SCADA

20 May 2025 • 4 min read

What is SCADA?

SCADA systems are the “command centres” of industrial operations. They act as the bridge between human operators and the machines doing the work. Think of SCADA as the nervous system of a factory—it senses what’s happening, processes that information, and sends commands to make things happen.

TBFC uses a SCADA system to oversee its entire drone delivery operation. Without it, operators would have no way to monitor hundreds of drones, manage inventory, or ensure packages reach the right destinations. It’s the invisible orchestrator of Christmas logistics.

Components of a SCADA System

A SCADA system typically consists of four key components:

  1. Sensors & actuators: These are the eyes and hands of the system. Sensors measure real-world conditions, such as temperature, pressure, position, and weight. Actuators perform physical actions—motors turn, valves open, robotic arms move. In TBFC’s warehouse, sensors detect when a package is placed on the conveyor belt, and actuators control the robotic arms that load drones.
  2. PLCs (Programmable Logic Controllers): These are the brains that execute automation logic. They read sensor data, make decisions based on programmed rules, and send commands to actuators. A PLC might decide: If the package weight matches a chocolate egg AND the destination is Zone 5, load it onto Drone 7. We’ll explore PLCs in detail in the next task.
  3. Monitoring systems: Visual interfaces like CCTV cameras, dashboards, and alarm panels where operators observe physical processes. TBFC’s warehouse has security cameras on port 80 that show real-time footage of the packaging floor. These monitoring systems provide immediate visual feedback—you can literally watch what the automation is doing.
  4. Historians: Databases that store operational data for later analysis. Every package loaded, every drone launched, every system change gets recorded. This historical data helps identify patterns, troubleshoot problems, and—in incident response scenarios like ours—reconstruct what an attacker did.

SCADA in the Drone Delivery System

TBFC’s compromised SCADA system manages several critical functions:

  • Package type selection: The system decides whether to load Christmas gifts, chocolate eggs, or Easter baskets onto each drone. This selection is controlled by a simple numeric value that determines which conveyor belt activates.
  • Delivery zone routing: Each package must reach the correct neighbourhood. Zones 1-9 represent different districts of Wareville, while Zone 10 is reserved for disposal (the ocean—a failsafe for damaged goods, but also a perfect target for sabotage).
  • Visual monitoring: The CCTV camera feed provides real-time observation of the warehouse floor. Operators can view which items are being loaded, verify system behaviour, and identify anomalies. This visual layer is crucial during incident response.
  • Inventory verification: Before loading a package, the system can check whether the requested item actually exists in stock. When this verification is disabled, the system blindly follows commands—even if those commands are malicious.
  • System protection mechanisms: Security features designed to prevent unauthorised changes. When enabled, these protections monitor for suspicious modifications and can trigger defensive responses. Unfortunately, King Malhare has weaponised these very protections as part of his trap.
  • Audit logging: Every configuration change, every operator login, every system modification should be recorded. Attackers often turn off logging to cover their tracks—and that’s precisely what happened here.
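The "Historians" and "Audit logging" points above describe the same defensive idea from two sides: the historian keeps a record, and an attacker who disables logging leaves a hole in that record. The following Python is an added example, not code from the original post or from TBFC's system; it parses a small historian export constructed here (the field layout, the 60-second heartbeat period, the user names and IPs are all assumptions) and reports every silence longer than the heartbeat allows, together with the configuration change immediately before and after it, which is the first thing an incident responder would want to see when reconstructing what happened.

```python
"""Find gaps in a historian/audit export and the configuration changes around them.

Added example, not code from the original post. The records below are constructed
for illustration: the field layout, the 60-second heartbeat and the user names are
assumptions, not TBFC's real historian format.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed export: timestamp,event,user,detail (one record per line).
HISTORIAN_EXPORT = """\
2025-12-20T02:00:00Z,heartbeat,system,ok
2025-12-20T02:01:00Z,heartbeat,system,ok
2025-12-20T02:01:30Z,login,operator,source=10.0.0.5
2025-12-20T02:02:00Z,heartbeat,system,ok
2025-12-20T02:02:40Z,login,admin,source=192.0.2.77
2025-12-20T02:02:55Z,config_change,admin,audit_logging=1->0
2025-12-20T02:03:00Z,heartbeat,system,ok
2025-12-20T02:11:00Z,heartbeat,system,ok
2025-12-20T02:11:05Z,config_change,admin,audit_logging=0->1
2025-12-20T02:12:00Z,heartbeat,system,ok
"""

HEARTBEAT_INTERVAL_S = 60  # assumed historian heartbeat period


@dataclass
class Record:
    ts: datetime
    event: str
    user: str
    detail: str


def parse_records(text: str) -> list:
    """Parse the comma-separated export into Record objects, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, detail = line.split(",", 3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(Record(when, event, user, detail))
    return sorted(records, key=lambda r: r.ts)


def find_heartbeat_gaps(records, interval_s=HEARTBEAT_INTERVAL_S, tolerance=1.5):
    """Return (start, end, seconds) for every silence longer than the heartbeat period allows."""
    beats = [r.ts for r in records if r.event == "heartbeat"]
    gaps = []
    for earlier, later in zip(beats, beats[1:]):
        silent = (later - earlier).total_seconds()
        if silent > interval_s * tolerance:
            gaps.append((earlier, later, silent))
    return gaps


def explain_gaps(records, gaps):
    """Pair each gap with the configuration change just before and just after it."""
    changes = [r for r in records if r.event == "config_change"]
    findings = []
    for start, end, silent in gaps:
        before = [c for c in changes if c.ts <= start]
        after = [c for c in changes if c.ts >= end]
        findings.append({
            "gap_seconds": silent,
            "last_change_before": (before[-1].user, before[-1].detail) if before else None,
            "first_change_after": (after[0].user, after[0].detail) if after else None,
        })
    return findings


def analyse(text: str = HISTORIAN_EXPORT):
    """Run the whole pipeline over an export and return the findings."""
    records = parse_records(text)
    return explain_gaps(records, find_heartbeat_gaps(records))


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

On the constructed export this reports a single 480-second silence bracketed by `audit_logging=1->0` and `audit_logging=0->1`, both made by the same account; the gap itself is the evidence, because whatever was changed while logging was off never reached the historian and has to be recovered from the PLC or the camera feed instead.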

Why SCADA Systems Are Targeted

Industrial control systems, such as SCADA, have become increasingly attractive targets for cybercriminals and nation-state actors. Here’s why:

  • They often run legacy software with known vulnerabilities. Many SCADA systems were installed decades ago and never updated. Security patches that exist for modern software don’t exist for these ageing systems.
  • Default credentials are commonly left unchanged. Administrators prioritise keeping systems running over changing passwords. In industrial environments, the mentality is often “if it works, don’t touch it”—a recipe for security disasters.
  • They’re designed for reliability, not security. Most SCADA systems were built before cyber security was a significant concern. They were intended for closed networks that were presumed safe. Authentication, encryption, and access controls were afterthoughts at best.
  • They control physical processes. Unlike attacking a website or stealing data, compromising SCADA systems has real-world consequences. Attackers can cause blackouts, contaminate water supplies, or—in our case—sabotage Christmas deliveries.
  • They’re often connected to corporate networks. The myth of “air-gapped” industrial systems is largely fiction. Most SCADA systems connect to business networks for reporting, remote management, and data integration. This connectivity provides attackers with entry points.
  • Protocols like Modbus lack authentication. Many industrial protocols were designed for trusted environments. Anyone who can reach the Modbus port (502) can read and write values without proving their identity.

In early 2024, the first ICS/OT malware, FrostyGoop, was discovered. The malware can directly interface with industrial control systems via the Modbus TCP protocol, enabling arbitrary reads and writes to device registers over TCP port 502.
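The "Protocols like Modbus lack authentication" bullet and the FrostyGoop paragraph both come down to the shape of a Modbus/TCP frame: a seven-byte MBAP header (transaction id, protocol id, length, unit id) followed by a function code and its data, with no field anywhere that identifies or authenticates the sender. The Python below is an added example, not code from the original post, from FrostyGoop or from TBFC's system. It parses frames of that shape and raises an alert for every state-changing write that does not come from a host on an allow-list, which is the monitoring a defender can realistically bolt onto a protocol that cannot check identity itself. All frames, IP addresses and register numbers are constructed for illustration.

```python
"""Parse Modbus/TCP requests and flag state-changing writes from unexpected hosts.

Added example, not code from the original post. Every frame, address and IP below
is constructed for illustration; the register meanings are assumptions, not values
from TBFC's system.
"""
import struct
from dataclasses import dataclass

# Function codes that change device state (coils and holding registers).
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int   # first coil/register the request touches
    data: bytes    # remainder of the PDU after the address field


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Split a Modbus/TCP request into MBAP header and PDU fields.

    The MBAP header is transaction id (2 bytes), protocol id (2, always 0),
    length (2, bytes that follow it) and unit id (1). Nothing in it identifies
    or authenticates the sender.
    """
    if len(frame) < 10:
        raise ValueError("frame too short for MBAP header, function code and address")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    (address,) = struct.unpack(">H", frame[8:10])
    return ModbusRequest(tid, unit, fc, address, frame[10:])


def describe_write(req: ModbusRequest) -> str:
    """Summarise what a write request would change on the device."""
    if req.function_code in (5, 6):
        (value,) = struct.unpack(">H", req.data[:2])   # single coil/register value
        return f"set {req.address} to {value}"
    (quantity,) = struct.unpack(">H", req.data[:2])    # multi-write: item count
    return f"set {quantity} items from {req.address}"


def audit_requests(requests, allowed_writers):
    """Return an alert for every write request from a host not allowed to write.

    `requests` is an iterable of (source_ip, frame_bytes); `allowed_writers` is
    the set of hosts (e.g. the HMI) that are expected to issue writes.
    """
    alerts = []
    for src, frame in requests:
        req = parse_modbus_tcp(frame)
        if req.function_code in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append({
                "src": src,
                "unit": req.unit_id,
                "function": WRITE_FUNCTION_CODES[req.function_code],
                "address": req.address,
                "detail": describe_write(req),
            })
    return alerts


# Constructed sample traffic (assumed IPs and register numbers).
HMI = "10.0.0.5"
UNKNOWN_HOST = "192.0.2.77"
SAMPLE_REQUESTS = [
    # HMI polls two holding registers: FC 3, start 0, quantity 2.
    (HMI, bytes.fromhex("000100000006010300000002")),
    # HMI sets register 1 (assumed to hold the delivery zone) to 5: FC 6.
    (HMI, bytes.fromhex("000200000006010600010005")),
    # Unknown host sets register 1 to 10: FC 6.
    (UNKNOWN_HOST, bytes.fromhex("00030000000601060001000A")),
    # Unknown host writes registers 0..1 in one request: FC 16, 2 registers, 4 bytes.
    (UNKNOWN_HOST, bytes.fromhex("00040000000B011000000002040002000A")),
    # Unknown host forces coil 3 off: FC 5, value 0x0000.
    (UNKNOWN_HOST, bytes.fromhex("000500000006010500030000")),
]


if __name__ == "__main__":
    for alert in audit_requests(SAMPLE_REQUESTS, {HMI}):
        print(alert)
```

Run against the constructed traffic with only the HMI on the allow-list, the two HMI frames pass and the three frames from the unknown host are reported, including the single-register write that sets the assumed zone register to 10. The allow-list is the whole control here: because the frame carries no credential, source address plus function code is the only signal available, which is also why the page's advice to keep Modbus off reachable networks matters more than any parsing.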

King Malhare has weaponised these same tactics, not to cause blackouts, but to sabotage Christmas deliveries by directly manipulating the control system through the Modbus protocol. In the next task, we’ll explore the PLC—the component he’s actually compromised.
