Infrastructure Security: Securing SCADA
by Phil Leggiere   
Monday, 01 September 2008

For too long, the software running America’s critical facilities has been known to be vulnerable to tampering. Now engineers and officials are doing something about it.



Late one night, a small group of men drove out from the city, finding their way to a two-lane dirt road, which brought them to a remote substation owned by a large southwestern electric utility. Without even leaving their vehicle, they spotted a wireless network antenna. Plugging in their wireless local area network cards, they fired up two notebook computers.

Within five minutes, without once needing to provide passwords, they had gained entry into the substation’s informational control system. Within 10 minutes, they had a detailed schematic map of every piece of equipment in the facility at their fingertips. Over the next five minutes they established communication with, and were effectively in control of, every piece of equipment in the operational control network, and were able to relay commands to the remote terminal units sprinkled throughout the grid that regulated power flow. In just a few more minutes, without ever having to leave their car, they had accessed detailed specifications of the most heavily loaded transmission lines, obtained dial-in ports to the most critical substations in the power grid, and had the ability to manipulate settings to trigger a power outage affecting many—perhaps all—of the utility’s 4 million customers.

Fortunately, this drive-by team had no malicious intent. In fact, as recounted in a mechanical engineering journal, they were researching network system vulnerabilities at the behest of the utility in question. But their exercise highlighted the alarmingly limited means one or more people who do intend damage would need to effectively “pop the hood” of the utility control system, seriously disrupting normal operations or worse.

A legacy of insecurity

Why were they able to do all this? Because they had uncovered some of the all too common vulnerabilities in what many experts increasingly see as the Achilles’ heel of America’s critical infrastructure cybersecurity: SCADA (Supervisory Control and Data Acquisition), the venerable system on which most of America’s vital infrastructure operations still run.

Ubiquitously used by utilities and industries, SCADA systems provide automated control and remote human monitoring of the ongoing processes that keep oil and natural gas, electric power, rail transportation, water and wastewater systems working.

Even among a public increasingly conversant with technological arcana, SCADA, though far older than more fashionable protocols like Ethernet IP, Bluetooth and Wi-Fi, has remained largely unknown outside tiny engineering circles. Indeed, obscurity was the whole idea.

“When SCADA systems first appeared during the late 1960s and early 1970s, platforms were largely mainframe computers operating proprietary systems all then still based on closed operating systems in a closed proprietary environment,” Alfonso Valdes, senior computer scientist at Menlo Park, Calif.-based SRI International, a nonprofit research institute that has done extensive research and development for government agencies on SCADA system vulnerabilities, told HSToday. “SCADA operating information was siloed off or, as we called it, ‘air gapped.’ None of it was exchanged with, or made available to, groups outside of operations. It remained completely disconnected from wider business systems, much less communications networks which interfaced outside the enterprise.”

For this reason, security for SCADA was traditionally an afterthought at best, and more commonly not even that. “It’s amazing, looking at it from the perspective of 2008, how utterly devoid of any concern for security these systems operated. It just wasn’t a factor,” Valdes said.

With SCADA systems out of sight and mostly out of mind for information technology (IT) managers, the assumption, now archaic, was that these systems couldn’t and wouldn’t ever be accessed through corporate networks or from remote access points. Password protocols universal in the world of IT were therefore not applied.

“It’s always been typical for SCADA passwords to be shared among multiple users,” Valdes explained. Further, he said, “the SCADA system was set up to perform without interruptions, so most of these systems were never upgraded or patched, nor were such now-common tools as access control and intrusion detection ever deployed. For many decades these systems have been run by and for engineers for whom developing and maintaining state-of-the-art security has never been a priority.”

Control systems exposed

Within the industrial world, SCADA has steadily moved out of the shadows in the past decade. These days, process control systems frequently use an enterprise local area network (LAN) and Internet protocols (IP). In addition, process control traffic may be commingled with Web pages, e-mail, P2P (peer-to-peer) traffic or VoIP (voice-over-Internet protocol).

“There’s been a remorseless logic moving forward to open up data that used to be completely obscure,” said Jennifer Depot, manager of critical infrastructure systems at Albuquerque, NM-based Sandia Laboratories, an engineering and science research institute that houses the national Center for SCADA Security. “The operations control piece of technology used to be completely specialized and separate, but there’s been a big push to integrate more control systems into business networks which have a far more public interface.”

Compelling as the logic of integration and efficiency is, it has increasingly exposed the inner controls of critical infrastructure systems.
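The exposure described above can be checked for directly in network flow records. The following is an added example, not from the article or from any of the organizations it quotes: it flags business-class traffic (web, e-mail, P2P, VoIP) touching the control segment and control-protocol connections from hosts outside the control network or the engineering allow-list. The address ranges, the allow-list and the sample flows are constructed assumptions; the Modbus/TCP and DNP3 port numbers are their standard defaults.

```python
# Assumed network layout (not from the article): control VLAN prefix and the
# engineering hosts permitted to speak control protocols into it.
CONTROL_NET = "10.20.0."
ENGINEERING_HOSTS = {"10.10.5.7"}

# Standard ports: Modbus/TCP (502) and DNP3 (20000).
CONTROL_PORTS = {502, 20000}

# Business traffic the article says now shares the wire with process control.
BUSINESS_PORTS = {25: "e-mail", 80: "web", 443: "web", 5060: "VoIP", 6881: "P2P"}

# Constructed sample flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.5.7",  "10.20.0.12", 502),    # engineering HMI -> RTU: permitted
    ("10.10.8.44", "10.20.0.12", 502),    # office PC -> RTU: unauthorized source
    ("10.20.0.12", "203.0.113.9", 25),    # RTU sending e-mail out: commingled
    ("10.20.0.30", "10.20.0.12", 20000),  # intra-control DNP3: permitted
    ("10.10.8.44", "10.20.0.30", 80),     # web traffic to a controller: commingled
]


def in_control_net(ip):
    return ip.startswith(CONTROL_NET)


def classify(flow):
    """Return a finding string for a flow that violates segmentation, else None."""
    src, dst, port = flow
    if not (in_control_net(src) or in_control_net(dst)):
        return None  # flow never touches the control segment
    if port in BUSINESS_PORTS:
        return f"commingled {BUSINESS_PORTS[port]} traffic on control segment: {src}->{dst}:{port}"
    if port in CONTROL_PORTS:
        if in_control_net(src) or src in ENGINEERING_HOSTS:
            return None  # control protocol from a permitted source
        return f"control protocol from unauthorized host {src}->{dst}:{port}"
    return f"unexpected port {port} on control segment: {src}->{dst}"


def audit(flows):
    """Run classify() over every flow and keep only the findings."""
    return [msg for msg in (classify(f) for f in flows) if msg]


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Fed real flow exports, the same logic gives an operator a first inventory of where business traffic has crept onto the control network.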

SCADA systems are potentially vulnerable to viruses, worms, and other malware, for instance. In late 2006, a foreign hacker penetrated security at a water filtering plant near Harrisburg, Pa., planting malicious software capable of affecting the plant’s water treatment operations. The hacker tried to covertly use the computer system as a distribution system for e-mails or pirated software.

Another danger is “inside jobs” by disgruntled workers who know the system. A famous example of this occurred in Australia in April 2000, when Vitek Boden, a former contractor, took control of the SCADA system controlling the sewage and water treatment system at Queensland’s Maroochy Shire. Using a wireless connection and a stolen computer, Boden released millions of gallons of raw sewage and sludge into creeks, parks and a nearby hotel.