Control system cyber security worries

What do process control system owners worry about? Here are some cyber security concerns sent in by readers in a recent survey.

12/22/2009


In the January issue of Control Engineering , there will be an article that examines the results of a recent industrial cyber security survey. One question asked, "Does your organization believe there are threats and risks associated with your information control system that could affect your business? If Yes, what specific risks do you suspect / know exist?" Respondents had the opportunity to write in remarks. Looking at those, the results are very widely scattered, but there are a few that appear with some consistency.

• Typical network troubles, such as viruses, Trojans, spam, worms, spyware, phishing, and other malware are mentioned frequently.

• Internal attacks, either inadvertent or deliberate. The term "disgruntled (ex-)employee" came up a number of times.

• Transfer of malware or proprietary data via a thumb drive or a careless contractor's computer.

• Loss or theft of proprietary information. For example: "Company records, instrumentation values, and status are all at risk." "Loss of intellectual property." "Data safety comes to be a big issue. Many business plans will lose their value if the information is revealed before it's implemented."

• Problems that could disrupt or shut down control systems. For example: "We are not worried about starting, stopping equipment, or changing set points, just unknowingly overloading networks and/or stopping processors." "An intruder could flood the control network with messages such that the control system bogs down." "Spam is a threat as it clogs the information‘superhighway.'" "Outside attacks meant only to snoop a network can stop a processor."

While most responses were brief and general, there were some that were more detailed and specific:

"Significant vulnerabilities within the open systems world based on Microsoft technologies have presented countless risks to the control systems user. This, coupled with a flood of wireless products from vendors that do not seem to place a high priority on cyber security, present today's control system user with enormous risks of an attack on their key plant assets. This is further compounded by vendors' unwillingness to openly document their own vulnerabilities and how to utilize proven countermeasures to minimize your exposure to these risks."

"1. Virus, worms, hackers. 2. Internal or external unauthorized modification or deletion of data. 3. Unauthorized viewing/theft of information. 4. Environment damage or harm to humans. 5. Interruption of normal operation of control system or safety system. 6. Loss or theft of product."

"Internal data or file damage by employees for malicious reasons. If there is a way to get at it, they will. Access to online programming software by unauthorized personnel could cause a machine motion function to occur, causing injury or death to other employees."

"We need remote access to our systems via the Internet. We know that that creates a risk. We need trained people to help us reduce this risk. There are very few people that understand control systems and their networks and the internet along with network security skills."

"Weaknesses in existing operating systems and applications coming from Microsoft are inherent in the architecture and can never be corrected until the architecture is altered in ways that will likely render it incompatible with its application base. Other operating systems fare only somewhat better as they adopt the very same weaknesses to retain interoperability between embedded and server systems."

"1. Possible access to control network. 2. Possible open access at various points in system. 3. Not enough or secure enough firewalls between corporate network and control network 4. Bad password management. 5. Possible back doors through phone modems."

It's clear from the results that many users have a realistic concept of the threats facing industrial control systems. Still, 23.6% of the respondents answered "no" to the question, "Does your organization believe there are threats and risks associated with your information control system that could affect your business?" The fact that so many don't believe there is a risk may, in some ways, be one of the biggest risks in itself.

Read Cyber security for legacy control systems .

Read the Control Engineering industrial cyber security blog .

 

-Peter Welander, process industries editor, PWelander@cfemedia.com
Control Engineering Process & Advanced Control Monthly eNewsletter
Register here to select your choice of free eNewsletters .





No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
Each year, a panel of Control Engineering editors and industry expert judges select the System Integrator of the Year Award winners.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Learn how to create value with re-use; gain productivity with lean automation and connectivity, and optimize panel design and construction.
Go deep: Automation tackles offshore oil challenges; Ethernet advice; Wireless robotics; Product exclusives; Digital edition exclusives
Lost in the gray scale? How to get effective HMIs; Best practices: Integrate old and new wireless systems; Smart software, networks; Service provider certifications
Fixing PID: Part 2: Tweaking controller strategy; Machine safety networks; Salary survey and career advice; Smart I/O architecture; Product exclusives
The Ask Control Engineering blog covers all aspects of automation, including motors, drives, sensors, motion control, machine control, and embedded systems.
Look at the basics of industrial wireless technologies, wireless concepts, wireless standards, and wireless best practices with Daniel E. Capano of Diversified Technical Services Inc.
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
This is a blog from the trenches – written by engineers who are implementing and upgrading control systems every day across every industry.
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Control Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.