• ISA student section develops video on the dangers of cyberattack

    Amid the increasing risks of industrial cyberattack and mounting calls for a new generation of cybersecurity professionals, a group of automation and control students in Oklahoma has made it clear they’re aware of some of the key challenges and want to do something to address them.

    The students—members of the ISA student section at the Francis Tuttle Technology Center in Oklahoma City, Oklahoma—have developed a video designed to raise awareness of the need to better protect industrial control networks and systems from potentially destructive cyber-viruses. 

    The video, posted on YouTube, depicts how easy it is for a common and seemingly innocuous USB flash drive to infect and debilitate a modern industrial automation control network.

    “It’s impressive that these students have taken the initiative to develop this video, which highlights the real and present danger that exists when a portable media device is introduced into a control system,” says Leo Staples, a long-time ISA leader and former ISA president who serves on the Francis Tuttle Technical Advisory Committee and as a mentor to students at the school. In his profession, Staples possesses more than 36 years of experience in the electric power industry; he currently serves as Senior Manager of Utility Operational Compliance at Oklahoma Gas & Electric.

    Overhead view of I&C learning lab at Francis Tuttle Technology Center
    Overhead view of the instrumentation and control learning lab at Francis Tuttle Technology Center

    “The video tells a valuable story because it drives home the fact that the risk to industrial controls and automation systems is far greater from human beings than it is from physical and cybersecurity threats,” Staples says. “It’s also positive knowing that a greater number of students are learning about cybersecurity. There is no doubt that the next generation of automation professionals, including technicians, technologists, and engineers, must be more informed about cybersecurity and the role it plays in keeping industrial controls and automation systems safe.”

    The initial impetus for the video was provided by Matthew Maynard, instrumentation and control (I&C) instructor at Francis Tuttle who is an ISA District 8 vice president-elect and a member of ISA’s Greater Oklahoma Section.

    “At an ISA geographic assembly meeting, interest was expressed in developing some type of educational resource about cybersecurity and I volunteered to assist,” says Maynard. “The students here really took the project on and made it a reality.”

    Starring in the video are students at Francis Tuttle enrolled in the I&C certificate program within the school’s Advanced Manufacturing Department. They’re also members of the school’s ISA student section. The Francis Tuttle Technology Center is a public career and technology education center affiliated with the state of Oklahoma Department of Career and Technology Education that serves high school students as well as adults with career-specific training.

    “For all of us who participated in the video, we’re enjoying all the attention the video has received,” says Daniel Baker, an I&C student at Francis Tuttle who also directed and edited the video. “If we knew it was going to be so popular, we would have spent a lot more time on it. It was put together really quickly.”

    Baker, who was recently re-elected as webmaster within the school’s ISA student section, says “once we were told of the need for the video, we really went with it, putting together a script on the fly and assigning parts to play. “

    For Baker and his classmates, meeting the requirements of Francis Tuttle’s I&C certificate program is a worthy goal. The school reports that more than 96 percent of students who complete the program are placed in jobs, most as measurement or instrumentation technicians.

    “Given that the oil and gas industry is really strong here in Oklahoma, the prospect is bright for those who have proven I&C skills,” says Maynard, the school’s I&C instructor.

    The danger of using USB devices is real

    The risks of infecting an industrial control network through USB storage devices are real, experts point out.  They’re so small and inexpensive, they’re literally everywhere. Because they are so popular, chances are great they’ll get lost or stolen or be used to spread malicious programs. In fact, cyber criminals are starting to write viruses and worms that specifically target them. 

    In another article featured in this month’s issue of ISA Insights, Steve Mustard, an ISA subject-matter expert on industrial cybersecurity, emphasized that USB devices will continue to pose serious threats to industrial networks and control systems for the foreseeable future.

    “While most standards recommend the elimination of USB removable media devices and that all ports be locked down, this is rarely the case,” Mustard reports. “Since machines are usually not connected to the Internet, removable media is often the only way to transfer files. And while IT policies might enforce virus scanning of such devices before and after use, this often does not get enforced in IACS environments. I heard recently anecdotally that a major oil and gas company detected the Stuxnet virus on its networks, and was found to have originated from an infected USB drive.”