SCADA systems are Supervisory Control and Data Acquisition systems.
They are a form of Industrial Control Systems (ICS) that monitor and control major industrial processes from power generation, transmission, and distribution, to water treatment, chemical production, air traffic control, traffic lights, building controls, and more.
These are part of our nation's critical infrastructure.
In the lab, we are able to use tools to capture and analyze communication packets and edit and re-use them to:
- Turn on and off lights
- Open/close perimeter gates
- Control water and gas pipelines
- And even open and close a bridge
This was very scary!
No unauthorized person should be able to do this in real life, in the physical world.
This is a major security vulnerability for our nation:
- SCADA systems should not be openly available online; they should be controllable only locally, or remotely through an encrypted virtual private network (VPN).
- SCADA systems should not be available without proper access controls--a user ID and password must be required, and even two-step authentication.
No one but vetted, cleared, authorized, and trained personnel should be able to monitor and control our critical infrastructure--otherwise, we are giving them the keys to disrupt it, destroy it, and use it for terror.
We owe our nation and families better, much better.
(Source Photos from lab: Andy Blumenthal)