Cybersecurity incidents in industrial control systems on the rise

Published 16 April 2010

The good news is that only about 10 percent of U.S. industrial control systems are actually connected to the Internet; the bad news is that even with minimal Internet access, malware and breaches are increasingly occurring in utility, process control systems; cybersecurity incidents in petroleum and petrochemical control systems have declined significantly over the past five years — down more than 80 percent — but water and wastewater have increased 300 percent, and power/utilities by 30 percent

Only about 10 percent of industrial control systems are actually connected to the Internet, but these systems, which run water, wastewater, and utility power plants, have suffered an increase in cybersecurity incidents over the past five years.

Dark Reading’s Kelly Jackson Higgins writes that a new report based on data gathered by the Repository of Industrial Security Incidents (RISI) database provides a rare look at trends in malware infections, hacks, and insider attacks within these traditionally cloistered operations. Cybersecurity incidents in petroleum and petrochemical control systems have declined significantly over the past five years — down more than 80 percent — but water and wastewater have increased 300 percent, and power/utilities by 30 percent, according to the 2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems.

The database logs security incidents in process control, SCADA, and manufacturing systems, and gathers voluntary submissions from victim companies as well as from news or other reports. Nearly half of all security incidents were due to malware infections — viruses, worms, and Trojans, according to the report. With only a fraction of control systems connected to the Internet, these infections are occurring in other ways: “A lot of control systems are connected to their business networks which in turn may be connected to the Internet. It’s several layers removed, but once there’s a virus [on the business network], it finds its way into the control systems,” says John Cusimano, executive director of the Security Incidents Organization, which runs the RISI database. “And you see USB keys bringing in malware” to the SCADA systems, for instance, or via an employee’s infected laptop, he says.

Doug Preece, senior manager for smart energy services at Capgemini, says another entry point for malware are those process control system platforms that are based on Windows. “Some of these platforms have evolved over time to lower-cost, more open, Windows-based stuff,” Preece says. “It’s not connected to the Internet, so the ability to receive patches at the OS level is hampered. The management of these systems is not as closely monitored as it is at the enterprise OS level.”

That leaves unpatched, out-of-date software running on the systems, which leaves them prone to attacks. “Out-of-date patching [makes] a highly vulnerable platform,” Preece says. All it takes is an infected USB stick or floppy drive to be popped into one of these machines and it’s infected, he says.

Higgins writes