Professionals concerned with securing the systems that run water and electric utilities, dams, railways and other critical infrastructures are gathering this week in Florida to understand better the challenges facing them and learn how to defend their systems.Called the Process Control and SCADA (supervisory control and data acquisition) Security Summit, the event is hosted by The SANS Institute, is paid for by the Departments of Energy and Homeland Security, and targets professionals involved with automated industrial control systems.These systems are fundamentally different from IT networks because, instead of being focused on storing, sharing and securing data, they are designed to maximize the availability and reliability of the railroad or energy plants they run, says Rob Hoffman, manager of the cybersecurity research department at the Department of Energy’s Idaho National Laboratory, who spoke during a Webcast last week about the conference.As organizations begin linking these control systems to their IT networks, however, they are opening the systems to the same types of security threats suffered by data-centric systems, Hoffman says. “[SCADA] systems are generally stand-alone and were built to meet one need: automation,” he says. “They’re only being connected to back-end corporate [networks] after they’ve already been deployed, so security is at best an add-on, and quite often never designed in.”For example, an organization running a control system linked to its IT system running Windows NT has its control system open to all the vulnerabilities found in Microsoft’s operating system, Hoffman says. Compounding the issue is that control systems are difficult to patch, Hoffman says. “Downtime is not scheduled every week from 1 to 4 a.m., so it makes it very difficult to respond in a rapid fashion with patches to the vulnerabilities.”In addition, many SCADA systems are the targets of not just hackers but terrorists or even nation states, Hoffman adds. He defines five types of potential SCADA system attackers: recreational hackers looking for a challenge; disgruntled engineers; activists with environmental or business concerns; terrorists; and nation states that want to access a control device and stay resident in case of future need.“The thing that keeps me up at night is a bad guy who understands pressure volume and temperature relationships knowing the right valves and pumps to operate and is able to operate them,” says a security professional at a large energy company who asked not to be named. Related content news Mainframe modernization gets a boost from Kyndryl, AWS collaboration Kyndryl and AWS have expanded their partnership to help enterprise customers simplify and accelerate their mainframe modernization initiatives. By Michael Cooney Nov 30, 2023 4 mins Mainframes Cloud Computing Data Center news AWS and Nvidia partner on Project Ceiba, a GPU-powered AI supercomputer The companies are extending their AI partnership, and one key initiative is a supercomputer that will be integrated with AWS services and used by Nvidia’s own R&D teams. By Andy Patrizio Nov 30, 2023 3 mins CPUs and Processors Generative AI Supercomputers news VMware stung by defections and layoffs after Broadcom close Layoffs and executive departures are expected after an acquisition, but there's also concern about VMware customer retention. By Andy Patrizio Nov 30, 2023 3 mins Virtualization Data Center Industry news US will take decades for supply chain independence in chips: Nvidia CEO Jensen Huang pointed out that Nvidia’s latest AI servers have 35,000 parts from all over the world, including Taiwan. By Sam Reynolds Nov 30, 2023 4 mins CPUs and Processors Technology Industry Podcasts Videos Resources Events NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe