Industry association aims to bolster SCADA security

Industrial and automation control systems have a way to go before they're resilient against targeted and sophisticated malware attacks

It's no state secret that industrial and automation control systems have a way to go before they're resilient against targeted and sophisticated malware attacks. Just last week the International Society of Automation (ISA) announced that the ISA99 standards committee on Industrial Automation and Control Systems Security had formed a task group to conduct a gap analysis of the current ANSI (American National Standards Institute) ISA99 standards and modern threats against critical industrial systems, such as Stuxnet.

The ISA 99 standard provides guidance to control system operators on security technologies and how well they work (or don't) at mitigating the risks associated with certain threats and vulnerabilities. The intent of this gap analysis is to determine whether organizations that are following ISA 99 would have been able to fend off a Stuxnet-like attack and to identify any improvements the standard may need. A technical report is expected by mid-year 2011.

The ISA 99 standard is a foundation of Supervisory Control and Data Acquisition System (SCADA) security. "Over the next few years, these standards will become core international standards for protecting critical industrial infrastructures that directly impact human safety, health, and the environment; and, likely will be extended to other areas of application, even broader than those generically labeled SCADA. Based on this, it is essential that industrial companies following IEC 62443 standards know they will be able to stop the next Stuxnet," the ISA wrote in its statement announcing the security task force.

The news of the ISA 99 gap analysis came the same day the Security Incidents Organization released its 2011 report, "Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems Resulting from Malware Infections."

"This report shows the details of the continuing threats to manufacturing and infrastructure security around the world. As the Stuxnet malware showed in 2010, the threat continues and has become even more complicated and mature," John Cusimano, executive director of the Security Incidents Organization (SIO), said in a statement.

The threats may be growing more mature and complex, but experts say the vulnerabilities have been lying in wait for some time. "Stuxnet really didn't change anything," says Richard Stiennon, chief research analyst, IT-Harvest and author of the book "Surviving Cyberwar."

"The vulnerabilities have all been there for a while. Most SCADA networks are pretty wide open and are susceptible to attacks. Stuxnet did, however, open our eyes to what is possible now," he says.

Many industry and critical manufacturing systems are open to not only Stuxnet-like attacks, but also trivial attacks. "Many of these systems are listening on open ports for broadcast messages. And, for example, if they get the right one, they'll reset back to factory settings. There's no authentication of signing processes in place," he says. "So while it's good to have standards, the real problem is why haven't facilities been employing security 101 practices?" Stiennon asks.

George V. Hulme writes about security, technology, and business from his home in Minneapolis, Minnesota. You can also find him on Twitter as @georgevhulme.
