Computer Crime Research Center


Cyber security breaches threaten, 2006 forecasts

Date: December 24, 2005
By: Bob Felton

Cyber security breaches threaten, smarter factories and processes emerge, consulting business booms, and engineering talent base shrinks.

Engineers who began their careers 25 or more years ago have witnessed, benefited from, and contributed mightily to the greatest technological leap forward in history. And the wonders will continue during the coming year. But those engineers who tracked into management may scarcely notice them, spending the year feeling, instead, as if they're tip-toeing through a clutch of just-hatched rattlesnakes.

Automation industry executives place worldwide growth in 2005 in the neighborhood of 5%, a substantial improvement over the past several years, and expect to see similar overall growth in 2006. Yet they note significant disparities among market sectors and geographical regions and are carefully watching several worrisome trends.

From the kitchen table to the neighborhood merchant, from corporate boardrooms to the White House cabinet room, the cost of energy is the ever-present concern. Have the world's economies and industries at last grown so interdependent that—as when the failure of an obscure, overextended state bank triggered cascading failures that launched the Great Depression—a business failure here, or storm there, or terrorist attack elsewhere, might be felt worldwide?

"High energy prices will eventually put a damper on world economies," said Emerson Process Management President John Berra. He added he doesn't think it's inevitable, and the worry shouldn't be overblown. "I'm optimistic about the next two-to-three years."

Consulting thrives on energy cost hikes

Industry's response to the problem of increasing energy costs has been a boon to automation firms. In the U.S., Emerson Process Management and Honeywell are enjoying rapid growth of their consulting services and a nice uptick in product sales, as companies search for ways to squeeze more profit from their existing industrial infrastructure, turning to tactics that range from improved instrumentation to intelligent, finely tuned controls and information management systems that make the decades-old dream of instantaneous plant-floor-to-boardroom communication a near reality.

Both companies have found consulting is the most rapidly growing part of their North American business, with clients seeking everything from analyses of current operations and recommendations for retrofitting, to resident plant-engineering services. And both companies anticipate their consulting services will grow in importance, displacing or overtaking traditional integrators.

Smaller, more mobile factories

Further, plant upgrades and new capacity are designed to run more cheaply and efficiently than ever. The era of "lights-out manufacturing" envisioned by the early proponents of robotics is quietly becoming a reality. A 2003 article in The Wall Street Journal reported, "The future of manufacturing for me is doing it whenever possible with no labor at all," said Pete Evans, the fourth generation in his family to head its 73-year-old business. By expanding lights-out manufacturing, he expected to double output in the coming two years without adding to his 49-person workforce.

Though streamlining, upgrading, and increasing efficiencies is the industrial trend in the mature economies, new industrial capacity is growing rapidly in the emerging economies, with construction of new factories underway throughout China, India, the Middle East, western Africa, and South America.

The model for next-generation plant capacity is also undergoing significant changes. "Factories are going to become smaller," and more mobile, too, said industry observer and founder of San Diego-based Action Instruments Jim Pinto. "When there's no more gold, or no more coal, or whatever resource you're using, you don't need the factory to be there. So you disassemble it and move it."

Students snub science

Engineers will probably be more mobile, too, as students outside the developing nations turn their backs on careers in science and engineering. South African municipalities are currently unable to fill 40-45% of their technician and engineering positions, said Alison Lawless, a former president of the South African Institute of Civil Engineering.

American executives remain worried. Honeywell President Jack Bolick said there are areas worldwide, but especially in North America, where it's difficult to locate the engineering talent he needs. "What I'm finding is that engineers don't want to go into refining, or power, or semiconductors anymore. They want to go into nanotechnology or genetic engineering." The company is responding by consulting with retirees and codifying their knowledge in their software products, adding laid-off engineers to their own consulting staff, and contemplating a day when management of remote systems and some types of maintenance are done over the Internet.

Watching the decline in engineering enrollments, Emerson is cultivating relationships with universities worldwide and sponsoring work-study programs. "In the long run, availability of engineering talent is going to be a global issue," Berra said.

Cyber security remains vulnerable

The electronic security of manufacturing systems has already become a global issue, with more than 100 documented instances of cyber events that affected, or could have affected, process control. And because few companies willingly disclose breaches of security, experts believe the actual number is much higher.

* In Australia, a disgruntled contractor remotely arranged the release of one million liters of raw sewage into adjoining waterways.
* In Tempe, Ariz., an intruder gained access to the Salt River Project system, disrupting delivery of power and water to utility customers and stealing account information, including financial data.
* Iranian hackers entered Israel Electric Corp.'s controls in 2003 and repeatedly attempted to disrupt that nation's power supply.
* Hackers disabled vital PLCs during the Venezuelan general strike of 2002, closing that country's main port.

Most of the attacks against industrial controls prior to 2001 were committed by insiders, said Eric Byres of the British Columbia Institute of Technology. Then, he said, the preponderance of attacks started to come from the outside. Presently, 80-90% of attacks from the outside are opportunistic—the work of someone who finds the site by happenstance—and the remainder are targeted at a specific facility (for industrial espionage, for instance). Organized crime has moved into computer crime in a big way, setting up high-tech sweatshops in undeveloped nations where legions of cheap, skilled computerheads troll cyberspace looking for easily penetrated systems.

"We're still in the Wild West of Internet security," said Byres, and the complexity of manufacturing software systems, with their many portholes, makes them especially vulnerable to somebody who wants a look inside.

Most hackers, once in, will simply go looking for financial data that can be stolen, packaged, and sold. But attackers who know what they are doing can, and have, seized control of the HMI console.

Byres said the majority of manufacturing systems remain vulnerable. "We're quite immature in this field," he said, adding that effective system security must be embedded into corporate culture, like safety. "This isn't a diet," he said. "It's a lifestyle change."

ISA released the latest draft of its proposed electronic security standard, ISA-99.00.01, Manufacturing and Control Systems Security, in October 2005. Ambitious in scope, it aims to address manufacturing and control systems whose compromise could result in any or all of the following situations:

* Endangerment of public or employee safety
* Loss of public confidence
* Violation of regulatory requirements
* Loss of proprietary or confidential information
* Economic loss
* Impact on national security

The concept of manufacturing and control systems electronic security is applied in the broadest possible sense, encompassing all types of plants, facilities, and systems in all industries. Manufacturing and control systems include, but are not limited to:

* Hardware and software systems such as DCS, PLC, SCADA, networked electronic sensing, and monitoring and diagnostic systems
* Associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes

The standard is expected to include four parts; the first two are slated for release in mid-2006. Few experts worry about the garish scenarios proposed a few years ago in which cyber terrorists actually modified plant operations and caused defects to be built into products, but there is widespread agreement that tactical strikes against vital public infrastructure prior to physical attacks are a possibility or even a likelihood.

Since 11 September 2001, the critical link between cyberspace and physical space has been increasingly recognized. Critical infrastructures face an increasing threat of cyber attacks in addition to physical attacks. In July 2002, NIPC reported that the potential for compound cyber and physical attacks, referred to as "swarming attacks," is an emerging threat to critical infrastructures. The effects of a swarming attack, according to NIPC, include slowing or complicating the response to a...