Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

If you thought that concerns over the security of the physical infrastructure of the U.S. are overblown, consider what people in industry say. It’s not particularly encouraging, although there are signs that awareness of the issue is rising.

The SANS Institute, a security training company, this week released results of survey from professionals who work with SCADA and process control systems, which are used in utilities, healthcare, transportation, oil and gas, chemical production, among other industries. Concern is growing at the national level over the security of these control systems, which are increasingly linked to computers and networks.

Professionals in the field share that concern. Seventy percent of the nearly 700 respondents said they consider their SCADA systems to be at high or severe risk. One third of them suspect that they have been already been infiltrated. 

The main problem is that SCADA control systems are being connected to the Internet or mobile devices, exposing them to risk they were never designed to protect against. A utility worker may set up a wireless access point at a transformer to connect to the company network, for example. But without the right security in place, such as encryption, this sort of practice leaves this piece of grid infrastructure exposed, industry executives said during a presentation of the white paper.

In contrast to computer systems, SCADA and control systems, which can be in place for decades, were not built for frequent patching. Updating the firmware of a control system may require updating the entire firmware, rather than just a patch, and the equipment itself, which may control a water utility’s infrastructure for instance, typically can’t go offline for long periods.

The survey comes at a time of heightened awareness around cybersecurity in the U.S. Earlier this week, the White House released a white paper outlining strategies to combat the theft of intellectual property online.

Also this week, computer security company Mandiant caused a stir by saying that many attacks on U.S. companies originate in a building operated by the Chinese military. (See, Expose of Chinese Data Thieves Reveals Sloppy Tactics.) Meanwhile, a number of high-profile company, including Apple, the New York Times, and Twitter, have publicly talked about recent attempts to penetrate their networks. 

The SANS Institute survey found that industrial companies are also showing more willingness to disclose cyberattacks than a few years ago, which is generally considered good for raising awareness of cybercrime. The high-profile cases of Stuxnet and other malware aimed at critical infrastructure helped raised the visibility of the issue at the highest levels of business.

“The reality is that people are aware there is risk in that (control system) space,” Matthew Luallen, president of cybersecurity training company Cybati said during the presentation. “You don’t need to spend a lot of time convincing people.”

The survey showed that a malicious attack along the lines of Stuxnet or Flame is the top “threat vector” of concern. Close behind, though, are internal threats, external threats from hacking activists or nation states, and phishing scams.

The pieces of equipment that are of most concern from attacks are computers and network gear that connect to controllers of industrial systems.

One of the main recommendations of the White House cybersecurity plan is for industry share information to lower the overall risk. The SANS Institute’s paper says businesses should have layered controls, an architecture where security and monitoring are embedded into all levels of a network, rather than only the perimeter. Updating to more modern control systems will also improve security. 

2 comments. Share your thoughts »

Tagged: Computing, Energy, cyber security

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me