Control system cyber security worries

What do process control system owners worry about? Here are some cyber security concerns sent in by readers in a recent survey.


In the January issue of Control Engineering , there will be an article that examines the results of a recent industrial cyber security survey. One question asked, "Does your organization believe there are threats and risks associated with your information control system that could affect your business? If Yes, what specific risks do you suspect / know exist?" Respondents had the opportunity to write in remarks. Looking at those, the results are very widely scattered, but there are a few that appear with some consistency.

• Typical network troubles, such as viruses, Trojans, spam, worms, spyware, phishing, and other malware are mentioned frequently.

• Internal attacks, either inadvertent or deliberate. The term "disgruntled (ex-)employee" came up a number of times.

• Transfer of malware or proprietary data via a thumb drive or a careless contractor's computer.

• Loss or theft of proprietary information. For example: "Company records, instrumentation values, and status are all at risk." "Loss of intellectual property." "Data safety comes to be a big issue. Many business plans will lose their value if the information is revealed before it's implemented."

• Problems that could disrupt or shut down control systems. For example: "We are not worried about starting, stopping equipment, or changing set points, just unknowingly overloading networks and/or stopping processors." "An intruder could flood the control network with messages such that the control system bogs down." "Spam is a threat as it clogs the information‘superhighway.'" "Outside attacks meant only to snoop a network can stop a processor."

While most responses were brief and general, there were some that were more detailed and specific:

"Significant vulnerabilities within the open systems world based on Microsoft technologies have presented countless risks to the control systems user. This, coupled with a flood of wireless products from vendors that do not seem to place a high priority on cyber security, present today's control system user with enormous risks of an attack on their key plant assets. This is further compounded by vendors' unwillingness to openly document their own vulnerabilities and how to utilize proven countermeasures to minimize your exposure to these risks."

"1. Virus, worms, hackers. 2. Internal or external unauthorized modification or deletion of data. 3. Unauthorized viewing/theft of information. 4. Environment damage or harm to humans. 5. Interruption of normal operation of control system or safety system. 6. Loss or theft of product."

"Internal data or file damage by employees for malicious reasons. If there is a way to get at it, they will. Access to online programming software by unauthorized personnel could cause a machine motion function to occur, causing injury or death to other employees."

"We need remote access to our systems via the Internet. We know that that creates a risk. We need trained people to help us reduce this risk. There are very few people that understand control systems and their networks and the internet along with network security skills."

"Weaknesses in existing operating systems and applications coming from Microsoft are inherent in the architecture and can never be corrected until the architecture is altered in ways that will likely render it incompatible with its application base. Other operating systems fare only somewhat better as they adopt the very same weaknesses to retain interoperability between embedded and server systems."

"1. Possible access to control network. 2. Possible open access at various points in system. 3. Not enough or secure enough firewalls between corporate network and control network 4. Bad password management. 5. Possible back doors through phone modems."

It's clear from the results that many users have a realistic concept of the threats facing industrial control systems. Still, 23.6% of the respondents answered "no" to the question, "Does your organization believe there are threats and risks associated with your information control system that could affect your business?" The fact that so many don't believe there is a risk may, in some ways, be one of the biggest risks in itself.

Read Cyber security for legacy control systems .

Read the Control Engineering industrial cyber security blog .


-Peter Welander, process industries editor,
Control Engineering Process & Advanced Control Monthly eNewsletter
Register here to select your choice of free eNewsletters .

No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
The System Integrator Giants program lists the top 100 system integrators among companies listed in CFE Media's Global System Integrator Database.
Each year, a panel of Control Engineering and Plant Engineering editors and industry expert judges select the System Integrator of the Year Award winners in three categories.
This eGuide illustrates solutions, applications and benefits of machine vision systems.
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Controller programming; Safety networks; Enclosure design; Power quality; Safety integrity levels; Increasing process efficiency
Additive manufacturing benefits; HMI and sensor tips; System integrator advice; Innovations from the industry
Robotic safety, collaboration, standards; DCS migration tips; IT/OT convergence; 2017 Control Engineering Salary and Career Survey
Featured articles highlight technologies that enable the Industrial Internet of Things, IIoT-related products and strategies to get data more easily to the user.
This article collection contains several articles on how automation and controls are helping human-machine interface (HMI) hardware and software advance.
This digital report will explore several aspects of how IIoT will transform manufacturing in the coming years.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Infrastructure for natural gas expansion; Artificial lift methods; Disruptive technology and fugitive gas emissions
Mobility as the means to offshore innovation; Preventing another Deepwater Horizon; ROVs as subsea robots; SCADA and the radio spectrum
Future of oil and gas projects; Reservoir models; The importance of SCADA to oil and gas
Automation Engineer; Wood Group
System Integrator; Cross Integrated Systems Group
Jose S. Vasquez, Jr.
Fire & Life Safety Engineer; Technip USA Inc.
This course focuses on climate analysis, appropriateness of cooling system selection, and combining cooling systems.
This course will help identify and reveal electrical hazards and identify the solutions to implementing and maintaining a safe work environment.
This course explains how maintaining power and communication systems through emergency power-generation systems is critical.
click me