Trends in security incidents in the SCADA and process industries: a summary — Part 1

Historically, critical infrastructures and manufacturing processes have been monitored and controlled using industrial control and SCADA systems that have operated in isolated environments. These control systems rarely shared information with outside systems, and were typically composed of proprietary hardware and software components designed specifically for control operations.

Due to the generally isolated nature of infrastructure and processing systems, their security was thought to be a trivial problem that could be managed through the use of either traditional IT security efforts or internal safety processes.

Today, with greater business reporting requirements, and with the move towards having access to real-time business information from any location, these previously standalone control systems are now being connected to systems not directly related to process control and monitoring. While rarely directly connected to the internet, studies show that in a typical corporation, 80 to 90% of all control networks are now connected to the enterprise network, which in turn is interconnected to the internet in myriad ways.

Furthermore, in an effort to reduce costs and improve performance, both control system vendors and owners have been transitioning from proprietary technologies to the less expensive technologies prevalent in the IT world, such as ethernet, TCP/IP, and Microsoft Windows. Unfortunately, many of these popular applications, protocols and operating systems have a significant number of widely known vulnerabilities, with new ones being reported every day.

Even the flaws in SCADA specific technologies have become general knowledge — detailed presentations on how to exploit SCADA vulnerabilities have been given at public security conferences.

As more components of control systems become interconnected with the outside world, the probability and impact of a cyberattack will heighten. In fact, there is increasing concern among both government officials and control systems experts about potential cyberthreats to the control systems that govern critical infrastructures. What has been lacking is good historical data to either back up or dismiss this concern.

The Industrial Security Incident Database

In 2001, two researchers at British Columbia Institute of Technology (BCIT), Eric Byres and David Leversage, founded the Industrial Security Incident Database (ISID). ISID is intended to serve as an industry-wide repository for collecting, analysing and sharing high-value information regarding cybersecurity incidents that directly affect SCADA, manufacturing and process control systems. The ISID provides a historical representation of industrial cybersecurity incidents.

Incidents are obtained from either organisations voluntarily submitting an ISID reporting form to ISID investigators or from ISID staff harvesting reports from public sources such as the internet, discussions at SCADA/industrial cybersecurity conferences and relevant industrial publications. Examples of the latter include the Slammer Worm infiltration of an Ohio nuclear plant and several power utilities^{1, 2} and the wireless attack on a sewage SCADA system in Queensland, Australia.³

The surge since 2001

The change in the number of security incidents against SCADA and control systems is shown in Figure 1(a), which graphs the frequency distribution of incident event dates. There are 14 categories of years ranging from 1982, the earliest incident event date in the database, to June 2006.

Figure 1: Incident events by date from 1982 to 1 June 2006: (a) Graphed as a frequency distribution; (b) Charted as a percentage (105 records)

The earliest incident recorded in ISID occurred in 1982, but these early incidents were sporadic, and the period of continuous annual incidents didn’t begin until 1994. It can be seen that there is a striking increase in the annual incident rate starting in late 2001. As Figure 1(b) indicates, even though the four and one-half year period from 2002 to June 2006 represents less than 20% of the total time scale, it contains almost 75% of reported incidents. As it turns out, there is a tendency for companies to report incidents long after they have actually occurred. Thus, if more incidents had occurred prior to 2002, we would still expect to see a few of them being submitted as late as 2006. Since this is not happening, it appears that sometime between 2001 and 2002 there was a significant shift in incident occurrence rates.

Also, it might appear that there is a now a marked decrease in the frequency of cyberattacks against the SCADA and process control industry as compared to the 2003/2004 period. However, the time lag between the occurrence of an incident and when it is logged into the database (a mean delay of 13 months) is likely masking the true incident rates for 2005 and 2006. For example, in early 2005 only 10 incidents had been reported for 2004 and 15 for 2003; a year later that number had climbed to 23 and 29 respectively. Thus, with eight incidents currently reported for 2005, the ISID researchers have assumed that by 2007 the incident numbers for 2005 will be of the same magnitude as 2003 and 2004. Figure 2 shows their predicted incident rates from 1994 to 2005 along with a moving average trend line.

Figure 2: Actual and predicted ISID incidents from 1994 to 2005

It also appears that whilst events have increased significantly since 2001, the rate appears to have levelled off in the past few years and may actually have decreased slightly in 2005/2006. It is likely that the trends in the critical infrastructure industries are following similar trends found in the overall IT world, where cyberattacks on a wide scale are occurring less frequently, and smaller, stealthier attacks at specific targets are on the increase. As IT networks are becoming increasingly more secure, it is anticipated that many of these attacks will target the most vulnerable access point within a company or organisation, which could easily be the SCADA or process control system.

Tip of the iceberg

Operators of traditional business crime reporting databases indicate that the typical incident database collects no better than one tenth of the actual events occurring. In 2003, 29 incidents were collected and 23 in 2004, so the ISID researchers believe that it is likely that industry is currently experiencing at least 200 incidents per year. However, this number is probably several orders of magnitude low, due to the fact that of the 197 companies listed in the Fortune 500 with significant manufacturing or critical infrastructure operations, only 14 currently report to ISID and several of these are sporadic in their reporting. Thus it is probable that 2000 to 3000 industrial cybersecurity incidents are occurring per year to Fortune 500 companies alone. This is also consistent with past research that found reports of security breaches can adversely affect a firm’s share price, and so many companies have a policy of not reporting them.

Finally, the companies that do report to ISID tend to be on the leading edge of industrial cybersecurity preparedness and thus are likely experiencing lower incident rates as compared to the other companies. If nothing else, one conclusion we can draw from these statistics is that there is an ongoing security incident problem, and it may be more widespread than most control systems professionals believe.

Threat sources have moved outside

The ISID data was analysed for incident type to get an idea of the threat sources. Figure 3(a) shows the breakdown of 27 incidents between the years 1982 and 2001. Accidents, inappropriate employee activity and disgruntled employees accounted for 74% of the problems, indicating that most of the threat, malicious or otherwise, was coming from within the company boundaries.

The ISID study team then produced the same graph for 78 incidents during the period 2002 to 2006, as shown in Figure 3(b). In this time period, externally generated incidents account for 60% of all events, indicating a significant change in threat source.

Figure 3: (a) Incident types charted as a percentage from 1982 to 2001 (27 records); (b) Incident types charted as a percentage from 2002 to 1 June 2006 (78 records)

This was also seen in the general IT industry. For example, the researchers quote a Deloitte & Touche research report:

“Deloitte & Touche’s 2003 Global Security Survey, examining 80 Fortune 500 financial companies, finds that 90% of security breaches originate from outside the company, rather than from rogue employees. ‘For as many years as I can remember, internal attacks have always been higher than external,’ said Simon Owen, Deloitte & Touche partner responsible for technology risk in financial services. ‘60 to 70 per cent used to be internally sourced. But most attacks are now coming from external forces and that’s a marked change.’“⁴

Although there is no definite answer as to why this dramatic change took place in late 2001, there are a few possible explanations. First, the move to integrated business networks and an increase in the use of COTS technologies like ethernet and TCP/IP have meant the previous isolation of processing and control systems has broken down.

Second, the emergence of automated non-email worm attacks, starting with Code Red in July 2001, has meant that many of the intrusions have become non-directed and automated, and the control system may have become just a target of opportunity. Since control systems rarely use or allow simple mail transfer protocol (SMTP) traffic, earlier malware that used email as a vector were unlikely to penetrate the plant floor. On the other hand, protocols such as remote procedure call (RPC) and structured query language (SQL) are ubiquitous in control environments, allowing the worms using these attack vectors easy access — 78% of attacks after 2001 (Figure 4) were the result of common viruses, Trojan horses or worms. Three worms (Slammer, Blaster and Sasser) accounted for over 50% of the incidents and these utilise the SQL Server Resolution Service (UDP Port 1443), the RPC Service (TCP Port 135) and the Microsoft-DS service (TCP port 445) respectively, to propagate to new victims.

The majority of these worm events occurred months or years after the worm was widely known in the IT world and patches were available and proven for control systems. This indicates to us a lapse in security policy rather than technology. If attack trends in the financial and IT sectors are any indication, total attacks in the next few years may decrease slightly in volume, but are likely to increase significantly in severity, malicious intent and associated negative consequences. The ISID researchers also believe that attacks will be more specifically focused and, when successful against a SCADA or process control network, potentially far more damaging than in previous years.

Figure 4: The percent total of each external incident type category, 2002 to 2006

It is also interesting to note that 9% of all external incidents from 2002 to 2006 were the result of deliberate sabotage, as shown in Figure 4. This would seem to indicate that directed attacks are more prevalent than one might expect.

Summary of incident trend rates

The overall trend data collected in the ISID, while limited in scope, appears to indicate two primary developments since the start of the millennium. First, the number of incidents affecting SCADA and control systems started to increase dramatically sometime in late 2001. This jump occurred within a short window of under six months. Second, this overall increase has now reached a plateau and has levelled out somewhere just below 2003 levels, a trend consistent with observations in the IT world. But whilst attacks may decrease slightly in volume, they are likely to be more targeted and increase significantly in severity, malicious intent and associated negative consequences.

In Part 2

In Part 2 of this article, we will look at the common attack vectors discovered by the BCIT study and conclude with some advice on an overall approach to mitigating risk from cyberthreats to SCADA, manufacturing and process systems.

*Glenn Johnson is the Editor of What’s New in Process Technology and has previously worked as an IT security consultant.

This article is based on, and is a summary of, a white paper titled ‘Security Incidents and Trends in the SCADA and Process Industries — A statistical review of the Industrial Security Incident Database (ISID)’, prepared by Eric Byres, David Leversage and Nate Kube, for Symantec Corporation, 2007.

Footnotes:

1. NRC Information Notice 2003-14: Potential Vulnerability of Plant Computer Network to Worm Infection, United States Nuclear Regulatory Commission, Washington DC, 29 August 2003.
2. SQL Slammer Worm Lessons Learned For Consideration By The Electricity Sector, North American Electric Reliability Council, Princeton NJ, 20 June 2003.
3. R vs Boden [2002], QCA 164-Appeal against Conviction and Sentence, Supreme Court of Queensland, May 10, 2002.
4. Nash E, Hackers bigger threat than rogue staff, VNU Publications, 15 May 2003, www.vnunet.com/News/1140907.