back to article New report warns of SCADA CYBERGEDDON*

The industrial control system fright machine is getting another kick along today, via a survey by Russian vendor Positive Technologies. The company’s study makes some startling claims: 40 percent of SCADA systems “available from the Internet” can be easily hacked, half of the vulnerabilities the company found allow the …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Its no surprise they're vulnerable

    When these things were designed, nobody thought any customer in their right mind would ever expose them to the Internet.

    Then they started going online using good VPNs to firewall.

    Anybody who puts this kind of kit out naked on the Internet is clearly asking for trouble - yet it happens.

    Although Stuxnet got in by compromising the programming PCs then going the last mile to the SCADA systems via sneakernet, and I don't think there's anything the likes of Siemens et al can really do against that route.

  2. cyberdemon Silver badge


    40% "Of those available to the internet" are vulnerable.

    Then don't make them available to the internet? Surely the proportion of SCADAs that ARE available to the internet is extremely low (and decreasing!!). If anyone has any sense, they keep their process controllers as disconnected as they possibly can, for when the Cylons attack, right?

    1. Nameless Faceless Computer User

      Re: 40%


      1) Don't connect SCADA's to the Internet.

      2) Don't buy SCADA software written by Microsoft.

      1. Anonymous Coward
        Anonymous Coward

        Re: Microsoft

        I see you have a hard time thinking about security vulnerabilities and resisting the urge to bash MS.

        I feel it would be pertinent to point out that Microsoft do not write SCADA software.

    2. Cupboard

      Re: 40%

      it can be extremely useful for remote support if something connected to the system can be accessed over the internet, even if that's just an HMI, for support purposes. If I get a text from a machine at work, I can often fix it without having to get out of bed. We have a rather bodged system using remote desktop but somewhere with more significant plant would probably have a better way of doing it.

      Nuke: well, worst case scenario?

  3. Anonymous Coward

    A whole SCADA problems, then?

  4. Anonymous Coward
    Anonymous Coward

    "Then don't make them available to the internet? Surely the proportion of SCADAs that ARE available to the internet is extremely low"

    Here's three ...

  5. Anonymous Coward

    Big country differences

    Looking at the linked report, it's intriguing to see the big differences between the percentage of accessible systems by country. So the UK economy is very similar in size to Italy and France, yet the UK has 1.4% of the sample of accessible SCADA systems, Italy has 6.8%, France 3.9%. The US economy is about five times the size of the UK, yet they have over 20x more accessible systems. Bear in mind that we're talking about SCADA, which mostly isn't not rocket science, so you'd expect the volume of gear (and thus vulnerabilies) to broadly track the size of the economy.

    China's looks to be doing very well, although from the vendor names it would appear that the authors focused on Western SCADA brands.

    So, IT security types, do these country differences mean anything? Is the UK doing as well (or less badly) as the report suggests, or is the report talking tosh?

    1. Anonymous Coward
      Anonymous Coward

      Re: "isn't not"

      Double negatives really went out of vogue after Shakespeare's time, man. Try to keep up...

      1. Anonymous Coward

        Re: "isn't not"

        That's called a "typo". But good of you to raise this important point - slack day at the ranch?

        1. Anonymous Coward
          Anonymous Coward

          Re: "typo"

          There's also this arcane technique called "reading" that I think it would be valuable for you to employ.

  6. Robert Helpmann??

    Percent Online vs. Total Numbers

    The company’s study makes some startling claims: 40 percent of SCADA systems “available from the Internet can be easily hacked”

    These numbers are for systems that have an internet connection, presumably the easiest set to patch. If 60% of these machines are patched, it seems reasonable to assume that a much smaller percentage of those that are not interwebbed are patched. I would therefor guess that these un-surveyed machines utilize the crab system of security (a hard shell on the outside, with nothing but soft flesh once an attacker is past the initial defense). Logically, if my assumptions are correct, the majority of SCADA systems are vulnerable to anything that touches them from the outside world, especially if they grew up inside a bubble.

    Kaspersky would do well to get a move on (

This topic is closed for new posts.

Other stories you might like