by Liza Penarroyo
October is National Cyber Security Awareness Month. The Department of Homeland Security recommends that individuals and businesses rethink their strategies for staying secure in a digital world, one that is both increasingly interconnected and dominated by “smart” devices. Organizations big and small are reviewing their cybersecurity policies and making sure their employees are equipped to identify and avoid the phishing scams that can lead to devastating cyberattacks on their websites and eCommerce systems.
For process facilities in industrial, utility, and manufacturing organizations, the nature of cyberthreats and cybersecurity is a little different — and the stakes are even higher — because a cyberattack on one of these organizations can threaten the infrastructures that global economies, the environment, and international communities depend on.
Cyberattacks on the rise
In case anyone still doubts the need for attention to cybersecurity, consider this: Between 2006 and 2012, the number of cybersecurity incidents federal agencies reported to the United States Computer Emergency Readiness Team (CERT) increased by a whopping 782%.
The nature and sophistication of the attacks have also changed: Proportionally, most attacks are aimed at water and energy resources, with chemical and nuclear facilities and government-related processes targeted as well.
For example, Iran’s nuclear power plant was the target of the December 2010 Stuxnet attack. In Poland, in January 2008, the public tram system in Lodz was hacked remotely by a 14-year-old boy who turned it into his own personal train set — derailing four of the trams and injuring 12 people.
Clearly, the motives behind such strategic attacks can range widely — including anything from a personal grievance to monetary gain, an attempt to achieve a competitive advantage, or the desire for social prestige. Of course, there are powerful “hacktivist” groups such as Anonymous that coordinate cyberattacks to make a political point.
Where are cyberattacks focused?
Historically, most cyberattacks have targeted industrial control systems, such as distributed control systems (DCS), programmable logic controllers (PLC), supervisory control and data acquisition (SCADA) systems, and human machine interfaces (HMI). With so many possible motives for these attacks and potential targets, however, no process facility is completely safe.
Organizations seeking to secure their industrial environments effectively face several challenges:
- The open, collaborative nature of the industrial workplace leaves it exposed to cyberthreats.
- End users are often unaware of or unconcerned about the cybersecurity measures they need to take.
- More industrial environments are making use of commercial off-the-shelf IT solutions, rather than custom software solutions, leaving them more vulnerable to malware attacks.
- Inadequately skilled personnel are another issue.
That’s a lot of challenges, but it’s still possible and, of course, necessary to take action against cyberthreats.
Because cybersecurity risks threaten industrial production, plant personnel, assets, and so much more, it’s important to be prepared through:
- Continuous employment of best practices, from the most basic password management to changeover management
- Thoughtful design and implementation of well-secured controls and proper network segmentation from the very beginning of process design
- User education to ensure that employees are well aware of cybersecurity best practices and willing to follow them
Cyber Security Awareness Month is the perfect time to review process systems and the network overall to make sure cyber criminals have as little chance of success as possible.