Beating the hackers
29 Jan 2007
The very different worlds of industry and the computer hacker are on a collision course, cyber security experts warn. The problem is knowing the scale of this threat as few companies are willing to discuss, let alone admit, failures of their security systems that might expose them to attacks, loss of revenue and reputation, and legal action.
Among those tracking the situation is the British Columbia Institute of Technology (BCIT) in Canada, which maintains an industrial security incident database (ISID). This garners information about attacks on process control networks and SCADA systems on a confidential basis from 22 major companies in the energy, oil & gas, food and water industries worldwide.
By spring 2006, the ISID had recorded 135 incidents, said Eric Byres, who helped develop the database and is now director, industrial security at Wurldtech Analytics.
In a presentation to Honeywell's User Group conference, held 13-16 Nov in Seville, Spain, Byres suggested that this figure could be extrapolated to 400-500 incidents on control systems in the US alone, adding that the real number could be an order of magnitude or two higher.
While he noted that the frequency of incidents has been tapering off since a sudden spike in 2001, Byres warned that incidents are becoming more serious.
At the end of 2001 the typical incident profile was 58% accidental, 15% internal and 27% external. Three months later external attacks suddenly leapt up to represent 61% of incidents, compared with 32% accidental, 2% internal and 5% others.
According to Byres, the main factors behind this change were the development of viruses and automated worms that didn't require the computer users to activate them and the widespread adoption of the Industrial Ethernet. He also believes that the publicity following the 9/11 terrorist attacks in the US put SCADA and other industrial control systems on the hacker's radar.
The ISID has also tracked the nature of cyber attacks, with the current profile showing malware 68%, system penetration 13% and sabotage 13%. Almost two-thirds of the external incidents involved viruses, Trojans and worms, while the ISID recorded over a dozen incidents with significant control impacts that were initiated by simple network scans.
But while 53% of external attacks are via the Internet, industrial companies offer hackers many other areas of vulnerability.
Byres cited incidents such as that at the Davis-Besse nuclear plant in Ohio in 2004 when the Slammer worm penetrated the network via an interconnected contractor's network. Likewise, he noted attacks on a power company via a VPN and a petroleum company system via a laptop. More common though, he added, was the chemical plant knocked out when an operator brought in a PC for games and gave it the same IP as the control system.
Evidence of hacker activity in the industrial environments can also be picked up at Black Hat events — conferences where hackers, security experts, government officials, network administrators and others discuss computer security issues. A recent conference in Birmingham, for example, included a presentation — How safe is a glass of water? — on how to break into the UK water system.
Hacking, said Byres, "is no longer for fun", with organised professional criminals carrying out custom-built attacks to extort money from organisations. Such activities "are today focused on the banking industry, but moving into our sector," he warned.
How alert is the process industry to these apparent risks?
According to Richard Tamworth, research programme manager at Frost & Sullivan, the "super majors", particularly in the oil & gas sector, are driving industry response to this issue.
Citing a recent F&S industry survey of end-user perceptions of cyber security issues, Tamworth said the leading multinationals were taking steps such as integrating IT and DCS technologies, drawing up statements of priorities and initiating security strategies with their suppliers.
By contrast, Tamworth said, there was much less acceptance of responsibilities among SMEs and only a limited understanding of these issues by their managements. This is despite the fact that the degree of risk is as big, if not bigger, for smaller companies, which have, proportionally, much more to lose from a cyber security incident.
The response to cyber security issues is very much company-specific rather than being addressed at industrial level, continued Tamworth.
The F&S study found that there were even discrepancies within companies. Most IT specialists were giving the matter a lot of attention but their senior managers had much more variable levels of understanding and willingness to approve resource investments, said Tamworth.
For his part, Byres linked such attitudes to some common misconceptions. These, he said, range from the belief that not much has changed so "we're safe" to the view that hackers don't understand control technologies such as SCADA and DCS and that these systems are intrinsically safe anyway.
The good news is that the process industry is becoming much more alert to these issues and that there is now a range of test solutions and products coming out onto the market. There is also continuing progress with initiatives to develop security certification and standards in areas such as PLC and DCS vulnerability testing.
"You can secure a control system but it takes concerted effort," said Byres. "Plant floor cyber security needs to be as universal as plant floor safety and the next 10 years will see a culture develop."
Industry can use about 90% of what's been learned in the IT world but must identify and address the other 10% that doesn't work on the plant floor, said Byres. For example, password systems that lock you out after three invalid entries might be okay in IT, but not for a mission-critical oil & gas operation.
"In the IT world you can put patches in and have firewall software, anti-virus software and encryption. But you cannot do that with controls, so it is essential to add a controller in front that does all the heavy lifting when it comes to security," said Byres.
Firewalls should be designed for the industrial environment. Off-the-shelf firewalls are not industrially hardened, and it is really difficult to manage hundreds of firewalls around a plant. Industrial firewalls should also be able to learn what type of devices they are testing, for example by having electronic data sheets for those devices.
Also, "staff operating and maintaining critical control systems are highly trained control systems specialists and not IT or security specialists. An electrician can't afford to worry about creating access control lists for firewalls or configuring encryption certificates," Byres concluded.