ICS cyber insecurity: Not if, but when

Think Again: A major cyber security incident will happen to industrial control systems (ICS): not if, but when. Are you and your coworkers ready? Is your organization ready? Do you have the technologies, processes, and procedures ready at every level?


Hackers are knocking daily at the door of facilities with industrial control systems, whether you choose to acknowledge it or not. When someone lets them in, how will you and your organization, customers, partners, and supply chain respond?

Some experts equate today's cyber security maturity level to where plant floor safety was before OSHA. Ignoring risk will NOT make it go away. Get cyber security help, make multi-layered plans and policies for defense in depth, invest in technologies to promote defense by design, talk about it with employees, and encourage them to talk among themselves. Cyber security advice flowed readily at ARC Forum 2015, held in February in Orlando, Fla., in multiple sessions and in question-and-answer sessions.

Ignorance is not an answer

Stephen Biller, PhD, chief manufacturing scientist, GE, talking about Internet of Things (IoT) and cyber security, said, "Companies don't have a choice. They have to invest in IoT; otherwise, they will be out of business. Doing nothing is a much higher risk. Cyber security has to be at the highest level."

Many cyber security technologies are available. To name a few discussed at ARC Forum:

  • Cisco, Shell, and Yokogawa announced a collaborative effort to provide cyber security solutions for about 50 Shell facilities.
  • Bedrock Automation showed a defense by design automation system, with hardened backplane, I/O modules, power supplies, and programmable logic controller (PLC).
  • Skkynet introduced its Secure Cloud Service to enable bidirectional supervisory control, integration, and sharing of data with multiple users, and real-time access to selected data sets in a web browser. That service can securely handle more than 50,000 data changes per second, per client.

But think again if you consider technology investments enough. 

People are trusting

Computer crimes and fraud often enter via social engineering; the weakest points often are the people behind the computers, according to David E. Nelson, FBI special agent with its cyber division. Part of his job is to help companies with intrusion detection testing in person, over the phone, and via computer; 85% of the time he's successful. It's hardly as spectacular as "CSI: Cyber."

In such a test, Nelson often starts with a receptionist, like this: "This is Joe with IT. I just started last week and have been working with Larry Smith. We patched the computers last night, and yours didn't take for some reason. I'll send you a patch link where you can enter your username and password so we can get this taken care of right away." Nelson said while that sounds ridiculously easy, it often works.

Another useful ploy: "I can go anywhere on site as a Verizon employee and am never questioned." And if he were, a fake ID and believable story would be easy to produce. 

Vulnerability assessment: Never?!

Despite all the discussion and education, it doesn't seem like we're ready for cyber security threats. A recent poll at www.controleng.com asked, "When is the last time your organization performed any type of a cyber security vulnerability assessment?" About half (as of Feb. 21) said, "Within past 6 months," but a stunning one-third said, "Never," 10% said, "Within the past 2 years," and 6% said, "Within the past year."

Are people in your organization discussing cyber security? Michael Siegel, MIT Sloan School of Management, principal research scientist, suggested companies track and acknowledge cyber security breaches to raise awareness, like with industrial safety.

When a cyber security breach happens to you, is your response plan ready?

- Mark T. Hoske, content manager, CFE Media, Control Engineering, mhoske@cfemedia.com.

ONLINE extra

Learn more via Control Engineering Cyber Security Research at www.controleng.com/ce-research.

This article online contains more cyber security advice, tips, and discussions from the 2015 ARC Forum linked below.

Control Engineering cyber security channel 
