Technical Article: Security incidents and trends in SCADA and process industries


Eric Byres is CEO, Byres Security Inc.
David Leversage lectures at the British Columbia Institute of Technology
Nate Kube is CTO, Wurldtech Security Technologies
Industrial Ethernet Book Issue 39:2 
May 2007

Supervisory Control and Data Acquisition and industrial control systems, 
with their traditional reliance on proprietary networks and hardware, 
have long been considered immune to the cyber attacks suffered by 
corporate information systems. Unfortunately, both academic research and 
in-the-field experience indicate misplaced confidence. The move to open 
standards such as Ethernet, TCP/IP, and web technologies allows hackers 
and virus writers to take advantage of the control industry's ignorance. 
The result is a growing number of unpublicised cyber-based security 
events that are affecting critical infrastructure and manufacturing 
industries. Eric Byres, David Leversage and Nate Kube

In making the case against complacency about control system security, 
this report summarises the incident information collected in the 
Industrial Security Incident Database (ISID). It describes a number of 
events that have directly affected process control systems indicating 
that the number of cyber incidents against SCADA and control systems 
worldwide has increased significantly since 2001. The majority of these 
incidents are coming from the Internet by way of opportunistic viruses, 
Trojan horses, and worms, but a surprisingly large number are directed 
acts of sabotage. In addition, the analysis indicates that many 
SCADA/process control networks (PCN) have poorly documented points of 
entry that provide secondary pathways into the system.

Historically, the industrial control and SCADA systems that are 
responsible for monitoring and controlling our critical infrastructures 
and manufacturing processes have operated in isolated environments. 
These control systems and devices communicated with each other almost 
exclusively, and rarely shared information with systems outside their 

As more components of control systems become interconnected with the 
outside world using IP-based standards, the probability and impact of a 
cyber attack will heighten. In fact, there is increasing concern among 
both government officials and control systems experts about potential 
cyber threats to the control systems that govern critical 
infrastructures. Even the flaws in SCADA-specific technologies have 
become general knowledge; detailed presentations on how to exploit SCADA 
vulnerabilities have been given at black hat public gatherings [1]. What is 
lacking is good historical data to either back up or dismiss these 
concerns. Event data collected over the past five years by ISID could 
provide objective, relevant statistical data for security decisions.

The Industrial Security Incident Database

In early 2001 a security research team at the British Columbia Institute 
of Technology (BCIT) was asked by a major petroleum refining facility to 
investigate the possibility that their control systems could be impacted 
by cyber-related events such as hacking or viruses. In the course of 
this study it became apparent that accurate historical data on cyber 
impacts was badly lacking in the SCADA or process industries thus making 
accurate risk assessment extremely difficult.

To address this shortcoming, the authors founded ISID with assistance 
from Justin Lowe of PA Consulting. Modelled after similar safety-related 
databases in the process industries, ISID is intended to serve as an 
industry wide repository for collecting, analysing, and sharing high 
value information regarding cybersecurity incidents that directly affect 
SCADA, manufacturing, and process control systems. It provides an 
historical representation of industrial cybersecurity incidents from 
which industry can gain a realistic understanding of the risks 
associated with industrial cyber threats. It also gives its members 
reliable information support for adapting current security policies to 
reflect the changing dynamics of industrial cybersecurity. ISID attempts 
to address questions such as:

    * Which cybersecurity incidents are fact and which are urban myth?
    * How urgent is the security risk to control systems?
    * What security vulnerabilities are exploited?
    * What are the threat sources?
    * How serious are the consequences?

Incidents are obtained from either organisations voluntarily submitting 
a reporting form to ISID investigators, or from ISID staff harvesting 
reports from public sources such as the Internet, discussions at 
SCADA/industrial cybersecurity conferences, and relevant industrial 
publications. When an event is either submitted by an ISID member or 
noted in a public forum, it is reviewed and verified by the ISID 

As of June 30, 2006, there are 116 incidents that have been investigated 
and logged in the ISID database, with 12 incidents pending investigation 
and entry. Of these 116 records in the database, nine with a reliability 
of Unknown or Unlikely and one with the reliability of Hoax/Urban Legend 
were excluded from analysis. An additional incident was also excluded 
because it had null data in the event date field and could not be used 
to obtain trend data. This left 105 records that were used for the 
analysis presented in the remainder of this report.
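The record-selection rules described above (drop low-reliability entries and any record with a null event date, then bucket what remains by year) are easy to get wrong when a database grows, so here is an added example, not ISID's own code or schema, that applies them to a handful of constructed records; the field names and reliability labels are assumptions based on the text.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
from collections import Counter

# Reliability ratings the article says were excluded from the trend analysis.
EXCLUDED_RELIABILITY = {"Unknown", "Unlikely", "Hoax/Urban Legend"}

@dataclass
class Incident:
    """One ISID-style record (field names are assumed, not ISID's schema)."""
    incident_id: int
    reliability: str            # e.g. "Confirmed", "Likely", "Unknown", ...
    event_date: Optional[date]  # None models a null event-date field

def usable_for_trends(inc: Incident) -> bool:
    """Apply the article's exclusion rules: drop low-reliability records
    and records with no event date (a record with no date cannot be trended)."""
    if inc.reliability in EXCLUDED_RELIABILITY:
        return False
    if inc.event_date is None:
        return False
    return True

def filter_incidents(records):
    """Split records into (kept, excluded) so the exclusions can be audited."""
    kept = [r for r in records if usable_for_trends(r)]
    excluded = [r for r in records if not usable_for_trends(r)]
    return kept, excluded

def incidents_per_year(records):
    """Count usable incidents by event year, the input for a trend chart."""
    kept, _ = filter_incidents(records)
    return dict(sorted(Counter(r.event_date.year for r in kept).items()))

# Constructed sample records for illustration (not real ISID data).
SAMPLE = [
    Incident(1, "Confirmed", date(2001, 3, 5)),
    Incident(2, "Likely", date(2003, 7, 19)),
    Incident(3, "Unknown", date(2003, 9, 1)),       # excluded: reliability
    Incident(4, "Confirmed", None),                  # excluded: null event date
    Incident(5, "Hoax/Urban Legend", date(2004, 1, 2)),
    Incident(6, "Confirmed", date(2005, 11, 30)),
    Incident(7, "Unlikely", date(2005, 4, 4)),      # excluded: reliability
]

if __name__ == "__main__":
    kept, excluded = filter_incidents(SAMPLE)
    print(f"{len(kept)} usable, {len(excluded)} excluded:", incidents_per_year(SAMPLE))
```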

