Cyber Security and Control Networks: From Business Risks to Safety Risks

New cybersecurity threats are in the news every week, but an alarming trend is just starting to get attention: instead of only impacting the internal operations of computers and networks, attacks are now actually creating serious physical damage.  Starting with the “STUXNET” cyber-attack against Iran’s nuclear program aimed at damaging centrifuges, all the way up to recent reports of a cyber-attack causing massive damage to a German steel mill. This shift has serious implications.  When malicious hackers cross into controlling physical systems, the danger goes beyond physical damage to machines, and the potential loss of human life starts to become a reality.

These threats are real, and run the gamut from the most sophisticated hacking groups in the world with seemingly unlimited resources and access to zero-day exploits—perhaps coming from the governments funding these activities—to hacktivists looking to make political statements, to often the most dangerous threat: the disgruntled employee.

The risk to physical systems is growing due to the combination of two factors.  First, there is an explosion in the Industrial Internet of Things; everything is getting connected to IP networks, and traditional industrial control systems (ICS) – comprised of things like distributed control systems (DCS), programmable logic controllers (PLC), and sensors are all joining the same types of networks that we all use everyday to connect to the Internet.  This Industrial Internet of Things is just one part of the overall Internet of Things that can include everything from smart meters to smart coffee makers—research firm IDC estimates there will be over 28 billion IoT devices installed by 2020.

Although these control networks are kept separated from the typical corporate network and are generally not directly connected to the Internet, there are many possibilities that can allow someone with malicious intent to “jump” across those barriers or find a hole in the barriers that allow them access to these devices.  Once attackers have gained access they can do things like adjust the speed that centrifuges spin in order to damage a nuclear program, or increase the pressure in a system to extreme levels while disabling the monitors that would alert an operator to that dangerous condition.

Second, hackers are getting much more intelligent and sophisticated about how to attack industrial control systems.  In the past, most attacks targeted standard Windows PCs and Unix servers, and software from vendors like Microsoft  was often one of the biggest targets.  Now, hackers have set new targets and devices from vendors like Siemens & Rockwell are being studied to find holes.  ICS-CERT, a team within the US Department of Homeland Security, published nearly 100 new advisories last year about new vulnerabilities in industrial control systems.

Atomik Research recently conducted a survey on the “Enterprise Internet of Things” within the energy industry that examined the impact of these emerging security threats.  The findings indicate there is a great deal of concern about these issues today.    Over half the respondents said IoT devices had the potential to become the biggest security risk in their organization.  80% of survey respondents were “very” or “somewhat” concerned with the security risks of connecting IoT devices to their networks, but only 48% expected to receive any additional budget to protect these IoT devices.

The risk is real, and the industry is now recognizing that risk, so now the question is what can we do about it?   Assessing the risk is an important first step.  The industry is in a difficult position right now because although there is a constant stream of attacks going on against IT systems, for most organizations the attacks against industrial systems are still more of an impending problem than one they are already seeing today.   But ensuring the next risk assessment or safety assessment your organization conducts incorporates cyber-security attacks against industrial control systems as part of the plan will lay the groundwork for taking action.

A good place to start from a technology perspective is to put in place systems to monitor for cyber-attacks on control networks.  Since many attacks that happen go undetected for weeks or months, early detection can help reduce the impact and give you time to respond before an attack turns into a catastrophic problem.  Some of the most high-profile attacks in the news, both against industrial systems like STUXNET, and against retailers like Target, created massive damage mainly because the attackers were able to stay undetected for an extended period of time.

These cyber attacks are coming, will you be prepared?