06 October 2004

New angle to cyberthreats

By Nicholas Sheble

Industrial cybersecurity expert Eric Byres catalyzed a panel of government and private industry cybernetworking and critical infrastructure specialists Tuesday at "Automation Systems—An Achilles' Heel to Our Critical Infrastructure" at the ISA EXPO at Reliant Center in Houston.

No longer are attacks on industrial computer control systems coming from internal sources.

Outside hackers and terrorists concern everyone, and the difference between the two is merely a matter of goals, though clearly one is far more deadly, Byres said.

Joining Byres for the forum were Dave Sanders of the U.S. Department of Homeland Security, Dave Scheulen of British Petroleum (BP), Elizabeth Rhodenizer of Public Safety and Emergency Preparedness Canada (PSEPC), and Karl Williams of the U.K.'s National Infrastructure Security Co-Ordination Center (NISCC).

Byres, research faculty, critical infrastructure security at the British Columbia Institute of Technology (BCIT), introduced research numbers that he and Justin Lowe, principal consultant at PA Consulting Group in London, gathered.

Their breakdown of 13 incidents of industrial intrusion between the years 1982 and 2000 shows that incidents were almost evenly split between accidental, internal, and external sources, with only 31% of the events being generated from outside the company. Accidents, inappropriate employee activity, and disgruntled employees accounted for most of the problems.

These statistics correlate well with the numbers being expressed by security researchers in the traditional information technology (IT) world at that time. For example, one statistic was widely quoted in 2001: "A study by the FBI and the Computer Security Institute on Cybercrime, released in 2000, found that 71% of security breaches were carried out by insiders."

They then analyzed the same events for the 2001 to 2003 period. Externally generated incidents account for 70% of all events, indicating a change in threat source.

"This finding was a big surprise to me and my team," Byres said.

Interestingly, the IT world appears to be experiencing the same shift. For example, Byres quoted a report from Deloitte & Touche:

"Deloitte & Touche's 2003 Global Security Survey, examining 80 Fortune 500 financial companies, finds that 90% of security breaches originate from outside the company, rather than from rogue employees. For as many years as I can remember, internal attacks have always been higher than external," said Simon Owen, Deloitte & Touche partner responsible for technology risk in financial services. "Sixty to 70% used to be internally sourced. But most attacks are now coming from external forces, and that's a marked change."

Why did the threat source change so significantly in such a short period of time?

Byres and Lowe said they have no definite answers, but there are a few possibilities to explain the impact on industrial control systems. First, the emergence of automated worm attacks, starting with Code Red on 19 July 2001, has meant that many of the intrusions have become non-directed and automated. The control system has become just a target of opportunity rather than a target of choice.

Second, Lowe and Byres said, common operating systems (e.g., Windows 2000 or Linux) and applications (e.g., SQL Server) now dominate the Human Machine Interface (HMI), engineering workstation, and data historian systems. These often come configured for business requirements rather than for the control environment, and are vulnerable to a wide variety of common IT attacks and viruses. The difficulty of applying patches to these critical systems exacerbates the problem.

Finally, the increasing interconnection of critical systems has created interdependencies that users haven't been aware of in the past. As the Slammer incident documented by the North American Electric Reliability Council illustrates, Internet incidents can indirectly affect a system that doesn't use the Internet at all. In this case the power utility used frame relay for its SCADA network, believing it to be secure. Unfortunately, the frame relay provider utilized a common Asynchronous Transfer Mode (ATM) system throughout its network backbone for a variety of its services, including commercial Internet traffic and the SCADA frame relay traffic. The worm overwhelmed the ATM bandwidth, blocking SCADA traffic to substations.

"Regardless of the reasons, the threat sources are moving from internal to external, and this needs to be taken into consideration in the risk assessment process. Determining the actual perpetrators and their probability of attack is currently beyond the ability of the incident database, but security risk analysts are advised to look at governmental studies of threats to critical infrastructure to obtain some possible threat estimates. A good starting place is the NISCC report, 'The Electronic Attack Threat to Supervisory Control and Data Acquisition (SCADA) Control & Automation Systems.'"