Ever-growing Industrial Cyber-risk in ICS and SCADA Environments
Industrial cyber-risks such as SCADA attacks have increased dramatically. The Ponemon Institute’s 2014 study, Critical Infrastructure: Security Preparedness and Maturity, reports that 67% of companies surveyed had suffered at least one cyber attack on their ICS/SCADA systems in the past year, and 78% said they were expecting a successful attack within the next two years.
No longer are data and dollars the only things at risk in cyber-attacks. More and more, hackers are creating industrial cyber-risk to critical infrastructure with the potential to disrupt operations and cause physical damage.
The World Energy Council’s annual report released last month also highlighted the problem of industrial cyber-risk. It is now ranked as the number one issue in terms of ‘uncertainty’ facing the industry in the UK. “Since the last report, UK energy security has seen a marked refocusing on to non-industry-related external threats such as those from terrorism and cyber-attacks, whether individual or state-sponsored.”
So what’s causing the upsurge? For one, more industrial control systems are being connected to the Internet. For companies that want to be more efficient, it’s tough to ignore the promises of the Industrial Internet of Things (IIoT): improved efficiency, increased productivity, lowered costs, enhanced automation, and even superior safety. Lurking behind all the bright and shiny positives Internet connectivity can bring are the many vulnerabilities that are inherent to the IT world.
In a sense, industrial control environments are fragile, slow-paced, and not great with changes. Traffic in these environments is exceedingly low compared to a regular IT network and, for the most part, the technology has been in place for more than 10 years and was not developed with Internet connectivity in mind, let alone cybersecurity. Systems were physically isolated and security measures revolved around policy, air gapping, and preventing outside exposure. Connecting these systems to the outside world has the potential to quickly wreak havoc.
By definition, the only safe system is one that is not connected to the Internet; that much is easy. No doubt, hacking experts would advise maintaining air gaps and not connecting to the Internet, but there’s considerable debate over whether this advice is feasible. Indeed, can business and industrial networks really remain separate?
Even unconnected systems are vulnerable to infected USB flash drives or malicious, careless, or baffled insiders. Hackers used spear-phishing to infiltrate the German steel mill and prevent a blast furnace from shutting down. Google dorking got the alleged Iranian hackers into the New York dam control system and, had a certain sluice valve not been disconnected for maintenance, it might have meant flood gates opening.
Jon Geater, CTO at cybersecurity firm Thales e-Security, argued that it’s vital that robust security be put in place to safeguard critical infrastructure. “As ‘software eats the world’ and everything becomes data driven – even those things made of concrete, steel and flesh – we need to adapt our data protection strategies to fit the nuanced needs of these newly digital industries,” he added.
“To achieve the future smart and green connected cities that we want at the speed we want them they must reuse what the IT industry has already provided, both on premise or increasingly in the cloud. That means that without expert adaptation they get the same kinds of problems we’ve been seeing for years in IT, but more worryingly – in this example – with more serious repercussions if things go wrong.”