The physical protection and safety measures of the facility had dealt with any unwanted intruders just fine. The systems are locked up and unreachable, so what is the hype about?
"We have always done it this way, we don't need anything extra fancy, a new movement called IT Security, that will take time and cost too much money. Thank you, but no thank you."
There are two major problems I have with this:
- Physical protection does not protect against the insider threat and does not protect against digital intrusion.
- SCADA and I&C system software is not patched and upgraded as well as commercial systems are, because of the same false sense of security that has been haunting the industry for many years. [Ref 1]
The question "Do we really need cyber security?" strikes me as ignorant and not really excusable. In today's capitalistic economy, with our most precious assets being electricity, power grids, water and waste, gas, transportation, etc., we shall not forget that these systems and facilities are being converted to run with digital I&C or already run with digital I&C. So looking back, the question "Do we really need cyber security?" appears rather unnecessary and foolish to me.
The threat is real. I don't want to be the one that delivers the bad news, but I&C systems do face real cyber threats. Here are a couple of reasons:
- The facility and systems may be connected to a remote control station for vendor updates.
- Systems are not patched as regularly as commercial systems after commissioning. Software updates or changes happen only once in a blue moon, especially for subsystems and maintenance systems running on COTS.
- The Utility may not have a System Security Plan.
- The employees may be vulnerable to social engineering due to no or insufficient IT security training.
- In 2004 they had cataloged 34 incidents
- There are at least 100 industrial cyber incidents a year (extrapolating)
According to the Computer Security Institute and the FBI, most incidents go unreported, especially when small breaches happen. The BCIT data shows an increasing trend of incidents perpetrated by outsiders. Example:
- 31% being responsible during the 1980-2000 period
- 70% being responsible during the 2001-2003 period
Here are some I&C hack examples:
- SCADA raiders [Ref 4]:
- The slammer worm [Ref 5]:
- Safety Parameter Display System for five hours
- Plant Process Computer for six hours
- Stuxnet virus:
- Australia's Maroochy Shire Council Hack [Ref 1]:
The damage was that alarms were turned off, communication was lost, pumps were not activating at appropriate times, and raw sewage was released into the drinking water. Mr. Vitek Boden hacked into the facility from his car, using a data radio that he stole from his former employer and one of the local processors he had also stolen.
These few examples should show that I&C hacks and threats are real. I am sure current data is even more overwhelming.
The fact is that recognizing NPP digital assets as increasingly interesting targets for attackers is the right way of thinking. So stay ahead of the game: evaluate and implement IT security, utility-wide and system-specific.
- Wil Allsopp, 2009, Unauthorized Access, John Wiley and Sons.