SCADA Systems Vulnerable Despite Risk Awareness, Finds SANS Survey

A survey of nearly 700 SCADA control systems revealed that security risk awareness is at an all-time high but protection is still lacking, according to the SANS (SysAdmin, Audit, Network, Security) Institute.

Because SCADA systems are predicted to be highly targeted during 2013 as a result of cyber war, the survey conducted revealed that proper security measures to prevent cyber-attacks are falling behind.

With state-sponsored malware opening a new age of cyber warfare, SCADA systems were deemed highly vulnerable and likely targeted in future attacks on key infrastructure systems.

“Control system cyber assets are vulnerable, threats are escalating and the industry is aware of these facts,” says survey paper author Matthew Luallen, a senior SANS analyst and SCADA/process control system expert who teaches on this subject at DePaul University. “Stuxnet can be cited for finally raising risk awareness, but some of this awareness is experiential: In the survey, 33% of respondents know or suspect they’ve been breached.”

Mostly focusing on protecting computers operating SCADA devices, such proprietary control systems have little to no security features built-in. The irony is that SCADA systems run “above” protected computers and lack security features.

“This is the first time I have seen a succinct review of the problems faced by all industries using SCADA technologies,” said Barbara Filkins, a SANS analyst, advisor to the survey and healthcare privacy expert. “I’m voluntary president of our mutual water company and our board is considering installing a SCADA system. I will definitely use some of the findings in this survey to help guide our selection.”

Concluding that SCDA systems still lack proper security systems, analysts believe vendors of such solutions should work with security experts to patch vulnerabilities and improve their security.