Eric Byres is CEO, Byres Security Inc.
David Leversage lectures at the British Columbia Institute of Technology
Nate Kube is CTO, Wurldtech Security Technologies
Industrial Ethernet Book Issue 39:2
Supervisory Control and Data Acquisition (SCADA) and industrial control
systems, with their traditional reliance on proprietary networks and
hardware, have long been considered immune to the cyber attacks suffered
by corporate information systems. Unfortunately, both academic research
and in-the-field experience indicate that this confidence is misplaced.
The move to open standards such as Ethernet, TCP/IP, and web technologies
allows hackers and virus writers to take advantage of the control
industry's inexperience with these threats. The result is a growing number
of unpublicised cyber security events that are affecting critical
infrastructure and manufacturing industries.
Eric Byres, David Leversage and Nate Kube
In making the case against complacency about control system security,
this report summarises the incident information collected in the
Industrial Security Incident Database (ISID). It describes a number of
events that have directly affected process control systems indicating
that the number of cyber incidents against SCADA and control systems
worldwide has increased significantly since 2001. The majority of these
incidents are coming from the Internet by way of opportunistic viruses,
Trojan horses, and worms, but a surprisingly large number are directed
acts of sabotage. In addition, the analysis indicates that many
SCADA/process control networks (PCN) have poorly documented points of
entry that provide secondary pathways into the system.
Historically, the industrial control and SCADA systems that are
responsible for monitoring and controlling our critical infrastructures
and manufacturing processes have operated in isolated environments.
These control systems and devices communicated with each other almost
exclusively, and rarely shared information with systems outside their
As more components of control systems become interconnected with the
outside world using IP-based standards, the probability and impact of a
cyber attack will increase. In fact, there is increasing concern among
both government officials and control systems experts about potential
cyber threats to the control systems that govern critical
infrastructures. Even the flaws in SCADA-specific technologies have
become general knowledge: detailed presentations on how to exploit SCADA
vulnerabilities have been given at Black Hat public gatherings [1]. What
is lacking is good historical data to either back up or dismiss these
concerns. Event data collected over the past five years by ISID could
provide objective, relevant statistical data for security decisions.
The Industrial Security Incident Database
In early 2001 a security research team at the British Columbia Institute
of Technology (BCIT) was asked by a major petroleum refining facility to
investigate the possibility that their control systems could be impacted
by cyber-related events such as hacking or viruses. In the course of
this study it became apparent that accurate historical data on cyber
impacts was badly lacking in the SCADA and process industries, making
accurate risk assessment extremely difficult.
To address this shortcoming, the authors founded ISID with assistance
from Justin Lowe of PA Consulting. Modelled after similar safety-related
databases in the process industries, ISID is intended to serve as an
industry-wide repository for collecting, analysing, and sharing high
value information regarding cybersecurity incidents that directly affect
SCADA, manufacturing, and process control systems. It provides a
historical record of industrial cybersecurity incidents from which
industry can gain a realistic understanding of the risks associated
with industrial cyber threats. It also gives its members reliable
information for adapting current security policies to reflect the
changing dynamics of industrial cybersecurity. ISID attempts to address
questions such as:
* Which cybersecurity incidents are fact and which are urban myth?
* How urgent is the security risk to control systems?
* What security vulnerabilities are exploited?
* What are the threat sources?
* How serious are the consequences?
Incidents are obtained from either organisations voluntarily submitting
a reporting form to ISID investigators, or from ISID staff harvesting
reports from public sources such as the Internet, discussions at
SCADA/industrial cybersecurity conferences, and relevant industrial
publications. When an event is either submitted by an ISID member or
noted in a public forum, it is reviewed and verified by the ISID
As of June 30, 2006, 116 incidents had been investigated and logged in
the ISID database, with a further 12 incidents pending investigation and
entry. Of these 116 records, nine with a reliability rating of Unknown or
Unlikely and one rated Hoax/Urban Legend were excluded from analysis. One
additional incident was excluded because its event date field was null,
so it could not be placed in a time series. This left 105 records, which
were used for the analysis presented in the remainder of this report.