ICS cyber insecurity: Not if, but when

Think Again: A major cyber security incident will happen to industrial control systems (ICS): not if, but when. Are you and your coworkers ready? Is your organization ready? Do you have the technologies, processes, and procedures ready at every level?

03/17/2015


Hackers knock daily at the doors of facilities with industrial control systems, whether you choose to acknowledge it or not. When someone lets them in, how will you and your organization, customers, partners, and supply chain respond?

Some experts equate today's cyber security maturity level to where plant floor safety was before OSHA. Ignoring risk will NOT make it go away. Get cyber security help, make multi-layered plans and policies for defense in depth, invest in technologies to promote defense by design, talk about it with employees, and encourage them to talk among themselves. Cyber security advice flowed readily at ARC Forum 2015, held in February in Orlando, Fla., in multiple sessions and in question-and-answer sessions.

Ignorance is not an answer

Stephen Biller, PhD, chief manufacturing scientist, GE, talking about Internet of Things (IoT) and cyber security, said, "Companies don't have a choice. They have to invest in IoT; otherwise, they will be out of business. Doing nothing is a much higher risk. Cyber security has to be at the highest level."

Many cyber security technologies are available. To name a few discussed at ARC Forum:

  • Cisco, Shell, and Yokogawa announced a collaborative effort to provide cyber security solutions for about 50 Shell facilities.
  • Bedrock Automation showed a defense by design automation system, with hardened backplane, I/O modules, power supplies, and programmable logic controller (PLC).
  • Skkynet introduced its Secure Cloud Service to enable bidirectional supervisory control, integration, and sharing of data with multiple users, and real-time access to selected data sets in a web browser. That service can securely handle more than 50,000 data changes per second, per client.

But think again if you consider technology investments enough. 

People are trusting

Computer crimes and fraud often enter via social engineering; the weakest points often are the people behind the computers, according to David E. Nelson, FBI special agent with its cyber division. Part of his job is to help companies with intrusion detection testing in person, over the phone, and via computer; 85% of the time he's successful. It's hardly as spectacular as "CSI: Cyber."

In such a test, Nelson often starts with a receptionist, like this: "This is Joe with IT. I just started last week and have been working with Larry Smith. We patched the computers last night, and yours didn't take for some reason. I'll send you a patch link where you can enter your username and password so we can get this taken care of right away." Nelson said while that sounds ridiculously easy, it often works.

Another useful ploy: "I can go anywhere on site as a Verizon employee and am never questioned." And if he were, a fake ID and believable story would be easy to produce. 

Vulnerability assessment: Never?!

Despite all the discussion and education, it doesn't seem like we're ready for cyber security threats. A recent poll at www.controleng.com asked, "When is the last time your organization performed any type of a cyber security vulnerability assessment?" About half (as of Feb. 21) said, "Within past 6 months," but a stunning one-third said, "Never," 10% said, "Within the past 2 years," and 6% said, "Within the past year."

Are people in your organization discussing cyber security? Michael Siegel, MIT Sloan School of Management, principal research scientist, suggested companies track and acknowledge cyber security breaches to raise awareness, like with industrial safety.

When a cyber security breach happens to you, is your response plan ready?

- Mark T. Hoske, content manager, CFE Media, Control Engineering, mhoske@cfemedia.com.

ONLINE extra

Learn more via Control Engineering Cyber Security Research at www.controleng.com/ce-research.

This article online contains more cyber security advice, tips, and discussions from the 2015 ARC Forum linked below.

Control Engineering cyber security channel 


