PA arc
PA arc PA Consulting Group is a leading global management, systems and technology consulting firm. Committed to innovation, responsive to our clients' needs, and focused on delivery of value, PA designs and delivers innovative solutions to complex business issues.
PA in the news
 
PA in the business news
Press releases
    2008
    2007
    2006
    2005
    2004
    2003
    2002
    2001
    2000
    1999
    1998
    1997
Articles by PA
Articles about PA
Award-winning client work
  Contact us

2004

New and original study on industrial cyber security reveals at least tenfold increase in number of successful attacks on process control and SCADA systems since 2000 - 04 October 2004

One of the first ever global reports into industrial cyber security, The myths and facts behind cyber security risks for industrial control systems, reveals a ten-fold increase in successful cyber attacks on process control and SCADA (supervisory control and data acquisition) systems since 2000. Many of the attacked systems were responsible for the operation of critical services such as electricity, petroleum production, nuclear power, water, transportation and communications.

The report was produced jointly by security experts at the British Columbia Institute of Technology (BCIT) and PA Consulting Group (PA).

The report findings will shock many in the engineering and IT community. Industrial process control and automation systems have traditionally been seen as immune to external attack, as systems were based on proprietary technologies and isolated from other IT systems. But the ten reported cyber attacks in 2003 are likely to be just the tip of the iceberg, as few companies are willing to report such incidents for fear of attracting further attack or negative publicity. Industry estimates indicate that between 100 and 500 unreported industrial cyber attacks occur every year.

The situation is being further exacerbated by new efforts by the hacker community to specifically target process control and SCADA systems for attack. A recent hacker conference included a demonstration on how to attack a water utility control system.

The study also highlights the significant safety, environmental, reputational and financial risks that organizations are running everyday, by failing to address adequately the threat of cyber attack on their plants and factories. Of those organizations that put a figure on the impact of cyber attacks on their process control and automation systems, 50% experienced financial losses of more than $1 million.

Analysis shows that the increase in successful industrial cyber attacks is the result of three factors:

  • an increasing alignment of process control and corporate IT systems;
  • the fact that corporate IT security measures often cannot be applied to process control systems;
  • and increasingly powerful and malicious cyber threats, such as worms, viruses and hackers.

Research was based on data collated in the BCIT Industrial Security Incident Database, dating back to 1981. The sharp increase in cyber attacks since 2000 prompted a full study into the changing trends in industrial cyber security, the impacts, and what organizations can do to prevent attack and the potentially disastrous outcomes. Recent examples of such attacks include the Slammer Worm infiltration of an Ohio nuclear plant and several power utilities, and a wireless attack on a sewage system in Australia.

Eric Byres, BCIT researcher, says:

“The results were a surprise to us because they indicate that industry has been focusing its security efforts in the wrong direction. The real threat is coming from outside the organization, rather than from within, as most of us originally believed. The variety and complexity of the different attack methods is also a big concern. We can’t just throw in a firewall and hope all our security problems will be solved. It is going to require a disciplined, multi-layer defense if we are going to get the security of our critical infrastructures under control.”

Justin Lowe, PA Consultant, says:

 “All organizations that are reliant on process control and automation systems need to sit up and listen to the results of this study. Industrial cyber security incidents cannot be ignored – they are occurring more frequently, are more destructive and have serious business impacts. Organizations need to engage with both their engineering and IT employees, to undertake security risk assessments of all their control systems and ensure effective protection measures are deployed.”

The results of the study will be previewed at the ISA Expo 2004 in Houston on 5 October 2004, North America’s annual event for automation and control professionals.  http://www.appcluster05.com/App/homepage.cfm?moduleid=651&appname=353

The full findings will be presented on 18-20 October 2004 at the VDE Congress in Berlin, Germany. The VDE Congress is the one of the key annual conferences of electrical engineers in Europe. http://www2.vde.de/veranstaltungen/de/va/esd_181004.htm?target_lang=en 

To obtain a copy of the report The myths and facts behind cyber security risks for industrial control systems or speak to the authors, contact Eric Byres (BCIT) or Stephanie Henderson (PA Consulting Group).

For more information, please contact: 

Stephanie Henderson
PA Consulting Group
123 Buckingham Palace Road
London
SW1W 9SR
United Kingdom

Tel: +44 20 7312 4617
Fax: +44 20 7312 4612
E-mail: stephanie.henderson@paconsulting.com
 

Notes to editors

1. About the report
The myths and facts behind cyber security risks for industrial control systems

Authors
Eric Byres, P. Eng.      
Research Faculty - Critical Infrastructure Security Consultant
British Columbia Institute of Technology   
Burnaby, BC, Canada
and
Justin Lowe
PA Consulting Group
London, UK

Report abstract
Process control and SCADA systems, with their reliance on proprietary networks and hardware, have long been considered immune to the network attacks that have wrecked so much havoc on corporate information systems.  Unfortunately, new research indicates this complacency is misplaced - the move to open standards such as Ethernet, TCP/IP and web technologies is letting hackers take advantage of the control industries ignorance. This paper summarizes the incident information collected in the BCIT Industrial Security Incident Database (ISID), describes a number of events that directly impacted process control systems and the lessons that can be learned from these security events.

2. For copies of the report or to obtain the charts from the report please contact the BCIT or PA Consulting Group as above.

3. About the British Columbia Institute of Technology (BCIT)
BCIT is Canada’s premier polytechnic institution. BCIT builds pathways for career success with full-time and part-time studies leading to certificates, diplomas and applied bachelor’s degrees. Technological innovation demands higher levels of applied knowledge. BCIT’s dedicated resources for applied research support their extensive linkages with business and industry, such as those in the industrial cyber security arena.

BCIT is the only Canadian public post-secondary institution focusing its cyber-security research activities in the area of critical infrastructures and is widely considered a world leader in industrial cyber-security research.  It researchers are regular advisors to G7 government security agencies, major oil companies and power utilities. They have also testified to the US Congress on the “Security of Industrial Control Systems in National Critical Infrastructures” and received numerous awards. 

One of the key reasons for this success is the integration of research facilities that are unique internationally; the Internet Engineering Laboratory (IEL), and the Industrial Instrumentation Process Laboratory (IIPL).  The IEL, supported by the Canada Foundation for Innovation/BC Knowledge Development Fund, is one of only four research centres of its kind in North America.  It focuses on the design and management of advanced networks including research on issues such as network performance evaluation, network security and conformance to standards.  The IEL’s $1.5 million of network hardware and test equipment allow construction of network configurations used for testing innovative ideas about building data networks that are intrinsically more reliable and secure.  Researchers can recreate almost any network configuration from a small plant floor network to a nationwide Internet surrounded by edge “client” VPN networks. 

The IIPL is located adjacent to the IEL and contains a collection of large-scale industrial processes that is typical of critical infrastructure systems.  These systems are controlled by industry standard networks, fieldbuses, distributed control systems and programmable logic controllers from every major control manufacturer.  Combined, the IEL and IIPL offer researchers facilities that are unique in the world of industrial cyber security.

4. About PA Consulting Group
PA Consulting Group is a leading management, systems and technology consulting firm. Operating worldwide in more than 35 countries, PA draws on the knowledge and experience of 3,000 people, whose skills span the initial generation of ideas and insights all the way through to detailed implementation.

PA is fast becoming an established global leader in industrial process control security. It has been working with one of the world's largest energy companies to address the risk of cyber attack on process control and automation systems, and is also engaged with a number of other clients, critical national infrastructure and standards bodies to address the issue. PA’s experts in the field are in constant international demand as conference speakers.

PA builds and implements strategies for the creation and capture of shareholder and customer value for all its clients. We help accelerate business growth by developing innovative products for our clients and by the application of emerging technology. We deliver major transformation programs, mobilize human resources, and manage complex IT and technically-challenging programs. PA focuses on creating benefits for clients rather than merely proposing them, and our results-focused approach is founded on a unique commitment to excellence, independence and value:

  • Excellence. We are committed to unremitting excellence and quality in every aspect of our work: in our relationships with our clients, in the client assignments we deliver, and in the people we recruit and develop, who enjoy exciting and rewarding careers at PA.
  • Independence. PA is totally independent from outsourcing, software, hardware and audit providers. We are the pre-eminent client-side advisor on IT and outsourcing projects, and deliver, in partnership with our clients, business solutions tailored to our clients' needs, rather than solutions pre-determined by commercial alliances. As an employee-owned company, we are answerable to our clients and to ourselves only.
  • Value. PA's consultants bring an intense focus on delivering value through deep industry insight, the development and application of technology, and our culture of respect, collaboration and flexibility in working with clients.

www.paconsulting.com/process_control_security

  Previous  |    |  Next  |
Sign in |  Register
 
Advanced search
Site map    Help   
 
   
Locations  
 
  

* Request the full report: 'The myths and facts behind cyber security risks for industrial control systems'

* More about PA's process control security expertise

© PA Knowledge Limited 1997 - 2008 . All rights reserved.
Problems with, or comments on, this page? E-mail the PA webmaster
 

  Legal  
  Privacy policy  
  Site map  
  Help  
  Contact us