Control Systems Vulnerable, Experts Say
Businesses and government agencies must re-examine the growing threat of cyber-terrorism to automated computer systems running power grids, dams and other industrial facilities, security experts said at the Instrumentation, Systems and Automation Society’s annual conference in October.
From 1982 until about 2000, problems with such systems usually were associated with internal accidents or inappropriate employee behavior, said Eric Byres, manager of Critical Infrastructure Security Research at the British Columbia Institute of Technology.
In researching the problem, Byres examined 13 incidents of industrial intrusion between the years 1982 and 2000. The results showed that incidents were almost evenly split between accidental, internal, and external sources, with only 31 percent of the events being generated from outside the company. Accidents, inappropriate employee activity, and disgruntled employees accounted for most of the problems.
Analysis of the same events for the 2001 to 2003 period revealed that externally generated incidents accounted for 70 percent of all events, indicating a change in threat source.
“A control system is a very complex system that has a lot of back doors,” he says. “We have to re-evaluate the way we protect our systems.”
Byres had no definite answers, but there are a few possible explanations for the impact on industrial control systems. First, the emergence of automated worm attacks, starting with Code Red in July 2001, has meant that many of the intrusions have become nondirected and automated. The control system has become just a target of opportunity rather than a target of choice.
Second, Lowe and Byres said, common operating systems (e.g., Windows 2000 or Linux) and applications (e.g., SQL Server) now dominate the Human Machine Interface (HMI), engineering workstation, and data historian systems. These often come configured more appropriately for business requirements and are vulnerable to a wide variety of common IT attacks and viruses.
David Sanders, director of critical infrastructure cyber security with the National Cyber Security Division at the Department of Homeland Security, told The Associated Press that hackers or terrorists can break into automated control systems by having companies violate their own security policies, by spreading viruses, or through software errors.
To educate the country on the growing problem and how to protect itself, Sanders said Homeland Security has created a strategy to help the industry build its own self-sustaining security culture.