Skip to Content

Cybersecurity Risk High in Industrial Control Systems

Professionals in energy and other industries say design of control systems makes them vulnerable.
February 22, 2013

If you thought that concerns over the security of the physical infrastructure of the U.S. are overblown, consider what people in industry say. It’s not particularly encouraging, although there are signs that awareness of the issue is rising.

The SANS Institute, a security training company, this week released results of survey from professionals who work with SCADA and process control systems, which are used in utilities, healthcare, transportation, oil and gas, chemical production, among other industries. Concern is growing at the national level over the security of these control systems, which are increasingly linked to computers and networks.

Professionals in the field share that concern. Seventy percent of the nearly 700 respondents said they consider their SCADA systems to be at high or severe risk. One third of them suspect that they have been already been infiltrated. 

The main problem is that SCADA control systems are being connected to the Internet or mobile devices, exposing them to risk they were never designed to protect against. A utility worker may set up a wireless access point at a transformer to connect to the company network, for example. But without the right security in place, such as encryption, this sort of practice leaves this piece of grid infrastructure exposed, industry executives said during a presentation of the white paper.

In contrast to computer systems, SCADA and control systems, which can be in place for decades, were not built for frequent patching. Updating the firmware of a control system may require updating the entire firmware, rather than just a patch, and the equipment itself, which may control a water utility’s infrastructure for instance, typically can’t go offline for long periods.

The survey comes at a time of heightened awareness around cybersecurity in the U.S. Earlier this week, the White House released a white paper outlining strategies to combat the theft of intellectual property online.

Also this week, computer security company Mandiant caused a stir by saying that many attacks on U.S. companies originate in a building operated by the Chinese military. (See, Expose of Chinese Data Thieves Reveals Sloppy Tactics.) Meanwhile, a number of high-profile company, including Apple, the New York Times, and Twitter, have publicly talked about recent attempts to penetrate their networks. 

The SANS Institute survey found that industrial companies are also showing more willingness to disclose cyberattacks than a few years ago, which is generally considered good for raising awareness of cybercrime. The high-profile cases of Stuxnet and other malware aimed at critical infrastructure helped raised the visibility of the issue at the highest levels of business.

“The reality is that people are aware there is risk in that (control system) space,” Matthew Luallen, president of cybersecurity training company Cybati said during the presentation. “You don’t need to spend a lot of time convincing people.”

The survey showed that a malicious attack along the lines of Stuxnet or Flame is the top “threat vector” of concern. Close behind, though, are internal threats, external threats from hacking activists or nation states, and phishing scams.

The pieces of equipment that are of most concern from attacks are computers and network gear that connect to controllers of industrial systems.

One of the main recommendations of the White House cybersecurity plan is for industry share information to lower the overall risk. The SANS Institute’s paper says businesses should have layered controls, an architecture where security and monitoring are embedded into all levels of a network, rather than only the perimeter. Updating to more modern control systems will also improve security. 

Keep Reading

Most Popular

Large language models can do jaw-dropping things. But nobody knows exactly why.

And that's a problem. Figuring it out is one of the biggest scientific puzzles of our time and a crucial step towards controlling more powerful future models.

OpenAI teases an amazing new generative video model called Sora

The firm is sharing Sora with a small group of safety testers but the rest of us will have to wait to learn more.

Google’s Gemini is now in everything. Here’s how you can try it out.

Gmail, Docs, and more will now come with Gemini baked in. But Europeans will have to wait before they can download the app.

This baby with a head camera helped teach an AI how kids learn language

A neural network trained on the experiences of a single young child managed to learn one of the core components of language: how to match words to the objects they represent.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.