How the Internet of Things Puts SCADA Systems at Risk

Since operational technology was built pre-Internet and is goal-oriented, its security is not always a top priority

by Kayla Nick-Kearney, Techwire / April 20, 2017
Shutterstock

As the Internet of Things (IoT) becomes more pervasive in everyday life, more industrial systems are connected to the Internet, which creates risk to the operational technology (OT) involved in running those systems.

That was one of the takeaway messages during a symposium on Thursday that discussed security issues surrounding “supervisory control and data acquisition” (SCADA) systems and the Industrial Internet of Things (IIoT). The event was organized by Techwire parent company e.Republic and sponsored by ForeScout, Intel Security and Dyntek.

Operational technology refers to all technology that’s involved in real-world and time-sensitive processes, and its associated SCADA controls pipelines, HVAC systems and factories.

"It's very important that IT folks know that there are major differences between the IT system and the ramifications if they go down versus what will happen if a system goes down on the SCADA side of the house," said Intel Security's Senior Cyber Security Consultant Khaled Brown during the panel discussion.

Since OT is technology that was built pre-Internet and is goal-oriented, its security is not always a top priority, Brown said. Others agreed.

"I think it's still sort of a nascent field which is ironic because industrial systems, operational systems are from a past era," said Alex Eisen, a security researcher for ForeScout. Eisen later continued, "Think about trains, iron, mechanical engineering, electrical engineering and now we find ourselves in this modern world, information age, where a lot of these hard skills and experience is sort of tucked away."

The panel discussed risks to assuming OT and IT systems are not connected. Brown went on to describe multiple attacks that have happened because of unknown entanglement between the two systems.

The panelists — which included representatives from SMUD, the Sacramento Regional County Sanitation District, security companies, and others — discussed how OT systems can be protected:

1. Checking vulnerability updates — IT employees can keep up to date on OT vulnerabilities by checking in with vendors and drawing attention to concerns.

2. Third-party​ patching — The OT vendor must have approved the patch since any applications could shut down while patches are being made. Even virus protection could shut down the system because the system regularly creates and deletes new files to fulfill its function.

3. Physical security — This means knowing who handles hardware while in transit, giving background checks to those ​handling hardware and maintaining security cameras, on a separated network, that can watch for hardware that should not be connected to the OT system.

4. Updating interfaces — Maintaining up-to-date maps and lists of where hardware is working. Not knowing where things are means they cannot be secured.

5. Standards compliance — Understanding the standards that apply to an industry and whether or not a patch will meet those requirements will allow operators to assess the patch's worth and plan risk assessment.

6. Meeting regularly with OT — Building relationships with OT operators allows for a more in-depth understanding of the system and employee concerns.

This article was originally published on Techwire.