ICS cyber insecurity: Not if, but when

Think Again: A major cyber security incident will happen to industrial control systems (ICS): not if, but when. Are you and your coworkers ready? Is your organization ready? Do you have the technologies, processes, and procedures ready at every level?

By Mark T. Hoske March 17, 2015

Hackers are knocking at the door daily of facilities with industrial control systems, whether you choose to acknowledge it or not. When someone lets them in, how will you and your organization, customers, partners, and supply chain respond?

Some experts equate today’s cyber security maturity level to where plant floor safety was before OSHA. Ignoring risk will NOT make it go away. Get cyber security help, make multi-layered plans and policies for defense in depth, invest in technologies to promote defense by design, talk about it with employees, and encourage them to talk among themselves. Cyber security advice flowed readily at ARC Forum 2015, February in Orlando, Fla., in multiple sessions and in question-and-answer sessions. 

Ignorance is not an answer

Stephen Biller, PhD, chief manufacturing scientist, GE, talking about Internet of Things (IoT) and cyber security, said, "Companies don’t have a choice. They have to invest in IoT; otherwise, they will be out of business. Doing nothing is a much higher risk. Cyber security has to be at the highest level."

Many cyber security technologies are available. To name a few discussed at ARC Forum:

  • Cisco, Shell, and Yokogawa announced a collaborative effort to provide cyber security solutions for about 50 Shell facilities.
  • Bedrock Automation showed a defense by design automation system, with hardened backplane, I/O modules, power supplies, and programmable logic controller (PLC).
  • Skkynet introduced its Secure Cloud Service to enable bidirectional supervisory control, integration, and sharing of data with multiple users, and real-time access to selected data sets in a web browser. That service can securely handle more than 50,000 data changes per second, per client.

But think again if you consider technology investments enough. 

People are trusting

Computer crimes and fraud often enter via social engineering; the weakest points often are the people behind the computers, according to David E. Nelson, FBI special agent with its cyber division. Part of his job is to help companies with intrusion detection testing in person, over the phone, and via computer; 85% of the time he’s successful. It’s hardly as spectacular as "CSI: Cyber."

In such a test, Nelson often starts with a receptionist, like this: "This is Joe with IT. I just started last week and have been working with Larry Smith. We patched the computers last night, and yours didn’t take for some reason. I’ll send you a patch link where you can enter your username and password so we can get this taken care of right away." Nelson said while that sounds ridiculously easy, it often works.

Another useful ploy: "I can go anywhere on site as a Verizon employee and am never questioned." And if he were, a fake ID and believable story would be easy to produce. 

Vulnerability assessment: Never?!

Despite all the discussion and education, it doesn’t seem like we’re ready for cyber security threats. A recent poll at www.controleng.com asked, "When is the last time your organization performed any type of a cyber security vulnerability assessment?" About half (as of Feb. 21) said, "Within past 6 months," but a stunning one-third said, "Never," 10% said, "Within the past 2 years," and 6% said, "Within the past year."

Are people in your organization discussing cyber security? Michael Siegel, MIT Sloan School of Management, principal research scientist, suggested companies track and acknowledge cyber security breaches to raise awareness, like with industrial safety.

When a cyber security breach happens to you, is your response plan ready?

– Mark T. Hoske, content manager, CFE Media, Control Engineering, mhoske@cfemedia.com.

ONLINE extra

Learn more via Control Engineering Cyber Security Research at Home.

This article online contains more cyber security advice, tips, and discussions from the 2015 ARC Forum linked below.

Control Engineering cyber security channel 

Author Bio: Mark Hoske has been Control Engineering editor/content manager since 1994 and in a leadership role since 1999, covering all major areas: control systems, networking and information systems, control equipment and energy, and system integration, everything that comprises or facilitates the control loop. He has been writing about technology since 1987, writing professionally since 1982, and has a Bachelor of Science in Journalism degree from UW-Madison.