Lab Canada

New industrial cyber security study reveals tenfold increase in attacks on process control and SCADA systems

Vancouver, BC – One of the first ever global reports into industrial cyber security, The Myths and Facts behind Cyber Security Risks for Industrial Control Systems, reveals a tenfold increase in successful cyber attacks on process and supervisory control and data acquisition (SCADA) systems since 2000. Many of the attacked systems were responsible for the operation of critical services such as electricity, petroleum production, nuclear power, water, transportation and communications.

The report was produced jointly by security experts at the British Columbia Institute of Technology (BCIT) and PA Consulting Group (PA).

Process control and automation systems have traditionally been seen as immune to external attack, as systems were based on proprietary technologies and isolated from other IT systems. But the ten reported cyber attacks in 2003 are likely to be just the tip of the iceberg, as few companies are willing to report such incidents for fear of attracting further attack or negative publicity. Industry estimates indicate that between 100 and 500 unreported industrial cyber attacks occur every year.

The study also highlights the significant safety, environmental, reputational and financial risks that organizations are running every day, by failing to adequately address the threat of cyber attack on their plants and factories. Of those organizations that put a figure on the impact of cyber attacks on their process control and automation systems, 50% experienced financial losses of more than $1 million.

Analysis shows that the increase in successful industrial cyber attacks is the result of three factors:

– an increasing alignment of process control and corporate IT systems;
– the fact that corporate IT security measures often cannot be applied to process control systems;
– and increasingly powerful and malicious cyber threats, such as worms, viruses and hackers.

Research was based on data collated in the BCIT Industrial Security Incident Database, dating back to 1981. The sharp increase in cyber attacks since 2000 prompted a full study into the changing trends in industrial cyber security, the impacts, and what organizations can do to prevent attack and the potentially disastrous outcomes. Recent examples of such attacks include the Slammer Worm infiltration of an Ohio nuclear plant and several power utilities, and a wireless attack on a sewage system in Australia.

“The results were a surprise to us because they indicate that industry has been focusing their security efforts in the wrong direction," says Eric Byres, BCIT researcher. "The real threat is coming from outside the organization, rather than from within, as most of us originally believed. The variety and complexity of the different attack vectors is also a big concern. We can’t just throw in a firewall and hope all our security problems will be solved. It is going to require a disciplined, multi-layer defense if we are going to get the security our critical infrastructures under control.”

The results of the study will be previewed October 5 at ISA Expo 2004 in Houston, and the full findings will be presented October 18 to 20 at the VDE Congress in Berlin, Germany.