Martin LaMonica

A View from Martin LaMonica

Cybersecurity Risk High in Industrial Control Systems

Professionals in energy and other industries say design of control systems makes them vulnerable.

  • February 22, 2013

If you thought that concerns over the security of the physical infrastructure of the U.S. are overblown, consider what people in industry say. It’s not particularly encouraging, although there are signs that awareness of the issue is rising.

The SANS Institute, a security training company, this week released results of survey from professionals who work with SCADA and process control systems, which are used in utilities, healthcare, transportation, oil and gas, chemical production, among other industries. Concern is growing at the national level over the security of these control systems, which are increasingly linked to computers and networks.

Professionals in the field share that concern. Seventy percent of the nearly 700 respondents said they consider their SCADA systems to be at high or severe risk. One third of them suspect that they have been already been infiltrated. 

The main problem is that SCADA control systems are being connected to the Internet or mobile devices, exposing them to risk they were never designed to protect against. A utility worker may set up a wireless access point at a transformer to connect to the company network, for example. But without the right security in place, such as encryption, this sort of practice leaves this piece of grid infrastructure exposed, industry executives said during a presentation of the white paper.

In contrast to computer systems, SCADA and control systems, which can be in place for decades, were not built for frequent patching. Updating the firmware of a control system may require updating the entire firmware, rather than just a patch, and the equipment itself, which may control a water utility’s infrastructure for instance, typically can’t go offline for long periods.

The survey comes at a time of heightened awareness around cybersecurity in the U.S. Earlier this week, the White House released a white paper outlining strategies to combat the theft of intellectual property online.

Also this week, computer security company Mandiant caused a stir by saying that many attacks on U.S. companies originate in a building operated by the Chinese military. (See, Expose of Chinese Data Thieves Reveals Sloppy Tactics.) Meanwhile, a number of high-profile company, including Apple, the New York Times, and Twitter, have publicly talked about recent attempts to penetrate their networks. 

The SANS Institute survey found that industrial companies are also showing more willingness to disclose cyberattacks than a few years ago, which is generally considered good for raising awareness of cybercrime. The high-profile cases of Stuxnet and other malware aimed at critical infrastructure helped raised the visibility of the issue at the highest levels of business.

“The reality is that people are aware there is risk in that (control system) space,” Matthew Luallen, president of cybersecurity training company Cybati said during the presentation. “You don’t need to spend a lot of time convincing people.”

The survey showed that a malicious attack along the lines of Stuxnet or Flame is the top “threat vector” of concern. Close behind, though, are internal threats, external threats from hacking activists or nation states, and phishing scams.

The pieces of equipment that are of most concern from attacks are computers and network gear that connect to controllers of industrial systems.

One of the main recommendations of the White House cybersecurity plan is for industry share information to lower the overall risk. The SANS Institute’s paper says businesses should have layered controls, an architecture where security and monitoring are embedded into all levels of a network, rather than only the perimeter. Updating to more modern control systems will also improve security. 

The latest Insider Conversation is live! Listen to the story behind the story.

Subscribe today
Already a Premium subscriber? Log in.

Uh oh–you've read all of your free articles for this month.

Insider Premium
$179.95/yr US PRICE

More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus ad-free web experience, select discounts to partner offerings and MIT Technology Review events

    See details+

    What's Included

    Bimonthly magazine delivery and unlimited 24/7 access to MIT Technology Review’s website

    The Download: our daily newsletter of what's important in technology and innovation

    Access to the magazine PDF archive—thousands of articles going back to 1899 at your fingertips

    Special discounts to select partner offerings

    Discount to MIT Technology Review events

    Ad-free web experience

You've read all of your free articles this month. This is your last free article this month. You've read of free articles this month. or  for unlimited online access.