While many of you have probably read about the security breaches at Sony Pictures and Target, most likely you saw little coverage about hackers who caused massive physical damage to a steel mill in Germany. They manipulated and disrupted the systems that control the mill to such a degree that a blast furnace could not be properly shut down. And you probably missed the report that someone gained unauthorized access via the Internet to Russia’s Sochi arena’s heating and cooling system as well as its emergency response system. Luckily, the system was reconfigured in time for the start of the 2014 Winter Olympics and its opening ceremonies.
Industrial control systems monitor those critical, yet ordinary processes that run nearly every large operation. Manipulating them means hackers could, for example, turn off electricity, stop the flow of clean water, shut down transit systems, cause equipment damage in the millions of dollars, and even kill people.
A report issued earlier this month by the U.S. Department for Homeland Security says that in 2014 the Industrial Control Systems Cyber Emergency Response Team reacted to 245 such incidents. The energy sector reported the highest number of incidents with 79, followed by manufacturing at 65, and health care at15.
IEEE Senior Member Joseph Weiss, a cybersecurity expert, has been concerned about these types of attacks for years. In 2010, I wrote “The Cyberhacker’s Next Victim: Industrial Infrastructures” based on two IEEE online tutorials he authored about how to protect the systems: “Cyber Security of Substation Control Systems,” and “Cyber Security of Substation Control and Diagnostic Systems.” Weiss is the managing partner at Applied Control Solutions, in Cupertiono, Calif.
In response to The Institute’s March special report on cybersecurity, Weiss wrote, “The experts you have brought together are focused on security and privacy of IT. Unfortunately, that is only part of the cybersecurity landscape. There is still a significant gap in understanding about control system cybersecurity by the traditional IT security community. There have already been almost 400 control system cyberincidents but very few were identified as such. Once control systems go down, protecting credit card information will be the least of our worries.”
Weiss has recently given lectures on control system risk and control system cyberforensics at the International Atomic Energy Agency, the U.S. Air Force Institute of Technology, and Stanford University
In this recorded lecture at Stanford, he said: “The difference between the IT world and the control systems world is that IT is only worried about a malicious attack. In our world a nonintentional attack kills people. If you can do something unintentionally, you can do it worse intentionally. These systems were not meant to be used in the wrong way.”
‘“The offensive world thinks very differently than the defensive world,” Weiss noted. “It really makes it difficult on the defensive side to anticipate what these threats will be when we don’t think that way.”