Once protected by proprietary technology, industrial controls face increased security threats, a report says.
Industrial process control and Scada (supervisory control and data acquisition) systems may soon face the same security woes that plague business IT systems, warns a recent report from the British Columbia Institute of Technology and PA Consulting Group, a management, systems, and technology consulting firm.
Industrial control systems have been largely immune to network attacks because of their reliance on proprietary technology. That began to change around 2000 as adoption of Ethernet, TCP/IP networking, and Windows grew.
"I don't want to make it sound as if the sky is falling," says Eric Byres, co-author of the report and research manager for critical infrastructure security at the British Columbia Institute of Technology. "But my concern is it will one day unless we do something. The hackers are waking up [to the vulnerability of these systems]."
The report found that between 1982 and 2000, only 31% of security incidents against industrial control systems were initiated from outside the affected organization. During the 2001 to 2003 period, external events accounted for 70% of security incidents.
"We've been so concerned about insiders causing us trouble," Byres says. "It was a shock to everyone [involved with the report] that so many outside events get in. And really what that's saying is that our systems are like Swiss cheese."
Increased use of standard technologies on the plant floor leaves them much more susceptible to attack, Byres says. Proprietary communications technologies "are less susceptible to your average Windows worm," he says.
The advent of non-E-mail-based worms also has contributed to the problem. "Most of the attacks that we saw up until 2001 were largely E-mail-driven," Byres says. "And that doesn't impact control systems. But all of a sudden when you go to non-E-mail driven worms like Code Red, you don't have to have anyone checking their E-mail [to launch a worm] and you're in trouble."
"It's absolutely a risk that needs to be understood better," says Mike Assante, chief information security officer at American Electric Power Co., the nation's largest electricity generator.
One reason the security risks are not well publicized is because there's significant sensitivity around critical infrastructure applications, Assante says. "A lot of the industries where these technologies are in place are regulated industries. So it doesn't behoove people to make it very public that there was a major security incident using these technologies and these control systems."
That tight-lipped demeanor extends to control system vendors. "I've seen a real hesitance from the vendor perspective in terms of really addressing security," Assante observes. Vendors say buyers are prioritizing cost, connectivity, and plug-and-play compatibility over security features, he says.
But Assante has seen signs of change among vendors and buyers of process control equipment, such as increased interest in adding encryption to industrial control systems.
There is more awareness of the problem in the federal government, Byres says. The Clinton administration's Presidential Directive 63 on critical infrastructure protection in May 1998 addressed the risks in general terms. The Bush administration's National Strategy to Secure Cyberspace, published in September 2002 specifically mentions the need to better secure industrial control systems.
But Byres points to the recent resignation of Amit Yoran as head of the National Cyber Security Division in the Department of Homeland Security as a sign that not everyone in government considers critical infrastructure security with the same degree of seriousness. News reports suggest that Yoran left out of frustration over what he considered the neglect of his department. Byres contends that whoever heads cybersecurity should report directly to Secretary of Homeland Defense Tom Ridge, rather than three levels down.
The government should use its procurement clout to force vendors to make control system security a priority, Assante argues. He also hopes to see corporate security officers force the issue. "There's an awareness campaign that needs to happen in the engineering disciplines of these companies," he says. "Security officers need to lead that charge." He adds that making security risk assessment part of industrial control system purchases or upgrades would also send a message to vendors.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.