“The exposure of these systems to malicious actors in cyberspace is greater than in the past, because these systems are more often connected to the Internet,” Purdy said in an interview with SecurityFocus.
Because SCADA and other types of control systems regulate real world activity, such as the amount of water flowing though a dam or the electricity flowing through a transformer, their lack of security has worried experts for some time. Yet, in the past few years, attacks by external sources, such as online attackers, have jumped to 70 percent of incidents involving SCADA systems, up from 31 percent of incidents recorded between 1980 and 2001, according to a paper published by the British Columbia Institute of Technology. Sources interviewed for this article maintained that there have been SCADA system attacks, but such incidents are almost never made public. And U.S. authorities investigated online reconnaissance of U.S. critical infrastructure systems by attackers thought to be linked to al Qaeda in Pakistan, Saudia Arabia and Indonesia. However, other breaches have happened and the industry has paid the price for secrecy, said Lori Dustin, vice president of marketing and services for control system maker Verano.
Nearly 1,700 of the 3,200 power utilities have some sort of SCADA system in place, according to a recent survey by industry researcher Newton-Evans. The older networks of control systems have not adapted well to the needs of a deregulated power industry, Samuel Varnado, director of the Information Operations Center at Sandia National Labs stated in written testimony to the Congressional subcommittee. Sandia has demonstrated a way to use SCADA system vulnerabilities to turn out the lights in most major cities, Varnado told the subcommittee last week.
In 2006, the DHS plans on releasing a document outlining the best practices for control-system operators through the Cybersecurity Protection Framework.
http://www.securityfocus.com/news/11351