SCADA: Security vulnerabilities in utility systems (even without Internet)

What is it: http://www.sandia.gov/scada/history.htm

how it’s vulnerable:

http://www.automationworld.com/news-957

http://www.theregister.co.uk/2008/09/08/scada_exploit_released/

http://www.networkworld.com/news/2008/040908-rsa-hack-power-grid.html

If you read enough of these you can piece together that the SCADA systems don’t have to have a direct connection to the Internet for an attack to occur. Many of the existing utility systems have SCADA systems connected to dial-up modems and/or private radio networks. At least one penetration testing toolkit (Metasploit) contains code which can be used to attack a SCADA host if a dial-up or radio connection has been made.

examples of real SCADA attacks:

Australian hacker exploits ODBC vulnerability to dump millions of gallons of sewage.

http://www.computerworld.com/s/article/108735/Utility_hack_led_to_security_overhaul

Illinois teenager hacks a Caterpillar system to dump 65,000 gallons of oil sludge into Des Plaines river.

http://www.nytimes.com/2009/02/09/us/09chicago.html?_r=1

http://blog.afcyber.us/2009/02/08/desplainesriver.aspx

During a controlled test, Homeland security uses electronic attack to physically destroy a diesel generator.

http://www.datacenterknowledge.com/archives/2009/11/09/power-grid-hacking-back-in-the-news/

Who is working on fixing this: http://www.inl.gov/scada/resources.shtml

Leave a comment Cancel reply