Is the Risk Real?

Media reports have highlighted a number of incidents where computer viruses and worms specifically targeted industrial control systems (ICS). Systems can be infected through USB drive usage, remote access, and wireless connectivity. Like a personal computer, a plant automation system could be shut down or operate incorrectly if control systems are infected and not proactively protected against a cyber-attack.

According to the DHS ICS-CERT 2010 Year in Review [1], 2010 saw an increase in advanced persistent threat activity affecting organizations across all critical infrastructure sectors. In addition, a June 16, 2010 Government Accountability Office (GAO) report [2] found that federal agencies reported approximately 30,000 incidents to US-CERT in fiscal year 2009, representing an increase of more than 400 percent compared to 2006. In most cases, these attacks focused on corporate espionage with the intent to gain a competitive advantage in regional or global markets. Although control systems are not the typical target, all pathways from a business network should be considered if a compromise has breached the control network.

Moreover, 2010 also represented an unprecedented year for the control systems community. The emergence of Stuxnet, the first malware created specifically to target ICS, signaled a paradigm shift. Stuxnet demonstrated that organizations must be operationally prepared with tools, systems, and personnel to detect malicious activity and effectively mitigate the impact to their control systems. Stuxnet highlighted the interdependencies and vulnerabilities that exist in legacy control system environments and demonstrated that motivated groups are interested in attacking critical infrastructure.  

Control systems are increasingly interconnected to other plant and business systems to share valuable data using standard communications protocols. Also, most ICS vendors are incorporating standard information technology into their systems, which can expose these systems to modern malware threats, even if those threats are not intended for the plant floor. 

For further information on 2010 cyber threats, you should access the DHS ICS-CERT report, 2010 Year In Review.

[1] DHS ICS-CERT 2010 Year in Review, Washington, D.C.: Department of Homeland Security, January 2011: p. 2.

[2] GAO, Cybersecurity: Continued Attention is Needed to Protect Federal Information Systems from Evolving Threats, Washington, D.C.: June 2010: p. 3.