In the past, if your industrial control system suffered an electronic attack, the odds favored an inside job. But if your company is still operating under that assumption, Eric Byres has got news for you.
“This was a shock for me,” says Byres, a research faculty member at the British Columbia Institute of Technology (BCIT), which maintains a database of cyber security incidents that directly affect industrial control systems and processes. “All of the sudden, our threat sources have changed. It’s no longer coming from the inside. It’s coming from the outside.”
Byres, who heads up cyber security research at BCIT, in Burnaby, British Columbia, Canada, delivered his comments during a forum on cyber security at ISA Expo 2004, Oct. 5-7, in Houston, sponsored by the Instrumentation, Systems and Automation Society.
Historically, more than two thirds of cyber security incidents affecting Supervisory Control and Data Acquisition (SCADA) systems have resulted either from accidents, acts by disgruntled employees or other inappropriate employee activity, Byres told the ISA audience. “This is something I’ve seen reported over and over again, and that I always agreed with, that 70 percent of our problem is internal, and that 30 percent is external.” The assumption, he said, was that if industrial companies dealt effectively with their inside cyber security issues, that most of their SCADA security problems would go away.
Outside attackers
But when Byres recently began examining data compiled over the past several years at BCIT, he discovered a changing scenario. Compared to the period from 1982 through 2000, when 31 percent of reported control system security incidents came from outside of companies, the number of externally generated incidents jumped to 70 percent for those reported from 2001 through 2003 (see accompanying chart: "Industrial Cyber Incidents").
Among other things, Byres attributes the shift to a wider use of common Information Technology (IT) standards such as Ethernet, Microsoft Windows and Web Services within industrial control systems, more links between control system networks and business networks, and a growing awareness of control system vulnerabilities by cyber criminals and others. “The hacking community is starting to wake up. Before, they didn’t know how to spell SCADA,” he said, but now they do.
Byres said that a majority of external attacks are still general, IT-style attacks that are virus or “malware” driven, posing a threat to the overall IT infrastructure of a company, including its plant control systems. “But we’re also seeing more incidents that are definitely aimed at the processing floor environment,” he noted.
Additionally, there are indications that more attacks may be directed at embedded factory systems. These attacks “won’t be IT specific. They won’t impact the Windows box, but will be going after the embedded systems that are underlying our actual control systems,” said Byres. “Most of it is chatter right now, but we’ve seen a few actual incidents.”
Terrorist intent
The same vulnerabilities available to hackers could also be exploited by terrorists, noted Dave Sanders, director of the Control System Security Center at the U.S. Department of Homeland Security, who also spoke at the ISA forum. Compared to hackers, “there’s no difference in the way that terrorists are going to get into your networks,” said Sanders. “The real difference is going to be the intent and the payload, and maybe even the consequences. The intent will be specifically directed at targets within your critical infrastructure—your control system, or possibly even a substation,” Sanders warned, in reference to the power and electrical industry.
A BCIT analysis of 24 recent control system security incidents involving external sources revealed, not surprisingly, that 36 percent came in through the Internet, said Byres. “But an awful lot are coming in through other ways, including dial-up modems, VPN (virtual private network) connections, remote wireless systems and trusted third party connections,” he added (see accompanying chart: "How They Get In"). For example, the BCIT database shows that the so-called “Slammer Worm” had at least four different infiltration paths into control systems it impacted, Byres said. These included a contractor’s T1 line, a VPN, an employee’s home laptop computer and a dial-up modem. In at least three of these cases, Internet firewalls were in place.
Given the complexity of modern SCADA and control systems and the many “back doors” available, a firewall alone is no longer enough, Byres told ISA attendees. With the threat model changing from primarily insiders to sophisticated outsiders, companies need to re-evaluate the boundary security of their control systems, considering all possible intrusion points, he advised. And they also need to beef up security on the equipment and systems on the plant floor to better withstand possible attacks, he added.
“We really need to harden that whole perimeter, and then once we’re inside the perimeter, we actually have to harden the control system itself,” Byres concluded. “We can no longer afford to have our control systems be crunchy on the outside but soft on the inside.”
