Critical infrastructure assets like electricity generation plants, transportation systems, oil refineries and manufacturing plants are large, distributed complexes that are deemed essential by governments, in order for a fully-functioning economy and society.
The financial figures, in particular, give an idea of how expensive downtime can be. In the National Security Strategy and Strategic Defence Security Reviews, the UK government revealed how it has “prioritised the need to improve the security and resilience and resilience of the infrastructure most critical to keeping the country running against attack”, and this was down in part to the floods in 2007 which cost the economy over £4 billion via lost revenues, reputational damage and contractual penalties. The damage specifically to critical infrastructure was valued at around £674 million.
It's to no surprise then that these systems must retain maximum efficiency at all times, and this is something that requires continuous monitoring and control. Operational downtime cannot be tolerated and, as a result, technology changes are rare and planned well ahead of time.
Over the years, managing ICS and SCADA systems - a subset of systems (sometimes referred to as "industrial control systems") which are supervised and offer more plug-ins with third-party solutions - has been significantly easier than it is today; they were largely proprietary and isolated systems and operation managers worked on-site. They weren't connected to the corporate network or internet – mainly because there was no need, and the internet was not what it is today. Management rarely fell under IT control
But experts now say that these systems are increasingly connecting to more open and often public networks (such as the internet) in an attempt to streamline business, improve communication in the supply chain and to find new intelligence from two of the technology latest trends – Big Data and the Internet of Things. There's been a desire for engineers, in particular, to connect to such control systems remotely.
With new connections come new threats though, and specifically from cyber-criminals and other outside parties; research from Unisys and Ponemon Institute last month indicated that nearly 70 percent of companies responsible for world's water, power and other critical functions reported at least one security breach that led to the loss of confidential info or disruption operations in the last 12 months, while 64 percent anticipated one or more serious attacks in the coming year.
And yet despite this, and high-profile SCADA system attacks such as Stuxnet (a computer worm which damaged targeted industrial Programmable Logic Controllers, damaging Iranian nuclear centrifuges in 2010), Telvent (the SCADA system manufacturer allegedly hacked by the Chinese state sponsored actors in 2012) and the more recent Dragonfly/Energetic Bear campaign (which used the Havex malware family to target the energy sector), security still isn't getting prioritised. Only 28 percent said that security was ranked as a top five strategic priority for their organisation, and yet minimising downtime was a top priority for the majority of respondents.
“While the desire for security protection is apparent among these companies, not nearly enough is actually being done to secure our critical infrastructure against attacks,” said Dr Larry Ponemon, at the time.