SCADA vendors can no longer claim their systems are relatively well protected from external attacks because the systems are not directly connected to the Internet. Many are, some aren't. It's time for SCADA vendors to stop downplaying the risk to these systems and start addressing the vulnerabilities in a more expeditious manner than they have demonstrated in the past.
Never mind that security experts and practitioners have long advocated the use of encryption as the most effective way to protect sensitive data. For many enterprises, that's an epiphany they almost always seem to have only after a major data breach. Consider NASA and the South Carolina Department of Revenue. Both organizations last year scrambled to implement enterprise-wide data encryption measures after suffering major data losses. Both organizations are almost certainly going to spend a lot more money dealing with the aftermath of those breaches than they would have if they had just encrypted the data in the first place.
Encryption may not always be convenient. But most of the excuses for not using the technology have gone. Most security experts agree that encryption tools have gotten cheaper to use, are easier to implement and are relatively straightforward to manage. Many state regulations and industry regulations such as the Payment Card Industry Data Security Standard mandate the encryption of certain types of data. Companies that encrypt data also often have safe harbor from breach disclosure laws and liability issues. There really is no reason for companies to keep deferring encryption until they are forced to do it anyway because of a breach.
Passwords, as a security technology, have been seriously failing for some time now. It's the reason why the federal government has mandated the use of two-factor authentication for remote access to its systems. Yet the private sector as a whole has continued to drag its feet on the issue. A Verizon data breach study last year showed that attacks exploiting weak passwords are especially endemic in the retail and hospitality industries. Over the past few years, cyber thieves operating mostly from outside the U.S. have stolen hundreds of millions of dollars from online banking accounts belonging to small and medium businesses and others, mostly by exploiting weak user authentication credentials. Numerous technologies, many of them relatively inexpensive, are available to enterprises today. While integrating such technologies may not always be easy, companies absolutely should be using multi-factor authentication to control access to non-trivial assets at this stage of the game, according to analysts.
Jaikumar Vijayan is the Senior Editor covering information security and data privacy issues for ComputerWorld.