Industrial Cyber Security | Scada Security

The good news is that while events have increased significantly since 2001, the rate appears to have levelled off in the past few years and may actually have decreased slightly in 2005/2006. It is likely that trends experienced in the critical infrastructure industries are following similar trends found in the overall IT world. According to a report written by IBM’s Global Security Intelligence team, ‘the global IT threat landscape is going through a fundamental shift, or evolution, in cyber crime from pervasive global outbreaks to smaller, stealthier attacks targeted at specific organisations’2. As IT networks are becoming increasingly more secure, it is anticipated that many of these attacks will target the most vulnerable access point within a company or organisation, which could easily be the SCADA or process control system.

Discussions with operators of traditional business crime reporting databases indicate that a typical incident database collects no better than one in ten of the actual events occurring. Twenty nine incidents were collected for 2003 and 23 for 2004, so it is likely that industry is experiencing at least 200 incidents per year at the present time. However, this number is probably several orders of magnitude low, due to the fact that of the 197 companies listed in the Fortune 500 with significant manufacturing or critical infrastructure operations, only 14 currently report to ISID and several of these are rather sporadic in their reporting. Thus it is probable that 2000 to 3000 industrial cybersecurity incidents are occurring per year to Fortune 500 companies alone.

If this estimate is accurate, then it also indicates that even given the increasing acceptance of ISID, companies are still reluctant to provide information about security breaches. Intuitively one can expect that companies do not want disclosure of problems with their network. This is also consistent with research conducted by Katherine Campbell et al that found reports of security breaches can adversely affect a firm’s stock price3.

Finally, the companies that do report to ISID tend to be on the leading edge of industrial cybersecurity preparedness and thus are likely experiencing lower incident rates as compared to the other companies. If nothing else more quantative, these statistics indicate a continuing security incident problem, and it may be more widespread than most control systems professionals believe.