A View from Martin LaMonica
Cybersecurity Risk High in Industrial Control Systems
Professionals in energy and other industries say design of control systems makes them vulnerable.
If you thought that concerns over the security of the physical infrastructure of the U.S. are overblown, consider what people in industry say. It’s not particularly encouraging, although there are signs that awareness of the issue is rising.
The SANS Institute, a security training company, this week released results of survey from professionals who work with SCADA and process control systems, which are used in utilities, healthcare, transportation, oil and gas, chemical production, among other industries. Concern is growing at the national level over the security of these control systems, which are increasingly linked to computers and networks.
Professionals in the field share that concern. Seventy percent of the nearly 700 respondents said they consider their SCADA systems to be at high or severe risk. One third of them suspect that they have been already been infiltrated.
The main problem is that SCADA control systems are being connected to the Internet or mobile devices, exposing them to risk they were never designed to protect against. A utility worker may set up a wireless access point at a transformer to connect to the company network, for example. But without the right security in place, such as encryption, this sort of practice leaves this piece of grid infrastructure exposed, industry executives said during a presentation of the white paper.
In contrast to computer systems, SCADA and control systems, which can be in place for decades, were not built for frequent patching. Updating the firmware of a control system may require updating the entire firmware, rather than just a patch, and the equipment itself, which may control a water utility’s infrastructure for instance, typically can’t go offline for long periods.
The survey comes at a time of heightened awareness around cybersecurity in the U.S. Earlier this week, the White House released a white paper outlining strategies to combat the theft of intellectual property online.
Also this week, computer security company Mandiant caused a stir by saying that many attacks on U.S. companies originate in a building operated by the Chinese military. (See, Expose of Chinese Data Thieves Reveals Sloppy Tactics.) Meanwhile, a number of high-profile company, including Apple, the New York Times, and Twitter, have publicly talked about recent attempts to penetrate their networks.
The SANS Institute survey found that industrial companies are also showing more willingness to disclose cyberattacks than a few years ago, which is generally considered good for raising awareness of cybercrime. The high-profile cases of Stuxnet and other malware aimed at critical infrastructure helped raised the visibility of the issue at the highest levels of business.
“The reality is that people are aware there is risk in that (control system) space,” Matthew Luallen, president of cybersecurity training company Cybati said during the presentation. “You don’t need to spend a lot of time convincing people.”
The survey showed that a malicious attack along the lines of Stuxnet or Flame is the top “threat vector” of concern. Close behind, though, are internal threats, external threats from hacking activists or nation states, and phishing scams.
The pieces of equipment that are of most concern from attacks are computers and network gear that connect to controllers of industrial systems.
One of the main recommendations of the White House cybersecurity plan is for industry share information to lower the overall risk. The SANS Institute’s paper says businesses should have layered controls, an architecture where security and monitoring are embedded into all levels of a network, rather than only the perimeter. Updating to more modern control systems will also improve security.