By the numbers…


11/01/2007


89 percent of control networks are connected to the enterprise, which in turn is interconnected to the Internet, according to Paul Dorey in “Security Management in Process Control: The 3 Waves of Adoption,” Process Control Systems Forum Spring 2006 Conference; www.pcsforum.org ; https://www.pcsforum.org/events/2006/spring/briefings/Dorey,%20Paul%20Keynote%20final.pdf

$100+ billion is the size of the global market for cyber-crime, as estimated and cited by Cyber Security and Communications Assistant Secretary Greg Garcia at the National Cyber Security Awareness Month Kick-Off Summit in October 2007; www.dhs.gov/xnews/releases/pr_1191270671928.shtm

2,000 to 3,000 is the estimated number of industrial cyber security incidents that are probably occurring per year to Fortune 500 companies alone, according to an estimate cited in “Security Incidents and Trends in the SCADA and Process Industries: A statistical review of the Industrial Security Incident Database (ISID),” prepared by Eric Byres, David Leversage, and Nate Kube for Symantec; www.symantec.com

63 percent of respondents in Deloitte and Touche’s latest (2007) Global Security Survey say they have established a security strategy. Download the complete report at www.deloitte.com/dtt/cda/doc/content/us_fsi-DeloitteGlobalSecuritySurvey2007.pdf

20 years—or more—that many automation systems have been in place, using older technology and having been designed before systems were exposed to outside threats, according to ARC Advisory Group in a report for Siemens Energy & Automation on IT Security for Process Control; www.arcweb.com ; www.sea.siemens.com/industrialsecurity .

99 designation given to the Instrumentation, Systems, and Automation (ISA) Society’s standard on manufacturing and control systems security. ISA SP-99, a work in progress, says its mission, in part, is to define procedures for implementing electronically secure manufacturing and control systems and security practices and assessing electronic security performance; www.isa.org/standards

100 security incidents a year or more are experienced by industry according to the British Columbia Institute of Technology (BCIT) industrial cyber security incident database. This and other statistics are noted in the BCIT report on “The Myths and Facts behind Cyber Security Risks for Industrial Control Systems;” www.bcit.ca/appliedresearch/security/publications.shtml

10 control system security threats identified by the North American Electric Reliability Corp. in its report: “10 Top Vulnerabilities of Control Systems and Their Associated Mitigations.” Download the latest (2007) version at ftp://www.nerc.com/pub/sys/all_updl/cip/2007_Top_10_Final_Approved_by_CIPC.pdf ; www.nerc.com

21 steps to improving cyber security of SCADA networks, according to a U.S. Department of Energy report. Download the PDF at www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf

8 reliability standards on cyber security adopted by NERC, the North American Electric Reliability Corp.; www.nerc.com/cip.html

Additional resources

Here are U.S. government and private agencies that offer excellent resources for learning more about industrial cyber security and infrastructure protection:

British Columbia Institute of Technology (Burnaby, BC, Canada) Technology Center includes an Industrial Cyber Security section. See the Publications link for a variety of resources. ( www.bcit.ca/appliedresearch/security )

Business publications and trade journals such as Control Engineering ( www.controleng.com ) provide articles and resources on the security of control systems, SCADA systems, and more. Search security and SCADA on their home pages.

US-CERT (United States Computer Emergency Readiness Team; www.us-cert.gov ), a partnership between the Department of Homeland Security and the public and private sectors formed in 2003 to protect the nation’s Internet infrastructure. This agency has an excellent self-assessment tool that can help begin a security dialog in a company. This website contains a wealth of information including a library of references, standards, recommended practices, and

Also see CERT (Computer Emergency Readiness Team; www.cert.org ), located at Carnegie Mellon University’s Software Engineering Institute. It studies Internet security vulnerabilities, researches long-term changes in networked systems, and develops information and training to help improve security. CERT is the home of the CERT Coordination Center ( www.cert.org/certcc.html ), which addresses risks at the software and system level.

Department of Homeland Security ( www.dhs.gov ) includes a variety of programs including the Homeland Security Institute and the National Critical Infrastructure Protection and Development Plan.

Federal Energy Regulatory Commission ( www.ferc.gov ) regulates and oversees energy industries of the American public, including cyber security in the bulk power system.

Idaho National Labs ( www.inl.gov ). The mission of the INL is to ensure U.S. energy security with safe, competitive, and sustainable energy systems and unique national and homeland security capabilities.

National Institute of Standards and Technology ( www.nist.gov ) includes materials on infrastructure protection and cyber security within its Technologies for Public Safety and Security Information for Industry section.

North American Electric Reliability Corp. ( www.nerc.com ) is dedicated to improving the reliability and security of the bulk power system in North America.

PCSF (Process Control Systems Forum; www.pcsforum.com ) is a collaboration of representatives from government and academia; industry users, owner/operators, systems integrators; and members of the vendor community who work to advance the design, development, and deployment of more secure control and legacy systems.

Sandia National Laboratories ( www.sandia.gov ) develops science-based technologies that support U.S. national security. Areas of focus include homeland security and energy and infrastructure assurance.

SANS Institute ( www.sans.org ) is a source for information security training, certification, and research. Topics covered include firewall protection, hacking, and intrusion detection.

System and software vendors offer a selection of generic and product-related information on their websites. For example, Siemens Energy & Automation at www.sea.siemens.com/industrialsecurity provides guidelines and recommendations for creating a secure architecture using SIMATIC PCS 7.

U.S. Department of Energy ( www.energy.gov ) offers information on matters of national security, including cyber security and facility security.
