Industrial control systems at great risk of cyber attacks
SAN FRANCISCO — Cyber security in the highly vulnerable information technology world is a function for which insurance underwriters look, but potentially severe outcomes should be considered when developing insurance coverage.
Cyber attacks on industrial control systems, which consist of automated equipment that monitors and controls industrial processes, have led to significant equipment damage, environmental devastation, business interruptions and deaths.
Industrial control system attacks are on the rise, but security is lax and exposes industrial businesses to all types of attacks, said Joe Weiss, Cupertino, California-based managing partner of Applied Control Solutions L.L.C.
Yet cyber alterations of industrial equipment are difficult to trace. A recent example of how altered software can go unnoticed for years is Volkswagen A.G. The automaker programmed software to allow autos to switch into test mode during emissions tests, then shut off and emit pollution as high as 40 times the U.S. legal limit.
“It is a whole lot worse than loss of data, when nobody even knows the programming logic has been changed,” Mr. Weiss said during Business Insurance's 2015 Cyber Risk Summit last month in San Francisco.
Approximately 11 million cars manufactured by Volkswagen were affected, dozens of class action lawsuits have been filed and the company CEO departed.
Industrial control systems that are used in the electric power, water, chemical, petroleum, pipeline, manufacturing and transportation industries are mostly unprotected from hackers. Many key components were programmed long before security was a concern, which means there is no security in many components.
“A hacker can gain access into any of these systems and cause a failure of catastrophic proportion,” Mr. Weiss said.
The risk grew when the task of maintaining, monitoring and testing equipment was replaced with automation. Those tasks are now being performed using internal components programmed with logic that can be manipulated, sometimes for malicious reasons, and go undetected for long periods, he said.
Adding to the risk is that there are few industrial control system security experts and most IT security experts don't know much about industrial systems. “The control system world is about reliability and IT can find vulnerabilities, but they can't translate what the vulnerability means to a pump or a part of the industrial process functionality,” he said.
Mr. Weiss cited the “Aurora vulnerability,” a 2007 Idaho National Lab experiment, as an example of what hackers could do to the mechanized infrastructures in industries, including electric power grids.
The experiment was conducted to show the vulnerability of control systems by demonstrating how much damage could be caused by hacking into a computer program of a diesel generator connected to a power grid. The circuit breakers of the diesel generator were repeatedly opened and closed quickly, resulting in the generator exploding and bringing the grid down for more than nine months. A hacker could easily gain access to the control system of any power generator and cause it to fail, potentially disrupting businesses for months, he said.
“An ICS cyber incident is electronic communications between systems that impact confidentiality, integrity, and/or availability. It doesn't have to be malicious or targeted,” Mr. Weiss said.
A 2010 San Bruno, California, pipeline explosion, which killed eight and cost Pacific Gas & Electric approximately $5 billion in fines and lawsuits, could have been averted with remote automated shutoff valves. “Malicious versus unintentional; in many cases, the only difference is the motivation of the person doing it, and there is no way to measure motivation,” he said.
“I agree with everything that Joe said. I believe our industry is unprepared,” said a member of the industry who asked not to be identified. “Our clients are looking to us to know this stuff, even though nobody does and everybody is confused and uncertain. The reality of it is, we, as an industry, just don't know.”