Well-known attacks on industrial control systems include the late 2014 breach of a South Korean nuclear plant’s computer systems. Earlier, in Australia, a disgruntled computer expert hacked into radio-controlled sewerage equipment and released raw sewage into parks and waterways. In 2012, Chinese hackers broke into the security system of a software vendor and stole the source code for its popular SCADA administration tool. With the code, the hackers could have launched cyberattacks against other energy companies.
Other types of control systems are also under scrutiny. After a vulnerability was identified in certain Internet-enabled vehicles that allowed remote control of the engine, steering and other systems, Fiat Chrysler is recalling 1.4 million vehicles for updated software to address the issue.
The energy sector was targeted in a third of the 245 cyberattacks on industrial control systems that a U.S. Dept. of Homeland Security team responded to in 2014. In June 2015, Arkansas Electric Cooperative Corp. President and CEO Duane Highley told U.S. senators, “We’ve already seen Pearl Harbor” for cyberattacks on utilities.
Cybersecurity was not a concern when most of today’s electric grid was built. Advancing technology has allowed utilities to add digital control equipment that uses modern networking to monitor and protect the grid. But those networks can become highways for hackers who succeed in breaking in.
Even the most modern control systems are typically behind the security-patch curve, leaving critical equipment vulnerable to attack. When you realize that control systems often are connected across networks, through the Internet or over wireless systems, you can see how quickly large sections of our economy could be brought down by a cyberattack.
Cybersecurity on industrial controls for water, power and transportation is more critical than for most business functions. For example, security for the power grid must secure electrical protection devices such as relays and fault detectors, but it can’t get in the way of the essential mission of keeping the lights on. One way to ensure that is to treat cybersecurity for control systems as a design and engineering goal rather than as a bolt-on addition to current equipment. An engineered strategic approach to cybersecurity can help stop an attack by:
• Identifying current security gaps both in control system processes and in design. An engineered approach then can address those gaps with changes in management policies, technology and processes.
• Designing automated systems and training staff to respond to malicious threats in a way that keeps equipment up and running.
• Ensuring the security of redundant control systems by simplifying the design. Complexity is the enemy of security. An engineered approach to cybersecurity looks at overall design goals and strives for a balance of automation and function.
• Monitoring for change. Selecting the right areas for monitoring requires an expert understanding of the effects on the control system.
• Maintaining up-to-date firmware and software. Also important is incident response, recovery planning and testing.
These bullet points follow the principle of designing and engineering control systems using resiliency, redundancy, monitoring and maintenance to match modern threats. The fundamental elements of design and engineering haven’t changed just because the Internet has allowed us to interconnect devices. Rather, the interconnection itself, while vastly improving the operation and efficiency of our systems, has heightened their exposure to greater threats than ever.
Many things that affect control system security are outside the control of system owners. But if we stick to sound engineering practices and are diligent in monitoring and maintenance, our automated control systems will withstand many forms of threat and provide the benefits and safety that are required to manage and protect our critical infrastructure.
The goal is not just to address today’s challenges, but to build for the future.
Jeff Pack, senior project engineer, specializes in cybersecurity services for POWER Engineers, Inc. He can be reached at (208) 288-6693, firstname.lastname@example.org.