Control System Security Threats, Security / Reliability Incidents, Useful Industrial Cyber Security Tips
Recently I was asked “How could a hacker possibly attack an industrial controller like a PLC or SIS, since there is no operating system in these devices?”
Now some manufacturers would like people to believe there is no operating system in a controller, but unfortunately this is not true. Every RTU, PLC, SIS or DCS controller on the market today has a commercial operating system in it. For example, here are just a few I have worked directly with in the past:
Nowadays Stuxnet has become a household term the second anyone talks about cyber security for industrial control systems (ICS). This sophisticated piece of malware first identified in 2010, showed just how powerful an ICS compromise could be in terms of both the impact to manufacturing operations and the possibility of mechanical damage. Was this an isolated attack, unlikely to occur again, or the beginning of a new era in ICS security issues?
One of the mantras about good SCADA security is that it is primarily dependent on people and processes, not technology.
Thus if you have an ICS security problem, first look for solutions such as user training or better processes rather than technology solutions. This sounds good on the surface, but I’m not sure it’s true.
Performing tasks securely just isn’t part of human nature. Doing them the easiest way possible is. Unless the secure way is also the easy way, security will lose 9 times out of 10.
A lot of people are re-examining this question and giving it higher priority after learning about Stuxnet and the recent publishing of SCADA system vulnerabilities on the Internet. It is no longer possible to believe that ‘air gaps’ between your systems and the rest of the world, or that ‘security by obscurity’ are effective security strategies.
At approximately 11:00 a.m. EDT last Saturday morning (April 16, 2011), The Repository for Industrial Security Incidents (RISI) received the following email:
Subject: Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED