Plant automation, IT dead center in cyber terrorism concerns

Until recently, it's been a truism—when it came to the subject of plant-floor security—that the greatest threat was internal, in the form of disgruntled employees or bona fide accidents. But according to researcher Eric Byres of British Columbia Institute of Technology, in the last several years, that's changed. Statistics he's compiled indicate today nearly 70 percent of incidents originate from external sources.

Don't think for a minute a firewall protects a company from sabotage. Intrusions today are more likely accomplished by means of dial-up modems, virtual private networks, or even someone bringing a diskette from home into the workplace.

Even then, the plant IT network and the business enterprise network often are thought to be separate. But all it takes is something as simple as a plant-floor engineer allowing an accountant real-time access to required plant-floor data, and the two no longer are. That means if the business enterprise can be accessed, the plant can be, too.

A final factor, discussed last month in an ISA Expo 2004 forum titled Automation systems, an Achilles heel to our critical infrastructure, was that while many plant systems are based on proprietary technology, commercial technologies are today more prevalent in industrial settings, making it easier for hackers to mount threats.

Larry Adams, a "controls resource" with ConocoPhillips Specialty Products, Bryan, Texas, says his company is aware of the dangers, adding that the newest technologies, "such as wireless PCs and Ethernet," exacerbate the challenge "because of holes in the technology."

All these concerns, and the times we live in, have heightened awareness within government to the very real risk of cyber attacks aimed at supervisory control and data acquisition (SCADA) systems. But as David Sanders of the Department of Homeland Security points out, for the foreseeable future, government efforts will focus on preventing the catastrophic events that can have serious economic consequences for the entire economy, not on protecting companies or individuals.

Nor can the government tell us how widespread these problems are, since victimized companies are reluctant to talk for fear they may subsequently be found liable. Legislation drafted to release honest companies in this regard was never enacted.

Nevertheless, two highly publicized incidents involving SCADA systems include the Slammer Worm infiltration of an Ohio nuclear plant, and a SCADA system implicated in a significant power outage in Canada.

Thus it's important that process industry manufacturers—like ConocoPhillips, which recently updated its control systems, in part to address security concerns—today know much more about the plant-floor security risk than they did even a few years ago, and, perhaps more important, thanks to efforts such as ISA's, they're learning what it is they don't yet know.