Industrial Control Systems Under Attack


Posted on: February 17, 2016 by Paul Visser

A threat more readily associated with Hollywood, the idea that hackers can access and control vital infrastructure or industrial production tools, is a frightening thought. Indeed, embattled former police officer John McClane spends over two hours of the fourth instalment of the famed Die Hard franchise battling terrorists as they seek to target the US’ reliance on computer controls and take down critical services such as transportation grids and the stock market.

Thankfully, digitally-led attacks causing physical damage are still exceedingly rare – though they do happen as an unnamed German steel mill discovered. After hackers disrupted the facility’s Industrial Control System (ICS) the blast furnace was unable to be shut properly, causing extensive damage to the mill.

The attack on the unfortunate steel mill was only the second such instance of an ICS hack, and the first against a private sector enterprise. The other known incident – known as Stuxnet – is far more contentious and shrouded in secrecy. Believed – though never openly confirmed – to be a joint venture between American and Israeli security agencies, Stuxnet was a malicious computer worm aimed at sabotaging Iran’s nuclear program. Unlike traditional viruses or worms, rather than hijacking control or stealing information, Stuxnet was able to disrupt physical processes – in this instance causing failures in centrifuges of Iran’s Natanz uranium enrichment plant.

Changing Needs

The implications of both incidents are huge. Concerns over the trustworthiness of the IT systems controlling utilities and infrastructure cannot be underestimated and in many cases are literally a matter of life and death. Industrial Control Systems are used in all manner of contexts – from bridges to sewers; power plants to bank vaults.

A relatively new issue, it is only in recent years that production systems have been directly connected to an organization’s network. And while it has offered a number of benefits – from automating production processes, to providing a real-time overview of a facility, or enabling new business models – it has in turn further increased an organization’s ‘attack surface’, leaving the business more vulnerable to cyberattacks.

Understanding the System

In every Industrial Control System there are three key components: The Supervisory Control and Data Analysis (SCADA) system, which gathers and distributes information about production processes; the Control System Network (CSN), which connects all end-points; and the Product Logic Controller (PLC), a hardware-based card, with programmable logic that is electrically connected to the equipment. It is the latter that is most susceptible to attack. The PLC provides the control aspect of an Industrial Control System, and, unusually in the world of IT, it contains both production and development systems – meaning that code can be modified and changed even while it is in motion. This is how disruption occurs, as hackers are able to edit codes in real-time to create havoc in the system.

An attack on a PLC can disrupt in two ways: firstly, in disturbing production – such as opening a bridge or closing a valve. Secondly, in changing the speed of a production system – for example, altering ventilation frequency, or conveyer belt speeds.

Part of the concern over ICS vulnerability comes from the niche nature of these technologies. With the production team often siloed, separate even from the general IT department, organizations can overlook the importance of ICS security. Many firms are likely to be unaware of how many distributed control networks they even have – it’s simply not at the top of their mind – but it needs to be. Furthermore, the industry has engaged in large scale outsourcing of production facilities, many of which are managed remotely by third parties. This in turn has created further direct internet connectivity, once again increasing the attack surface.

The potential for cyber attacks on ICS is terrifying. For an organization, it could take you out of business; for a country, it could shut you down. Including ICS within the scope of the IT department and closing the chink in the armour is vital.

Share this blog article


About Paul Visser

Practice leader Governance Risk & Compliance
Paul Visser is the Practice leader Governance Risk & Compliance  within Atos Consulting in the Netherlands. With over 16 years’ experience, Paul has developed expertise in risk-based auditing as well as the use and management of complex control frameworks. Offering expertise in a number of fields - including risk analysis and management, data protection and process control - Paul is service leader for the Audit and Assurances services and the Cloud consulting offerings. As a principal consultant he advises organizations on the strategic choices regarding quality management, internal control and external compliance.

Follow or contact Paul