SCADA system security in the internet era

This Washington Post article on a SCADA failure at a US nuclear power plant was noted on Slashdot, but not much elsewhere.

Specifically, experts worry that vulnerabilities were introduced into the systems that regulate the electrical grid as power companies transferred control of generation and distribution equipment from internal networks to supervisory control and data acquisition, or SCADA, systems that can be accessed through the Internet or by phone lines, according to consultants and government reports.

The article also discusses an earlier nuclear power plant software failure caused by message overload when two pumps failed. The fundamental problem is that SCADA software is being written to two very different but equally inadequate standards: those of the embedded software business, where software is still an afterthought, and those of the PC/server world, where functionality is king and security, timing guarantees, robustness and the like compete for a distant second place.

As we move into an era where many distributed power sources are connected to the grid, and where the machinery that consumes power does so under ever more sophisticated software control, the potential for cascading failures is quite real, and unanticipated interactions between business software and control software are one likely source of failure injection.