Imagine you are a facility manager and hear about a new cyber intrusion. You might call an emergency meeting to create a mitigation plan for this threat, but is this the correct action? Does this threat pose a real risk? Let’s examine the dynamics involved with this question. The first is the difference between the world of Information Technology (IT) and industrial automation.
Information Technology versus Automation Networking
In the IT world, users need access to external information, including web sites, email, etc. To mitigate cyber attacks, IT professionals therefore rely on software integrity rather than on restricting access to external information.
An automation network is just the opposite because it generates most, if not all, the data it needs to operate. There is much less reliance on external information. Thus, restrictions can be imposed to minimize access to external information.
This can lead to an interesting phenomenon. These restrictions may protect a utility from component vulnerability even before it is discovered. Therefore, even if a vulnerability report is issued, it does not mean that a utility is at imminent risk.
Of course, this does not alleviate a manufacturer from addressing any identified vulnerability. It just means that device vulnerabilities may not equate to control system vulnerabilities.
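The distinction above, a device vulnerability that is not necessarily a control system vulnerability, can be made concrete with a reachability check. The following is an added example, not code from the article: it models a deny-by-default automation network policy beside a permissive IT-style one and asks, for a constructed advisory on a PLC port, whether any outside source can actually reach that port under each policy. All addresses, rule sets and the advisory are constructed; the only external fact used is that TCP port 502 is the standard Modbus/TCP port.

```python
"""Added example (not from the article): a deny-by-default reachability check.

A device vulnerability on a given port is a control-system risk only if some
source outside the allowed set can actually reach that port.  All addresses,
rule sets and the advisory below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One allow rule: traffic from src network to dst network on port."""
    src: str   # CIDR of permitted sources
    dst: str   # CIDR of permitted destinations
    port: int  # TCP port on the destination


# Constructed automation-network policy: only the SCADA host may reach the
# PLC subnet, and only on the protocol port it needs (502 = Modbus/TCP).
# Everything not listed is denied.
AUTOMATION_POLICY = [
    Rule("10.10.1.5/32", "10.10.2.0/24", 502),
]

# Constructed IT-style policy for contrast: any source may reach the subnet.
PERMISSIVE_POLICY = [
    Rule("0.0.0.0/0", "10.10.2.0/24", 502),
]


def is_allowed(policy, src_ip, dst_ip, port):
    """Return True if any allow rule permits src_ip -> dst_ip:port."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return any(
        src in ipaddress.ip_network(r.src)
        and dst in ipaddress.ip_network(r.dst)
        and r.port == port
        for r in policy
    )


def triage_advisory(policy, device_ip, vuln_port, candidate_sources):
    """Decide whether a device vulnerability is exposed under the policy.

    candidate_sources lists addresses traffic might originate from
    (constructed below: an Internet host and an office workstation).
    The device still needs the vendor fix either way; this only answers
    whether the current restrictions leave the vulnerable port reachable.
    """
    reachable_from = [
        s for s in candidate_sources
        if is_allowed(policy, s, device_ip, vuln_port)
    ]
    return {
        "device": device_ip,
        "port": vuln_port,
        "exposed": bool(reachable_from),
        "reachable_from": reachable_from,
        "action": ("patch now, port reachable" if reachable_from
                   else "schedule vendor fix, not reachable under current policy"),
    }


if __name__ == "__main__":
    # Constructed sources: an Internet host and an office PC on the IT network.
    sources = ["203.0.113.10", "10.20.0.44"]
    print(triage_advisory(AUTOMATION_POLICY, "10.10.2.20", 502, sources))
    print(triage_advisory(PERMISSIVE_POLICY, "10.10.2.20", 502, sources))
```

Under the automation policy the advisory is real for the device but not exposed to either outside source, which is the situation the article describes; under the permissive policy the same advisory is immediately exposed. The check is deliberately narrow: it evaluates only the allow rules, so a rule set that is bypassed by a misconfigured host or a second network path would need to be reflected in the policy list for the answer to hold.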
System threats fall into two categories: malicious and non-malicious. Let’s look at malicious threats first.
Most systems use computers running supervisory control and data acquisition (SCADA) software. These are connected to various automation devices. While the SCADA computers utilize mainstream operating systems, the automation devices probably do not. Most cyber-intrusive code exploits weaknesses in mainstream operating systems; therefore, most trojans, viruses, botnets, etc. are not designed to penetrate beyond the SCADA computer.