|
Cyber Security concerns of Internet connected plant control systems. Saturday, June 12, 2004 Is your plant’s control system connected to the Internet? (or to another system that is connected to the Internet?) Are you worried about hackers or “cyber terrorists”? The General Accounting Office of the U. S. government thinks you should be. According to a GAO report released in March and testimony by one of its officials at a congressional hearing, there is a growing threat to the security of critical infrastructure due to hacker attacks on plant control systems. The GAO is an agency of Congress that monitors the activity of the U. S. Government and delivers reports as requested by members of Congress. One of their studies covered the treat to critical facilities by computer attack, over the internet, to digital plant control systems. According to the report: Control systems can be vulnerable to a variety of types of cyber attacks that could have devastating consequences—such as endangering public health and safety; damaging the environment; or causing a loss of production, generation, or distribution by public utilities. The report states that control systems have already been subject to attacks, including one to a sewage system in Australia in 2000 and one to a nuclear power plant in Ohio. According to the GAO report, in January 2003, the Microsoft SQL Server worm, known as Slammer, infected a private computer network at the Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours. Slammer reportedly also affected communications on the control networks of at least five other utilities by propagating so quickly that control system traffic was blocked. The GAO cites several major trends have increased the vulnerability of control systems to cyber attacks: Control systems are adopting standardized technologies with known vulnerabilities. Older, proprietary hardware and software limited to the use of one control system vendor made it difficult for hackers to understand the detailed operation of the control system software. Control systems are connected to other networks. Until recently no one would be able to gain access to a control system through the internet because there were no connections to the internet. However, there has been a recent trend to connect control systems to plant wide networks to allow access to the control system from offices remote from the control equipment. This also allows, however, a way for hackers to breach the security and enter a system. The GAO also complained that “insecure connections exacerbate vulnerabilities” and that “information about infrastructures and controls systems is publicly available. The GAO recommended that the Secretary of Homeland Security develop a strategy for coordinating private sector and government agency work to improve control system security. ISA, The Instrument, Systems, and Automation Society, standards committee SP99 (Manufacturing and Control Systems Security Standards) was established to address the security threat. The committee has released two reports, "Security Technologies for Manufacturing and Control Systems" (ISA-TR99.00.01-2004) and "Integrating Electronic Security into the Manufacturing and Control Systems Environment" (ISA-TR99.00.02-2004). The first report examines 28 technologies currently available to the control systems user. The second report discusses the methodologies needed to secure a control system. One obvious method of securing a control system: just don’t connect a control system to any system connected to the Internet. Of course, you lose functionality related to the convenience of data transfer to other plant or company areas, but you gain security. |