05:46 PM
Connect Directly

Security Incidents Rise In Industrial Control Systems

Even with minimal Internet access, malware and breaches are increasingly occurring in utility, process control systems

While only about 10 percent of industrial control systems are actually connected to the Internet, these systems that run water, wastewater, and utility power plants have suffered an increase in cybersecurity incidents over the past five years.

A new report based on data gathered by the Repository of Industrial Security Incidents (RISI) database provides a rare look at trends in malware infections, hacks, and insider attacks within these traditionally cloistered operations. Cybersecurity incidents in petroleum and petrochemical control systems have declined significantly over the past five years--down more than 80 percent-- but water and wastewater have increased 300 percent, and power/utilities by 30 percent, according to the 2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems.

The database logs security incidents in process control, SCADA, and manufacturing systems, and gathers voluntary submissions from victim companies as well as from news or other reports.

Nearly half of all security incidents were due to malware infections -- viruses, worms, and Trojans, according to the report. With only a fraction of control systems connected to the Internet, these infections are occurring in other ways: "A lot of control systems are connected to their business networks which in turn may be connected to the Internet. It's several layers removed, but once there's a virus [on the business network], it finds its way into the control systems," says John Cusimano, executive director of the Security Incidents Organization, which runs the RISI database. "And you see USB keys bringing in malware" to the SCADA systems, for instance, or via an employee's infected laptop, he says.

Doug Preece, senior manager for smart energy services at Capgemini, says another entry point for malware are those process control system platforms that are based on Windows. "Some of these platforms have evolved over time to lower-cost, more open, Windows-based stuff," Preece says. "It's not connected to the Internet, so the ability to receive patches at the OS level is hampered. The management of these systems is not as closely monitored as it is at the enterprise OS level."

That leaves unpatched, out-of-date software running on the systems, which leaves them prone to attacks. "Out-of-date patching [makes] a highly vulnerable platform," Preece says. And all it takes is an infected USB stick or floppy drive to be popped into one of these machines and it's infected, he says.

At the time the report was published late last month, the database contained 175 confirmed incidents in the database, and Security Incidents Organization's Cusimano says the database averaged three- to four new incident reports per month.

Security experts say attacks targeting the power grid are likely to rise and intensify during the next 12 months, as smart grid research and pilot projects advance. So far, the RISI database has only logged a single smart grid incident, but such incidents are likely to increase, experts say.

Cusimano says the sole smart grid incident basically involved an HVAC system that knocked out service to thousands of residents in one community. "With the [federal] stimulus money, there are a lot of smart grid projects going in this year," he says. "The good news is that security" has been part of the equation from the get-go with these next-generation power grid systems, so it's not an afterthought, he says.

Even so, there are concerns that smart grid projects are moving forward a bit too fast, without allowing time for properly securing them, he says. Cusimano, whose day job is working with an automation consulting firm, says his company is working on a U.S. Department of Energy-funded smart grid project that has a tight timeline. "We have a very short deadline to prepare the security model," he says.

Page 2: Industry remains skeptical that it's at risk Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Julian Assange Arrested in London
Dark Reading Staff 4/11/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
The Single Cybersecurity Question Every CISO Should Ask
Arif Kareem, CEO, ExtraHop,  4/15/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-04-18
In Motorola CX2 1.01 and M2 1.01, users can access the router's /priv_mgt.html web page to launch telnetd, as demonstrated by the address.
PUBLISHED: 2019-04-18
An issue was discovered in Motorola CX2 1.01 and M2 1.01. The router opens TCP port 8010. Users can send hnap requests to this port without authentication to obtain information such as the MAC addresses of connected client devices.
PUBLISHED: 2019-04-18
An issue was discovered in Motorola CX2 1.01 and M2 1.01. There is a command injection in the function startRmtAssist in hnap, which leads to remote code execution via shell metacharacters in a JSON value.
PUBLISHED: 2019-04-18
An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the UEM service account.
PUBLISHED: 2019-04-18
PrinterOn Enterprise 4.1.4 contains multiple Cross Site Request Forgery (CSRF) vulnerabilities in the Administration page. For example, an administrator, by following a link, can be tricked into making unwanted changes to a printer (Disable, Approve, etc).