Control system cyber security worries

What do process control system owners worry about? Here are some cyber security concerns sent in by readers in a recent survey.

12/22/2009


In the January issue of Control Engineering, there will be an article that examines the results of a recent industrial cyber security survey. One question asked, "Does your organization believe there are threats and risks associated with your information control system that could affect your business? If Yes, what specific risks do you suspect / know exist?" Respondents had the opportunity to write in remarks. The responses are widely scattered, but a few themes appear with some consistency.

• Typical network troubles, such as viruses, Trojans, spam, worms, spyware, phishing, and other malware are mentioned frequently.

• Internal attacks, either inadvertent or deliberate. The term "disgruntled (ex-)employee" came up a number of times.

• Transfer of malware or proprietary data via a thumb drive or a careless contractor's computer.

• Loss or theft of proprietary information. For example: "Company records, instrumentation values, and status are all at risk." "Loss of intellectual property." "Data safety comes to be a big issue. Many business plans will lose their value if the information is revealed before it's implemented."

• Problems that could disrupt or shut down control systems. For example: "We are not worried about starting, stopping equipment, or changing set points, just unknowingly overloading networks and/or stopping processors." "An intruder could flood the control network with messages such that the control system bogs down." "Spam is a threat as it clogs the information 'superhighway.'" "Outside attacks meant only to snoop a network can stop a processor."

While most responses were brief and general, there were some that were more detailed and specific:

"Significant vulnerabilities within the open systems world based on Microsoft technologies have presented countless risks to the control systems user. This, coupled with a flood of wireless products from vendors that do not seem to place a high priority on cyber security, presents today's control system user with enormous risks of an attack on their key plant assets. This is further compounded by vendors' unwillingness to openly document their own vulnerabilities and how to utilize proven countermeasures to minimize your exposure to these risks."

"1. Virus, worms, hackers. 2. Internal or external unauthorized modification or deletion of data. 3. Unauthorized viewing/theft of information. 4. Environment damage or harm to humans. 5. Interruption of normal operation of control system or safety system. 6. Loss or theft of product."

"Internal data or file damage by employees for malicious reasons. If there is a way to get at it, they will. Access to online programming software by unauthorized personnel could cause a machine motion function to occur, causing injury or death to other employees."

"We need remote access to our systems via the Internet. We know that that creates a risk. We need trained people to help us reduce this risk. There are very few people that understand control systems and their networks and the internet along with network security skills."

"Weaknesses in existing operating systems and applications coming from Microsoft are inherent in the architecture and can never be corrected until the architecture is altered in ways that will likely render it incompatible with its application base. Other operating systems fare only somewhat better as they adopt the very same weaknesses to retain interoperability between embedded and server systems."

"1. Possible access to control network. 2. Possible open access at various points in system. 3. Not enough or secure enough firewalls between corporate network and control network. 4. Bad password management. 5. Possible back doors through phone modems."

It's clear from the results that many users have a realistic concept of the threats facing industrial control systems. Still, 23.6% of the respondents answered "no" to the question, "Does your organization believe there are threats and risks associated with your information control system that could affect your business?" The fact that so many don't believe there is a risk may, in some ways, be one of the biggest risks in itself.


-Peter Welander, process industries editor, PWelander@cfemedia.com
Control Engineering Process & Advanced Control Monthly eNewsletter