
By the numbers…

-- Control Engineering, 11/1/2007

89 percent of control networks are connected to the enterprise, which in turn is interconnected to the Internet, according to Paul Dorey in “Security Management in Process Control: The 3 Waves of Adoption,” Process Control Systems Forum Spring 2006 Conference; www.pcsforum.org; https://www.pcsforum.org/events/2006/spring/briefings/Dorey,%20Paul%20Keynote%20final.pdf

$100+ billion is the size of the global market for cyber-crime, as estimated and cited by Cyber Security and Communications Assistant Secretary Greg Garcia at the National Cyber Security Awareness Month Kick-Off Summit in October 2007; http://www.dhs.gov/xnews/releases/pr_1191270671928.shtm

2,000 to 3,000 is the estimated number of industrial cyber security incidents that are probably occurring per year to Fortune 500 companies alone, according to an estimate cited in “Security Incidents and Trends in the SCADA and Process Industries: A statistical review of the Industrial Security Incident Database (ISID),” prepared by Eric Byres, David Leversage, and Nate Kube for Symantec; www.symantec.com

63 percent of respondents in Deloitte and Touche’s latest (2007) Global Security Survey say they have established a security strategy. Download the complete report at www.deloitte.com/dtt/cda/doc/content/us_fsi-DeloitteGlobalSecuritySurvey2007.pdf

20 years—or more—is how long many automation systems have been in place, using older technology and having been designed before systems were exposed to outside threats, according to ARC Advisory Group in a report for Siemens Energy & Automation on IT Security for Process Control; www.arcweb.com; www.sea.siemens.com/industrialsecurity.

99 designation given to the Instrumentation, Systems, and Automation (ISA) Society’s standard on manufacturing and control systems security. ISA SP-99, a work in progress, says its mission, in part, is to define procedures for implementing electronically secure manufacturing and control systems and security practices and assessing electronic security performance; www.isa.org/standards

100 security incidents a year or more are experienced by industry according to the British Columbia Institute of Technology (BCIT) industrial cyber security incident database. This and other statistics are noted in the BCIT report on “The Myths and Facts behind Cyber Security Risks for Industrial Control Systems;” www.bcit.ca/appliedresearch/security/publications.shtml

10 control system security threats identified by the North American Electric Reliability Corp. in its report: “10 Top Vulnerabilities of Control Systems and Their Associated Mitigations.” Download the latest (2007) version at ftp://www.nerc.com/pub/sys/all_updl/cip/2007_Top_10_Final_Approved_by_CIPC.pdf; www.nerc.com

21 steps to improving cyber security of SCADA networks, according to a U.S. Department of Energy report. Download the PDF at www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf

8 reliability standards on cyber security adopted by NERC, the North American Electric Reliability Corp.; www.nerc.com/cip.html

Additional resources

Here are U.S. government and private agencies that offer excellent resources for learning more about industrial cyber security and infrastructure protection:

British Columbia Institute of Technology (Burnaby, BC, Canada) Technology Center includes an Industrial Cyber Security section. See the Publications link for a variety of resources. (www.bcit.ca/appliedresearch/security)

Business publications and trade journals such as Control Engineering (www.controleng.com) provide articles and resources on the security of control systems, SCADA systems, and more. Search security and SCADA on their home pages.

US-CERT (United States Computer Emergency Readiness Team; www.us-cert.gov) is a partnership between the Department of Homeland Security and the public and private sectors, formed in 2003 to protect the nation’s Internet infrastructure. This agency has an excellent self-assessment tool that can help begin a security dialog in a company. The website contains a wealth of information, including a library of references, standards, recommended practices, and training.

Also see CERT (Computer Emergency Readiness Team; www.cert.org), located at Carnegie Mellon University’s Software Engineering Institute. It studies Internet security vulnerabilities, researches long-term changes in networked systems, and develops information and training to help improve security. CERT is the home of the CERT Coordination Center (www.cert.org/certcc.html), which addresses risks at the software and system level.

Department of Homeland Security (www.dhs.gov) includes a variety of programs including the Homeland Security Institute and the National Critical Infrastructure Protection and Development Plan.

Federal Energy Regulatory Commission (www.ferc.gov) regulates and oversees energy industries of the American public, including cyber security in the bulk power system.

Idaho National Labs (www.inl.gov). The mission of the INL is to ensure U.S. energy security with safe, competitive, and sustainable energy systems and unique national and homeland security capabilities.

National Institute of Standards and Technology (www.nist.gov) includes materials on infrastructure protection and cyber security within its Technologies for Public Safety and Security Information for Industry section.

North American Electric Reliability Corp. (www.nerc.com) is dedicated to improving the reliability and security of the bulk power system in North America.

PCSF (Process Control Systems Forum; www.pcsforum.com) is a collaboration of representatives from government and academia; industry users, owner/operators, systems integrators; and members of the vendor community who work to advance the design, development, and deployment of more secure control and legacy systems.

Sandia National Laboratories (www.sandia.gov) develops science-based technologies that support U.S. national security. Areas of focus include homeland security and energy and infrastructure assurance.

SANS Institute (www.sans.org) is a source for information security training, certification, and research. Topics covered include firewall protection, hacking, and intrusion detection.

System and software vendors offer a selection of generic and product-related information on their Websites. For example, Siemens Energy & Automation at www.sea.siemens.com/industrialsecurity provides guidelines and recommendations for creating a secure architecture using SIMATIC PCS 7.

U.S. Department of Energy (www.energy.gov) offers information on matters of national security, including cyber security and facility security.
