Who is scared of SCADA?

Rob Livingstone
Rob is a respected and experienced CIO, with more than three decades of industry and ICT experience. Over the last 16 years he has held the CIO role at several multinationals, most recently Ricoh. He is the owner of Rob Livingstone Advisory and a Fellow of University of Technology, Sydney. Rob delivers the Pathways Advanced and Business ICT leadership programs in conjunction with the CIO Executive Council.

Wearing embedded technology may just stop you dead in your tracks. Could the same happen if you adopt it in your business?

If you wear an implanted medical device such as a pacemaker, insulin pump or cardiac defibrillator, you should be aware there are known vulnerabilities that could trigger a remote wireless attack on them from up to a kilometre away. The recent admission from former US vice-president Dick Cheney that his defibrillator was modified to prevent remote hacking therefore comes as no surprise: documented cases of vulnerabilities in wireless-enabled embedded monitoring and control systems being actively exploited are on the rise.

These embedded technologies fall under the category of what are termed SCADA (Supervisory Control and Data Acquisition) systems. For the most part, these specialised computer networks and devices work in concert to monitor and control key processes involved in managing physical items including machinery, equipment and facilities. SCADA systems are used to control some of our country’s most critical infrastructure as well as day-to-day jobs such as traffic management, electricity and other utilities and building systems.

SCADA systems are most often used in manufacturing, which has declined in Australia from its peak of 25 per cent of the economy in the 1960s to below 10 per cent. Given this drop-off, it is not surprising mainstream IT discussions in Australia seem to ignore SCADA systems.

In addition, CIOs working in the financial services, legal or government sectors are unlikely to encounter SCADA systems given they are removed from ‘physical’ systems.

But the mission-critical nature of SCADA systems in other industries means an attack has the potential to cause, either directly or indirectly, financial losses (through data theft or actual physical damage or destruction), environmental disasters, service interruption and even loss of life.

Increasingly, SCADA systems have been connected to enterprise networks and the Internet for all the right reasons, including lowering operating costs and allowing remote management and monitoring. However, this also increases the attack surface exposed to cyber-attack.

Cloud + SCADA = risk

In the report "A Survey of SCADA and Critical Infrastructure Incidents", Bill Miller and Dale C Rowe of Brigham Young University compiled data on 15 SCADA cyber-attacks using a range of methods. Stuxnet (2010), Night Dragon (2011) and Flame (2012) are some of the other better-known and publicised attacks on SCADA. So as a CIO, what could or should you do?

To make sure your organisation is aware of the risks of network-attached SCADA systems, here are a few pointers to help start the conversation:

1. Identify which of your executives is ultimately accountable for SCADA systems security, and ensure they are fully informed about the technical and systemic risks to the organisation from an inappropriate security posture.

2. Ensure your inventory of network-capable SCADA and embedded technologies is accurately maintained.

3. Identify where, if at all, network-enabled or cloud-based ‘command and control’ capabilities exist over your SCADA systems, and seek evidence of the effectiveness of the information security management processes.

In summary, effective management of SCADA and other embedded systems should form a key element of your enterprise’s information security management system. If it does not, you may find your organisation in the intensive care ward.


