Everybody’s talking about cybersecurity these days, but just how concerned should industry be?
During an aside at a conference I attended about a year ago, a representative for a major control systems provider told me that most of their large customers were facing attempted cyber attacks on a regular basis. This statement was an eye-opener for me, as it provided some level of confirmation that cyber threats to industry aren’t just limited to major events like Stuxnet, but rather present a more persistent danger. Prior to this chat session, I had read a number of reports about cyber threats to industry, but it was difficult to quantify how pressing the concern was, as most industrial end-users, for obvious reasons, were pretty hush about the cyber threats they faced. That said, information continues to emerge showing cybersecurity is a growing and very real concern for industry.
According to a report issued last month by the Repository for Industrial Security Incidents, the transportation and water & wastewater industry sectors have both experienced large increases in the number of reported cybersecurity incidents, up 160 percent and 60 percent, respectively, from 2001 through the end of 2012. RISI, an industry-wide repository for information regarding cybersecurity incidents that directly affect industrial control (IC) and supervisory control and data acquisition (SCADA) systems, says that while IC and SCADA have been a cybersecurity concern for more than a decade, they have come under increased scrutiny following the discovery of the Stuxnet worm in 2010, the Duqu worm in 2011, and the Shamoon virus in 2012. Equally concerning for industrial users is that, according to RISI’s data, 33 percent of all ICS security incidents were perpetrated through remote access.
Another sign that cybersecurity is a major concern for industry can be found in the increased efforts to establish best practices and protocols for protecting industrial systems from cyber threats. For example, representatives of the Automation Federation (www.automationfederation.org) advised the U.S. National Institute of Standards and Technology (NIST) in the development of a National Cybersecurity Framework, which was published in October in preliminary draft form. The Automation Federation is also hosting a free seminar in February 2014 to discuss how the framework impacts industrial automation control systems (IACS) security.
Meanwhile, the ISA99 Committee, a standards effort led by industrial cybersecurity experts worldwide, published its most recent standard, ISA-62443-3-3-2013, Security for Industrial Automation and Control Systems Part 3-3: System Security Requirements and Security Levels, in August. It is designed to address risks arising from the growing use of business information technology (IT) cybersecurity solutions for IACS cybersecurity in complex manufacturing and processing applications.
So it appears the race is on—those who aim to protect IC and SCADA systems are working to gain a step on those who seek unauthorized access to those systems. And while the existence of industrial cyber threats cannot be denied, the question now is: Can the good guys outpace the multitude of cyber threats lurking in the shadows?
I’d love to hear your thoughts on this topic. Are we doing enough to “cybersecure” critical industrial systems? My email address is provided below.
Thanks for your readership,
— Matt Migliore, Director of Content