SCADA (supervisory control and data acquisition) is to engineers what a life support system is to surgeons. But unfortunately poor development and operating practices make security a little shaky, writes Phil Kernick.
Engineers – myself included – are long-term thinkers who design robust and resilient systems to be used over many decades. A bolt is a bolt and a truss is a truss. These don’t change often, and this is the way things are taught at university.
The area where this mindset causes grief is when we put computerised things in the middle of it, and SCADA is a prime example. Unfortunately, in the IT world a system is secure and fit for purpose when it is deployed, but it won’t be in the following weeks or months, and the system might just fall over at some point in the future.
Safety bypasses security
Engineering safety is thought out well, except when it comes to IT and cyber security. We don’t have the equivalent of “cyber high visibility shirts” when it comes to engineering and while we would never think of running something physical in an unsafe way, we don’t think about this level of safety from a cyber perspective.
When we’re building a bridge, we have to remember there is always someone trying to saw through the bolts.
Software and IT systems can be treated the same way as physical systems, and that is the key issue we need to get into engineering schools. Let’s stop thinking in timeframes of decades, or even years, but rather in the here and now. It is hard to get this through in an operating environment when people are not taught this.
When working with engineers I have often found that someone has designed and built a very functional system and then walked away from it. Unfortunately, commercial software systems are not secure by design, and SCADA is no exception.
SCADA is a 20-year-old software system and it won’t operate securely in the future. When something wasn’t designed for a threat, it can’t be resilient against it. We can think about physical operating conditions and we can design for those; for example, a temperature range is thought about from an engineering perspective. But now that is changing, and we have to think about changing adversaries.
Sites can continue to operate even after they have been compromised, and many engineering systems are not designed to be operated while connected to the Internet. These days every SCADA environment is connected to something, be it radio, 4G, or a corporate environment, because we want to know about the efficiency of our factories.
Education key to SCADA protection
There isn’t a disconnected SCADA system in the world, but they are treated and designed as if they are, so we need to educate our young engineers on the importance of connected industry.
Imagine if you were at an airport and your bags didn’t appear because some malware routed them to another terminal or airport. Many of these industrial systems weren’t designed to be resilient, and I wonder if they are even fit for purpose.
A lot of SCADA systems are not designed by engineers, and in many cases they are managed by trade staff without an understanding of software engineering, let alone skill in the art of keeping things safe. In every other way they are trained in safety from the ground up, but their cyber education is sorely lacking.
I spent a year going to every SCADA conference I could find, and in many cases it seemed as though IT and operational technology (OT) people were throwing rocks at each other. It is clear we need more education and cooperation to keep our critical infrastructure secure and operational.
When building a bridge over a desert, we can’t use the same design as for an oil rig. We would never do that in the physical engineering world, as they are different environments, but this is a massive blind spot with SCADA.
I wish more people, including software engineers, thought like engineers, but I can see problems on the path we are on with the merger of IT and OT. Cyber security folks also need to help people understand what is going on with persistent threats.
There isn’t a SCADA engineering degree yet, but there is no reason why there shouldn’t be one, as this is just as important as engineering design.
The government can also help by enhancing training and getting the curriculum of SCADA security started early, not after it’s too late.
Phil Kernick is the Chief Technology Officer of CQR Consulting.
This article was originally published as “Staying SCADA secure” in the November 2018 edition of create.