Cybersecurity Incidents Rise in Industrial Control Systems

2010-04-15

Kelly Jackson Higgins, Dark Reading, reveals that a report based on data gathered by the Repository of Industrial Security Incidents (RISI) shows that while only 10% of industrial control systems are actually connected to the Internet, these systems that run water, wastewater, and utility power plants have suffered an increase in cybersecurity incidents over the past five years.

While this industry remains skeptical that it's at risk, the '2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems' shows that in the past 5 years water and wastewater cybersecurity incidents have increased 300% and power/utilities incidents have increased by 30%.

The RISI database logs security incidents in process control, SCADA, and manufacturing systems, and gathers voluntary submissions from victim companies as well as from news or other reports and shows that nearly half of all security incidents were due to malware infections - viruses, worms and Trojans.

The article features a quote by John Cusimano, executive director of the Security Incidents Organization, which runs the RISI database, who says "A lot of control systems are connected to their business networks which in turn may be connected to the Internet. It's several layers removed, but once there's a virus [on the business network], it finds its way into the control systems and you see USB keys bringing in malware to the SCADA systems, for instance, or via an employee's infected laptop".

Higgins writes that Doug Preece, senior manager for smart energy services at Capgemini, said another entry point for malware are those process control system platforms that are based on Windows. "Some of these platforms have evolved over time to lower-cost, more open, Windows-based stuff," Preece says. "It's not connected to the Internet, so the ability to receive patches at the OS level is hampered. The management of these systems is not as closely monitored as it is at the enterprise OS level."

Cusimano says "There's a lot of skepticism that there's a real problem, particularly when it comes to doomsday scenarios like when the press talks about China or Russia breaking into a chemical plant to blow it up."

He also states that there is often a disconnect between the IT department and the SCADA group in process control, "The control system engineering department in control of the control systems and the plant's IT department have yet to find a way to work well together." Most IT departments look at control systems as any other asset, it prioritizes confidentiality, then integrity, and then availability. "But the control systems department's priorities are reversed: availability is paramount, then integrity and confidentiality".

The article states that security experts say attacks targeting the power grid are likely to rise and intensify during the next 12 months, as smart grid research and pilot projects advance.