Most SCADA protocols do not use encryption or authentication, and they don't have access control built into them or into the device itself. This means that when a PLC has a web server, and is connected to the internet, anyone who can discover the internet protocol (IP) address can send commands to the device, and the commands will be performed.
If that RTU or PLC has large motors connected to it, pumping out water or chemicals, the equipment could be turned off. If it was a substation and the power re-closer switches were closed, we could break it open and create an [electricity] outage for an entire area or city. The bottom line is you could cause physical damage to whatever is connected to that PLC.
While SCADA security has been an issue for decades, as legacy systems have been connected to the internet and remote technologies have emerged, with the emergence of Stuxnet, a worm that spreads via holes in Windows, but specifically targets Siemens SCADA systems and uses other sophisticated methods. Experts theorise that Stuxnet was designed to sabotage Iran's nuclear development program.
However, Stuxnet has raised awareness in the general public and within companies running critical infrastructure systems, and scared some of them enough to beef up their security. Stuxnet created an interest in the community to learn more about vulnerabilities and SCADA systems. We've seen direct impact in our customers being able to get funding to secure their SCADA systems.
While Stuxnet appears to have run its course and had minimal impact, SCADA systems are at risk from vulnerabilities and exploits in general, the US ICS-CERT (Industrial Control System Computer Emergency Response Team).
Not only are Supervisory Control and Data Acquisition (SCADA) systems used to run power plants and other critical infrastructure lacking many security precautions to keep hackers out, operators also sometimes practically advertise their wares on Google search, according to a demo held yesterday during a Black Hat conference workshop.