Vulnerability of SCADA Systems to Cybersecurity Attacks
Many different organizations and companies use SCADA/ICS (Supervisory Control and Data Acquisition/Industrial Control Systems) systems in various ways in their primary (production) processes or products. This includes manufacturing companies, control of bridges and locks, electric cars, equipment in intensive care units, as well as pacemakers and wireless insulin pumps. IoT (Internet of Things) is also playing an increasingly significant role in this context.
The key difference compared to risks in office automation is that the risk of incorrect control of these devices, such as through hacking, can lead to actual casualties. The question is not whether there will be casualties as a result of a cyberattack but when. This is what my vision "where the physical and digital worlds meet" advocates. No more downtime of office computers or data loss, but real risks related to the deliberate incorrect control of physical machines where casualties can occur. I expect that this will happen sooner rather than later.
In practice, we see that there is still much work to be done to secure SCADA environments better. The global ransomware attack that disrupted cargo handling systems in the Port of Rotterdam is still fresh in our memories. Last week, an article in Binnenlands Bestuur reported that the security of locks and pumping stations in water boards leaves much to be desired.
Many parties lack an understanding of the complexity of the issue. They also often do not know which steps to take to efficiently address the threats to SCADA environments.
From our own practical experience, we have recognized this issue and developed a poster that can serve as a visual aid for discussing cybersecurity in SCADA environments. The poster provides an overview of the risks associated with SCADA and their consequences for the organization, along with a set of straightforward steps to mitigate these risks. Lastly, the poster offers insights into future developments so that parties can proactively prepare with appropriate security measures.
The poster incorporates practical experiences we have gained from working with various organizations. One of these organizations is Rijkswaterstaat, which we supported in the IMPAKT project over the past three years to enhance cybersecurity for bridges, locks, barriers, traffic control centers, and tunnels.
In several follow-up blogs, I will further explore the various elements included in the Highberg SCADA Cybersecurity Poster.