Process Control Certification | Industrial Cyber Security

Supervisory Control and Data Acquisition and industrial control systems, with their traditional reliance on proprietary networks and hardware, have long been considered immune to the cyber attacks suffered by corporate information systems. Unfortunately, both academic research and in-the-field experience indicate misplaced confidence.The move to open standards such as Ethernet,TCP/IP, and web technologies allows hackers and virus writers to take advantage of the control industry's ignorance.The result is a growing number of unpublicised cyber-based security events that are affecting critical infrastructure and manufacturing industries. Eric Byres,David Leversage and Nate Kube

In making the case against complacency about control system security, this report summarises the incident information collected in the Industrial Security Incident Database (ISID). It describes a number of events that have directly affected process control systems indicating that the number of cyber incidents against SCADA and control systems worldwide has increased significantly since 2001. The majority of these incidents are coming from the Internet by way of opportunistic viruses, Trojan horses, and worms, but a surprisingly large number are directed acts of sabotage. In addition, the analysis indicates that many SCADA/process control networks (PCN) have poorly documented points of entry that provide secondary pathways into the system.

Historically, the industrial control and SCADA systems that are responsible for monitoring and controlling our critical infrastructures and manufacturing processes have operated in isolated environments. These control systems and devices communicated with each other almost exclusively, and rarely shared information with systems outside their environment.

As more components of control systems become interconnected with the outside world using IP-based standards, the probability and impact of a cyber attack will heighten. In fact, there is increasing concern among both government officials and control systems experts about potential cyber threats to the control systems that govern critical infrastructures. Even the flaws in SCADA specific technologies have become general knowledge - detailed presentations on how to exploit SCADA vulnerabilities have been given at black hat public gatherings.What is lacking is good historical data to either back up or dismiss these concerns. Event data collected over the past five years by ISID could provide objective, relevant statistical data for security decisions.