One of the first ever global reports into industrial cyber security, The Myths and Facts behind Cyber Security Risks for Industrial Control Systems, reveals a tenfold increase in successful cyber attacks on process and supervisory control and data acquisition (SCADA) systems since 2000.
Many of the attacked systems were responsible for the operation of critical services such as electricity, petroleum production, nuclear power, water, transportation and communications.
The report was produced jointly by security experts at the British Columbia Institute of Technology (BCIT) and PA Consulting Group (PA).
The writers of the report say that its findings will shock many in the engineering and IT community. Process control and automation systems have traditionally been seen as immune to external attack, as systems were based on proprietary technologies and isolated from other IT systems.
But the 10 reported cyber attacks in 2003 are likely to be just the tip of the iceberg, as few companies are willing to report such incidents for fear of attracting further attack or negative publicity. Industry estimates indicate that between 100 and 500 unreported industrial cyber attacks occur every year.
The study also highlights the significant safety, environmental, reputational and financial risks that organisations are running every day, by failing to adequately address the threat of cyber attack on their plants and factories. Of those organisations that put a figure on the impact of cyber attacks on their process control and automation systems, 50% experienced financial losses of more than $1 million.
Analysis shows that the increase in successful industrial cyber attacks is the result of three factors: an increasing alignment of process control and corporate IT systems, the fact that corporate IT security measures often cannot be applied to process control systems and increasingly powerful and malicious cyber threats, such as worms, viruses and hackers.
Research was based on data collated in the BCIT Industrial Security Incident Database, dating back to 1981. The sharp increase in cyber attacks since 2000 prompted a full study into the changing trends in industrial cyber security, the impacts, and what organisations can do to prevent attack and the potentially disastrous outcomes. Recent examples of such attacks include the Slammer Worm infiltration of an Ohio nuclear plant and several power utilities, and a wireless attack on a sewage system in Australia.
“The results were a surprise to us because they indicate that industry has been focusing their security efforts in the wrong direction. The real threat is coming from outside the organisation, rather than from within, as most of us originally believed. The variety and complexity of the different attack vectors is also a big concern. We can’t just throw in a firewall and hope all our security problems will be solved. It is going to require a disciplined, multi-layer defence if we are going to get the security our critical infrastructures under control,” said BCIT researcher Eric Byres.
“All organisations that are reliant on process control and automation systems need to sit up and listen to the results of this study. Industrial cyber security incidents cannot be ignored – they are occurring more frequently, are more destructive and have serious business impacts. Organisations need to engage with both their engineering and IT employees, to undertake security risk assessments of all their control systems and ensure effective protection measures are deployed,” added Justin Lowe from PA Consulting Group.
The results of the study were previewed at the ISA Expo 2004 in Houston on October 5.
The full findings will be presented between October 18 to 20 at the VDE Congress in Berlin, Germany.