Cybersecurity incidents in industrial control systems on the rise
that at the time the report was published late last month, the database contained 175 confirmed incidents in the database, and Security Incidents Organization’s Cusimano says the database averaged three- to four new incident reports per month.
Security experts say attacks targeting the power grid are likely to rise and intensify during the next twelve months, as smart grid research and pilot projects advance. So far, the RISI database has only logged a single smart grid incident, but such incidents are likely to increase, experts say.
Higgins quotes Cusimano to say that the sole smart grid incident basically involved an HVAC system that knocked out service to thousands of residents in one community. “With the [federal] stimulus money, there are a lot of smart grid projects going in this year,” he says. “The good news is that security” has been part of the equation from the get-go with these next-generation power grid systems, so it’s not an afterthought, he says.
Even so, there are concerns that smart grid projects are moving forward a bit too fast, without allowing time for properly securing them, he says. Cusimano, whose day job is working with an automation consulting firm, says his company is working on a U.S. Department of Energy-funded smart grid project that has a tight timeline. “We have a very short deadline to prepare the security model,” he says.
Higgins notes that, meanwhile, the RISI report’s findings of a major drop in chemical and petroleum security incidents may be the result of consolidated facilities and closed refineries, for instance, Capgemini’s Preece says.
Water plant and wastewater plant incidents may be higher because they are typically required to issue press releases of incidents to their communities, notes Cusimano.
Overall, 25 percent of the security incidents in process control systems were intentional, directed attacks, where an outside attacker or an insider breached the system, according to the report. Of the remaining 75 percent, half were malware-borne, and half where equipment breakdowns or failures of some sort. Insider attacks rose 30 percent over the last five years.
Cusimano noted that there was an improvement in the number of viruses infiltrating control systems: the number of malware incidents has dropped by 83 percent in the past five years. “Largely, companies are doing a better job at firewalling their control systems and using anti-virus protection,” he says. If companies were to address their accidental incidents, most of them would also be protected from most targeted attacks, he says.
Higgins quotes the report to say that the financial impact of these incidents on the organizations is rising: over the past five years, twice as many incidents added up to $10,000 to $100,000 in losses. The majority of incidents occurred in the United States.
The industrial process control sector remains largely unconvinced that they face major cybersecurity threats, Cusimano says. “There’s a lot of skepticism that there’s a real problem, particularly when it comes to doomsday scenarios like when the press talks about China or Russia breaking into a chemical plant to blow it up,” he says.
Like the IT versus security dynamic in many enterprises, there’s often a disconnect between the IT department and the SCADA group in process control, according to Cusimano. “The control system engineering department in control of the control systems and the plant’s IT department have yet to find a way to work well together,” he says. While the IT department looks at control systems as any other asset, it prioritizes confidentiality, then integrity, and then availability. “But the control systems department’s priorities are reversed: availability is paramount, then integrity and confidentiality.”