ICS cyber insecurity: Not if, but when

Think Again: A major cyber security incident will happen to industrial control systems (ICS): not if, but when. Are you and your coworkers ready? Is your organization ready? Do you have the technologies, processes, and procedures ready at every level?


Hackers knock daily at the doors of facilities with industrial control systems, whether you choose to acknowledge it or not. When someone lets them in, how will you and your organization, customers, partners, and supply chain respond?

Some experts equate today's cyber security maturity level to where plant floor safety was before OSHA. Ignoring risk will NOT make it go away. Get cyber security help, make multi-layered plans and policies for defense in depth, invest in technologies to promote defense by design, talk about it with employees, and encourage them to talk among themselves. Cyber security advice flowed readily at ARC Forum 2015, held in February in Orlando, Fla., in multiple sessions and in question-and-answer sessions.

Ignorance is not an answer

Stephen Biller, PhD, chief manufacturing scientist, GE, talking about Internet of Things (IoT) and cyber security, said, "Companies don't have a choice. They have to invest in IoT; otherwise, they will be out of business. Doing nothing is a much higher risk. Cyber security has to be at the highest level."

Many cyber security technologies are available. To name a few discussed at ARC Forum:

  • Cisco, Shell, and Yokogawa announced a collaborative effort to provide cyber security solutions for about 50 Shell facilities.
  • Bedrock Automation showed a defense by design automation system, with hardened backplane, I/O modules, power supplies, and programmable logic controller (PLC).
  • Skkynet introduced its Secure Cloud Service to enable bidirectional supervisory control, integration, and sharing of data with multiple users, and real-time access to selected data sets in a web browser. That service can securely handle more than 50,000 data changes per second, per client.

But think again if you consider technology investments enough. 

People are trusting

Computer crimes and fraud often enter via social engineering; the weakest points often are the people behind the computers, according to David E. Nelson, FBI special agent with its cyber division. Part of his job is to help companies with intrusion detection testing in person, over the phone, and via computer; 85% of the time he's successful. It's hardly as spectacular as "CSI: Cyber."

In such a test, Nelson often starts with a receptionist, like this: "This is Joe with IT. I just started last week and have been working with Larry Smith. We patched the computers last night, and yours didn't take for some reason. I'll send you a patch link where you can enter your username and password so we can get this taken care of right away." Nelson said while that sounds ridiculously easy, it often works.

Another useful ploy: "I can go anywhere on site as a Verizon employee and am never questioned." And if he were, a fake ID and believable story would be easy to produce. 

Vulnerability assessment: Never?!

Despite all the discussion and education, it doesn't seem like we're ready for cyber security threats. A recent poll at www.controleng.com asked, "When is the last time your organization performed any type of a cyber security vulnerability assessment?" About half (as of Feb. 21) said, "Within past 6 months," but a stunning one-third said, "Never," 10% said, "Within the past 2 years," and 6% said, "Within the past year."

Are people in your organization discussing cyber security? Michael Siegel, MIT Sloan School of Management, principal research scientist, suggested companies track and acknowledge cyber security breaches to raise awareness, like with industrial safety.

When a cyber security breach happens to you, is your response plan ready?

- Mark T. Hoske, content manager, CFE Media, Control Engineering, mhoske@cfemedia.com.

ONLINE extra

Learn more via Control Engineering Cyber Security Research at www.controleng.com/ce-research.

This article online contains more cyber security advice, tips, and discussions from the 2015 ARC Forum linked below.

Control Engineering cyber security channel 
