SCADA system operators are keenly aware of the risk to their systems, according to a survey of nearly 700 participants conducted by SANS Institute. In it, 70% consider the risks to their systems to be high to severe, and 33% suspect they may have had incidents. This comes as no surprise to SANS and this survey's sponsors. SCADA and process control systems are opening multiple connections to external networks and the Internet, and are being administered over handheld mobile devices owned by system administrators. SCADA devices were never intended to be operated remotely and over the Internet, and therefore have little or no native security. Because of the sensitive nature of these systems' operations, patching, updating and securing these systems and their underlying operating systems is difficult.
In other words, without protection, these systems are sitting ducks. Indeed, numerous reports reveal SCADA systems are under increasing attack, and demonstrate multiple vulnerabilities. The US ICS-CERT responded to 198 reported cyber incidents against control systems in fiscal year 2012-41% of those against the energy sector. Of those incidents, 23 were the results of a targeted industrial control system (ICS) spear-phishing campaign, while some were the result of infected USBs in use by system administrators. The report also indicated that numerous control systems with IP addresses connected directly to the Internet were riddled with vulnerabilities exploitable from the web.
To find out how organizations are dealing with this risk, SANS has just completed an in-depth survey to determine their risk awareness and security practices. Download the document for the full report.