally inert on systems that didn’t meet its exacting requirements, waiting for further opportunity to infect other hosts. Once inside a desired nuclear reactor host computer, it could dangerously modify the operation of the reactor equipment while at the same time sending bogus statistics back to the operator’s terminal, telling him everything was fine, until it was too late…
The scariest part, though? This actually happened. The worm I’m referring to was known as Stuxnet. There have actually been several versions of the Stuxnet worm, but the one I described was used to attack Iranian nuclear power plants. Stuxnet never caused any meltdowns, not because it couldn’t have with the level of control it was able to achieve, but because it was programmed not to.
But why make Stuxnet in the first place? No one can say for sure, since no one knows specifically who made the software, though it’s likely that its development was funded by a government. The software is so sophisticated, and requires such a deep understanding of the targeted systems, that it would have required an incredible amount of time and effort to create. What’s worse, analysis of the spread of the worm seems to indicate that the initial release and spread of that strain of Stuxnet was unintentional. A programming error caused that version of Stuxnet to spread beyond the targeted plant, and go on to infect nearly sixty percent of all the computers in Iran. The worm has even been found on a small percentage of computers in the US. To top it all off, there have even been reports of software very similar to Stuxnet being sold on the black market.
Here’s a video that goes into more detail about Stuxnet if you’re interested. It’s really a fascinating story.
Situations like Stuxnet are quickly revealing how truly insecure so much of our technology and infrastructure is. Stuxnet targeted Iranian nuclear power plants, but those are far from the only vulnerable SCADA systems in operation today. Stuxnet was likely developed by a highly skilled team over the course of several years, but as software and technology progress, the skill barrier that once stood in the way of a task like Stuxnet will begin to evaporate. Even now, you can use a simple search engine to locate potentially vulnerable SCADA interfaces on the internet.
All of this means that, in the coming years, there is going to be a steady increase in the demand for security professionals to design and implement more secure systems; so if that seems like something you would be interested in doing as a career, you might want to look into Network Security as a major… before it’s too late!