What's the deal with SCADA & Smart Grid?

I have to admit that I don't have any background in SCADA or Smart Grid, nor have I done any research into the topic. That being said, I'd have to be blind to not notice all the references in infosec these past few years to these systems. Shoot, just in the past couple weeks Siemens SCADA network was having issues with a new 0-day of malware (related to LNK files).

Why are SCADA systems connected to the Internet? I just don't see the upside. At all. It seems like these systems were designed to be closed, and that there's not really any good reason for that status to have been changed. So, what am I missing? 10 years ago the hubris-drenched response from energy companies was that we needn't worry as their systems weren't Internet-connected. Now, it seems, we're at the other extreme, with what seems to be no appreciable improvements to infrastructure security.

And then there's Smart Grid. Supposedly there are better security measures in place, but they can't be too good from what I've heard. This one actually completely blows my mind, because if I were to design a networked system like this from scratch, I think I'd start with FIPS-compliant, tamper-proof crypto modules that securely generate and store keys, and then build out from there such that the entire system is based on encrypted channels. I'd leverage IPv6 and IPSEC, hardware-accelerate as much of the crypto as possible, and even make sure that the devices only could run an encrypted and signed firmware. I guess I'm guess crazy that way.

As per usual, it seems that the more things change, the more they stay the same. It's a pity, really, as we've made considerable improvements over the years. Of course, if the financial services industry isn't doing a good job protecting ATMs, then I guess there's no reason to hope that the energy industry would protect the grid. *sigh*

About this Entry

This page contains a single entry by Ben Tomhave published on July 31, 2010 12:28 PM.

Speaking at ISSA International Conference was the previous entry in this blog.

Dear People, Enough With the One-Time Code Tokens is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.

Monthly Archives


  • about
Powered by Movable Type 6.3.7