Looking at Past Industrial Cybersecurity Attacks & Ways to Protect Against Future Threats

In February 2014, the Obama Administration published the Framework for Improving Critical Infrastructure Cybersecurity with the aim of providing a “how-to” guide for cybersecurity critical infrastructure in the modern age. In the years leading up to the release of this framework, there were a number of high-profile cyber incidents on industrial automation and control systems (IACS) or IACS-based organizations, including:

• An Olympic Oil pipeline in Bellingham, Wash., ruptured spilling over 230,000 gallons of gasoline and killing three people. One of the key causes was poor cyber-management of the IACS.
• Maroochy Water Services in Queeensland, Australia was deliberately attacked by a disgruntled former contractor, causing millions of gallons of raw sewage to be released into the environment (2000).
• The Davis-Besse Nuclear Power Station in Oak Harbor, Ohio lost its safety monitoring for five hours when the internal network was infected by the Slammer worm (2003).
• Iran’s uranium enrichment facility in Natanz was severely disrupted and potentially set back several years due to a deliberate attack by the Stuxnet worm (2010).
• Saudi Aramco was forced to shut down its internal network for more than a week after 30,000 of its computers became infected with the Shamoon virus (2012).

Steve Mustard, a team member of the ISA99 Security Standards Committee and Automation Federation’s Government Relations Committee, says that despite these well-publicized attacks, many industrial organizations have been slow to take the necessary steps to protect themselves from the cyber threats they face.

To help industry in this regard, the ISA provides an extensive range of training courses that are designed for professionals involved in IT and IACS security roles, including a certificate program for ISA99/IEC62443 standards. The ISA is also developing a course focused specifically on the Cybersecurity Framework.

Mustard says many cyber attacks can be avoided by the application of some basic or intermediate security controls, such as:

• Good personnel security, including enforcement of proper access control, strong passwords, and remote access;
• Securing computer equipment and enforcement of policies, such as use of removable media;
• Securing the computer network, including the use of appropriate segregation of equipment and the use of firewalls and other security devices.

While cyber attacks can happen within minutes, they are generally not detected immediately. One of the main goals of the Cybersecurity Framework is to provide companies with clear guidance on the controls to implement so attacks can be either prevented or, at a minimum, detected and resolved in a timely manner.

Jake Mastroianni is the managing editor of Flow Control magazine. He can be reached at [email protected]. Follow Jake on Google+.