Adam Throne

Module 5 Paper

Systems dedicated to controlling machinery and industrial infrastructure have existed for centuries, but only recently have computers begun to control them. In the past, operators manually adjusted each machine in a system. A central manager would moderate communication between operators, and there was little opportunity for external interference. Today, though, most processes are controlled by a computer system known as SCADA. Under this framework, a central command center is able to control each aspect of an entire system. This has streamlined the control process but also created a security issue. As the Stuxnet attack demonstrates, it is possible for external actors to infiltrate SCADA and cause physical damage. The potential for cyber attacks against SCADA should pressure individuals to reevaluate their dependencies on computers.

SCADA is designed to allow precise adjustment to systems remotely from computers, control panels, and networks. This system was designed to standardize the control of most industrial processes. Ideally, someone with SCADA experience in California, for example, is capable of running any SCADA system on the globe with basic training. Diagram 1 illustrates the general flow of SCADA. At the top, organization computers monitor output, schedule changes, and organize production strategies. Below, the firewall is designed to limit unauthorized access to closed-network computers. This is generally fairly effective, but advanced hackers are capable of finding loopholes. On the next level, command computers contain the operator control screens where individual workers can make changes to machinery. SCADA on these computers allows users to both monitor and control machinery. On the lower level, PLCs and RTUs take signals from the SCADA software and apply them to physical machinery. Some PLCs and RTUs have direct control panels and computers. Finally, at the bottom is the machinery itself. Nearly all industrial, infrastructure, and manufacturing systems in developed countries use SCADA. Unfortunately, despite increasing efficiency, this system poses a serious threat.

It is fairly difficult to infiltrate a SCADA-controlled system, but it is easy to cause significant damage once an attack is executed. The simplest way to abuse SCADA is by convincing an operator to manually use command computers to cause damage. SCADA systems are designed to automate the control process, but there is still a human aspect. In the past, multiple workers would have needed to collaborate to damage a system. However, with SCADA, a single individual has the capability to manipulate an entire system. Using traditional covert action techniques, it is fairly easy to turn an individual against a target. Additionally, SCADA itself can be targeted in a cyber attack. Computers above the firewall are fairly easy to hack into, because they are generally connected to unprotected external networks. Since these computers do not control any machinery, though, the only benefit of infiltrating them is access to personal information about potential agents. Some basic SCADA systems either do not have firewalls or have very weak firewalls. In these circumstances, it may be possible for external hackers to influence PLCs and RTUs directly. However, high-profile targets are far more secure. Therefore, the most efficient way to directly target SCADA is through hardware. Malware must be written, planted, and executed in order to impact PLCs and RTUs. One possible way to achieve success in these areas is by writing self-starting code on a thumb drive and uploading it onto a control computer. Alternatively, an actor may infiltrate PLC or RTU production facilities to plant malware on these computers before they are installed in a specific target. If executed cleanly, these strategies may never be discovered.

Once planted and executed, malware targeting SCADA software can cause significant damage in a short amount of time. To start, there is already software in place to control machinery. Rather than writing entire new modes of action, cyber attackers only have to control SCADA. The funds and time that would be spent on developing this delivery mechanism can instead be spent on ensuring efficiency and deniability. Additionally, SCADA’s vulnerabilities provide cyber attackers a rare opportunity to cause physical damage to adversaries. Typically, cyber attackers are restricted to attacks on society, economics, and information. The Stuxnet attack demonstrated that a well-executed attack was capable of causing an explosion within Iran’s nuclear facility. The possibilities are endless for the damage that could be done by targeting SCADA systems. Oil lines can be destroyed, power generators can be stopped, heat in military bases can be shut off, or subways can be held in place. These countless opportunities are advantageous for state actors and individual actors alike. Yes, many of these attacks could also be completed with a bomb or a missile. However, the advantage of targeting SCADA with cyber attacks is the element of plausible deniability. If the United States were to launch a missile at North Korea’s nuclear research facility, regional nations including North Korea, China, and Russia would retaliate. However, if North Korea’s nuclear research facility mysteriously self-imploded at the hands of a carefully protected SCADA attack, these nations would not have sufficient evidence to respond violently. SCADA allows anonymous cyber attackers to inflict damage that only state militaries would be able to produce through traditional means.

In conclusion, although SCADA streamlines the industrial workflow, its vulnerabilities pose a significant security risk. Through direct covert action or hardware attacks, SCADA can be ordered to self-destruct the very systems which it controls. Many high-profile targets utilize this system, so the effects of widespread SCADA attacks could be catastrophic. These networks allow the deniability of cyber warfare to be combined with the physical damage of conventional war. I recommend that the United States reevaluate its dependence upon automated devices for everyday tasks and develop frameworks for responding to future SCADA attacks.
