Industrial operating systems hold hidden cyber risksReprints
SAN FRANCISCO — Cyber risk is seen as largely information technology specific, but an industry expert says that shortchanges cyber attacks on industrial control systems.
ICS are used throughout the mechanized infrastructures of electric power, water, chemicals, petroleum, pipelines, manufacturing, transportation and other industries that have transitioned from manual processes. Robots and other automation programs, or firmware, can be manipulated from outside the organization, sometimes with malicious intent.
“Trying to control a process to operate at its optimal level — when that went from manual to automated is where cyber risk crept in,” Joe Weiss, managing partner, Applied Control Solutions L.L.C., said Monday at the Business Insurance 2015 Cyber Risk Summit in San Francisco. He expressed concern that companies are not seeing the potential risk or not doing enough to defend against it.
“There is a disconnect between the ICS and IT security worlds,” he said. “… ICS has incidents where there is no Internet or Windows involved. … IT can't kill people; these systems can and have.”
There have been 700 ICS cyber incidents worldwide “leading to $20 billion in losses” and more than 1,000 deaths, most not identified as cyber related, according to Mr. Weiss.
And 1 million ICS devices across all industries are connected to the Internet. And still, Mr. Weiss points out, there's not much ICS-specific cyber security technologies, training or policies.
Vendors build back doors into their equipment to aid in maintenance, he said. This creates a potential for attack that is going largely unaddressed.
He cited Volkswagen A.G.'s recent incident as an example of how ICS changes can go unnoticed. Volkswagen had changed the emissions monitoring firmware in the programmable logic controllers in its new vehicles, but then switched the programming to use the older emission standards.
“It's (this incident) not stealing money, it's not killing people, but it may have destroyed Volkswagen's diesel line,” Mr. Weiss said.
Mr. Weiss recommends risk managers pay the same attention to ICS cyber security as to IT security, noting that executive leadership is not prioritizing ICS cyber security and existing cyber forensics and training are not adequate for ICS cyber incidents.
During the session, he said that in the past, insurers gave companies a break on premiums if they had reliability centered maintenance programs in place to identify equipment as broken.
“It's the insurance industry that can help drive these risks to be more secure, if they mandate more care,” he said. “It's your dollars at risk — and these are hundreds of billions of dollars.”