Once protected by proprietary technology, industrial controls face increased security threats, a report says.

Thomas Claburn, Editor at Large, Enterprise Mobility

October 14, 2004

3 Min Read

Industrial process control and Scada (supervisory control and data acquisition) systems may soon face the same security woes that plague business IT systems, warns a recent report from the British Columbia Institute of Technology and PA Consulting Group, a management, systems, and technology consulting firm.

Industrial control systems have been largely immune to network attacks because of their reliance on proprietary technology. That began to change around 2000 as adoption of Ethernet, TCP/IP networking, and Windows grew.

"I don't want to make it sound as if the sky is falling," says Eric Byres, co-author of the report and research manager for critical infrastructure security at the British Columbia Institute of Technology. "But my concern is it will one day unless we do something. The hackers are waking up [to the vulnerability of these systems]."

The report found that between 1982 and 2000, only 31% of security incidents against industrial control systems were initiated from outside the affected organization. During the 2001 to 2003 period, external events accounted for 70% of security incidents.

"We've been so concerned about insiders causing us trouble," Byres says. "It was a shock to everyone [involved with the report] that so many outside events get in. And really what that's saying is that our systems are like Swiss cheese."

Increased use of standard technologies on the plant floor leaves them much more susceptible to attack, Byres says. Proprietary communications technologies "are less susceptible to your average Windows worm," he says.

The advent of non-E-mail-based worms also has contributed to the problem. "Most of the attacks that we saw up until 2001 were largely E-mail-driven," Byres says. "And that doesn't impact control systems. But all of a sudden when you go to non-E-mail driven worms like Code Red, you don't have to have anyone checking their E-mail [to launch a worm] and you're in trouble."

"It's absolutely a risk that needs to be understood better," says Mike Assante, chief information security officer at American Electric Power Co., the nation's largest electricity generator.

One reason the security risks are not well publicized is because there's significant sensitivity around critical infrastructure applications, Assante says. "A lot of the industries where these technologies are in place are regulated industries. So it doesn't behoove people to make it very public that there was a major security incident using these technologies and these control systems."

That tight-lipped demeanor extends to control system vendors. "I've seen a real hesitance from the vendor perspective in terms of really addressing security," Assante observes. Vendors say buyers are prioritizing cost, connectivity, and plug-and-play compatibility over security features, he says.

But Assante has seen signs of change among vendors and buyers of process control equipment, such as increased interest in adding encryption to industrial control systems.

There is more awareness of the problem in the federal government, Byres says. The Clinton administration's Presidential Directive 63 on critical infrastructure protection in May 1998 addressed the risks in general terms. The Bush administration's National Strategy to Secure Cyberspace, published in September 2002 specifically mentions the need to better secure industrial control systems.

But Byres points to the recent resignation of Amit Yoran as head of the National Cyber Security Division in the Department of Homeland Security as a sign that not everyone in government considers critical infrastructure security with the same degree of seriousness. News reports suggest that Yoran left out of frustration over what he considered the neglect of his department. Byres contends that whoever heads cybersecurity should report directly to Secretary of Homeland Defense Tom Ridge, rather than three levels down.

The government should use its procurement clout to force vendors to make control system security a priority, Assante argues. He also hopes to see corporate security officers force the issue. "There's an awareness campaign that needs to happen in the engineering disciplines of these companies," he says. "Security officers need to lead that charge." He adds that making security risk assessment part of industrial control system purchases or upgrades would also send a message to vendors.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights