Security Incidents Rise In Industrial Control Systems

Even with minimal Internet access, malware and breaches are increasingly occurring in utility, process control systems
Meanwhile, the RISI report's findings of a major drop in chemical and petroleum security incidents may be the result of consolidated facilities and closed refineries, for instance, Capgemini's Preece says.

Water plant and wastewater plant incidents may be higher because they are typically required to issue press releases of incidents to their communities, notes Cusimano.

Overall, 25 percent of the security incidents in process control systems were intentional, directed attacks, where an outside attacker or an insider breached the system, according to the report. Of the remaining 75 percent, half were malware-borne, and half where equipment breakdowns or failures of some sort. Insider attacks rose 30 percent over the last five years.

Cusimano noted that there was an improvement in the number of viruses infiltrating control systems: the number of malware incidents has dropped by 83 percent in the past five years. "Largely, companies are doing a better job at firewalling their control systems and using anti-virus protection," he says. And if companies were to address their accidental incidents, most of them would also be protected from most targeted attacks, he says.

The financial impact of these incidents on the organizations is rising: according to the report, over the past five years, twice as many incidents added up to $10,000 to $100,000 in losses. The majority of incidents occurred in the U.S.

But the industrial process control sector remains largely unconvinced that they face major cybersecurity threats, he says. "There's a lot of skepticism that there's a real problem, particularly when it comes to doomsday scenarios like when the press talks about China or Russia breaking into a chemical plant to blow it up," Cusimano says.

And like the IT versus security dynamic in many enterprises, there's often a disconnect between the IT department and the SCADA group in process control, according to Cusimano. "The control system engineering department in control of the control systems and the plant's IT department have yet to find a way to work well together," he says. While the IT department looks at control systems as any other asset, it prioritizes confidentiality, then integrity, and then availability. "But the control systems department's priorities are reversed: availability is paramount, then integrity and confidentiality"

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.