Industrial Controls Susceptible To Attacks - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

05:03 PM
Connect Directly

Industrial Controls Susceptible To Attacks

Once protected by proprietary technology, industrial controls face increased security threats, a report says.

Industrial process control and Scada (supervisory control and data acquisition) systems may soon face the same security woes that plague business IT systems, warns a recent report from the British Columbia Institute of Technology and PA Consulting Group, a management, systems, and technology consulting firm.

Industrial control systems have been largely immune to network attacks because of their reliance on proprietary technology. That began to change around 2000 as adoption of Ethernet, TCP/IP networking, and Windows grew.

"I don't want to make it sound as if the sky is falling," says Eric Byres, co-author of the report and research manager for critical infrastructure security at the British Columbia Institute of Technology. "But my concern is it will one day unless we do something. The hackers are waking up [to the vulnerability of these systems]."

The report found that between 1982 and 2000, only 31% of security incidents against industrial control systems were initiated from outside the affected organization. During the 2001 to 2003 period, external events accounted for 70% of security incidents.

"We've been so concerned about insiders causing us trouble," Byres says. "It was a shock to everyone [involved with the report] that so many outside events get in. And really what that's saying is that our systems are like Swiss cheese."

Increased use of standard technologies on the plant floor leaves them much more susceptible to attack, Byres says. Proprietary communications technologies "are less susceptible to your average Windows worm," he says.

The advent of non-E-mail-based worms also has contributed to the problem. "Most of the attacks that we saw up until 2001 were largely E-mail-driven," Byres says. "And that doesn't impact control systems. But all of a sudden when you go to non-E-mail driven worms like Code Red, you don't have to have anyone checking their E-mail [to launch a worm] and you're in trouble."

"It's absolutely a risk that needs to be understood better," says Mike Assante, chief information security officer at American Electric Power Co., the nation's largest electricity generator.

One reason the security risks are not well publicized is because there's significant sensitivity around critical infrastructure applications, Assante says. "A lot of the industries where these technologies are in place are regulated industries. So it doesn't behoove people to make it very public that there was a major security incident using these technologies and these control systems."

That tight-lipped demeanor extends to control system vendors. "I've seen a real hesitance from the vendor perspective in terms of really addressing security," Assante observes. Vendors say buyers are prioritizing cost, connectivity, and plug-and-play compatibility over security features, he says.

But Assante has seen signs of change among vendors and buyers of process control equipment, such as increased interest in adding encryption to industrial control systems.

There is more awareness of the problem in the federal government, Byres says. The Clinton administration's Presidential Directive 63 on critical infrastructure protection in May 1998 addressed the risks in general terms. The Bush administration's National Strategy to Secure Cyberspace, published in September 2002 specifically mentions the need to better secure industrial control systems.

But Byres points to the recent resignation of Amit Yoran as head of the National Cyber Security Division in the Department of Homeland Security as a sign that not everyone in government considers critical infrastructure security with the same degree of seriousness. News reports suggest that Yoran left out of frustration over what he considered the neglect of his department. Byres contends that whoever heads cybersecurity should report directly to Secretary of Homeland Defense Tom Ridge, rather than three levels down.

The government should use its procurement clout to force vendors to make control system security a priority, Assante argues. He also hopes to see corporate security officers force the issue. "There's an awareness campaign that needs to happen in the engineering disciplines of these companies," he says. "Security officers need to lead that charge." He adds that making security risk assessment part of industrial control system purchases or upgrades would also send a message to vendors.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
2021 Outlook: Tackling Cloud Transformation Choices
Joao-Pierre S. Ruth, Senior Writer,  1/4/2021
Enterprise IT Leaders Face Two Paths to AI
Jessica Davis, Senior Editor, Enterprise Apps,  12/23/2020
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll