SCADA Security and Terrorism: We're Not Crying Wolf! presented at BlackHatDC 2006

by David Maynor, Robert Graham,


Summary : Many are beginning to believe the FUD about SCADA is merely the cyber-security industry employing scare tactics. This presentation will erase all doubt. Understanding SCADA security is easy: there is none. The back end networks that control our power, oil/gas, manufacturing, water, and transportation systems have no security. In most cases, the systems themselves don't support authentication, encryption, or even the most basic validation protocols. The few systems that do support these protocols are usually run with security features disabled.
Under contract with our customers, Internet Security Systems has pen-tested many of the worlds most important national SCADA networks and can confirm that the cyber-security fears are justified. The destruction hurricane Katrina caused in the Gulf Coast area demonstrated the severe effects of a regional infrastructure disruption on the nation (and indeed the world). Through these unsecured back end networks, which are increasingly connected to the Internet, hackers anywhere in the world can easily target and disrupt national infrastructure using everything from a WAP-enabled cell phone to an Excel spreadsheet. Law makers in Washington are rightly concerned that this lack of security could easily lead to a major cyber-terrorist incident. Attendees to the session will: learn what the black-hats know about SCADA, hear anecdotes from our pen-tests and witness our live demo.