Let’s get hacking: Why SCADA systems need improved

December 13, 2011 by Kara Manon · Leave a Comment

There have been a couple stories in the news recently about hacking. I personally know very little on the subject. I’ve seen Live Free or Die Hard but I’m not sure that helps at all. Although, after reading about the utility company hacking in Springfield, Illinois, the “fire sale” concept doesn’t seem as unrealistic. According to Wired.com, a hacker was discovered on November 8th by a water company when the SCADA (Supervisory Control and Data Acquisition) system was shutting on and off, causing a water pump to burn out. The article also states that the hacker stole user names and passwords of customers, possibly even signing in to the system with them for a few months before anyone caught on. Within a week of the news breaking, the FBI and DHS denied that there is any evidence that a hacker caused the water pump failure.

This is disturbing to say the least. SCADA is employed in a number of different systems to monitor and control things like utilities and medical devices. Back in August, a security researcher, Jerome Radcliffe, figured out how to hack his own wireless SCADA insulin pump. According to Radcliffe, he intercepted the wireless signals, reversed them and was able to insert fake data which he sent back to the pump. He was able to increase and decrease the amount of insulin without any warning from the pump. In essence, some evil-doer could kill a diabetic using their own insulin pump. A similar situation was found with wireless Pacemakers a few years ago. The study states that the researchers were able to reverse engineer the device’s communication protocols through an unauthorized channel and retrieve unencrypted information about the patient (name and diagnosis) and their treatment plan. They could even revise the therapies the patient was receiving through the device.

Some fixes are simple, like encryption, but other solutions can be very costly. I assume that’s why they weren’t implemented in the first place. We can all hope that no one would hack someone’s insulin pump or pacemaker but that doesn’t mean SCADA systems shouldn’t be more secure. Our utility infrastructure should be a major concern with these outdated systems in place.