Computer hackers are increasingly targeting industrial control systems — including those at nuclear power stations, utilities and transport infrastructure — says a report that promises to “shock many in the engineering and IT community.”

The study by security experts at the British Columbia Institute of Technology and PA Consulting Group says there has been a 10-fold increase since 2000 in successful cyber attacks on process and supervisory control and data acquisition systems.

“Many of the attacked systems were responsible for the operation of critical services,” BCIT and PA say.

Recent assaults include a Slammer Worm infiltration of an Ohio nuclear plant and a wireless insurgency at a sewage system in Australia.

Process control and automation systems have been widely regarded as immune to external attack because they were based on proprietary technologies and were isolated from other information technology systems.

“But the 10 reported cyber attacks in 2003 are likely to be just the tip of the iceberg, as few companies are willing to report such incidents for fear of attracting further attack or negative publicity,” the study found.

“Industry estimates indicate that between 100 and 500 unreported industrial cyber attacks occur every year.”

The increase in cyber assaults on industrial systems is attributed to an increasing alignment of process control and corporate IT systems, the fact that corporate IT security measures often cannot be applied to process control systems, and “increasingly powerful and malicious” worms, viruses and hackers.

“The results were a surprise to us because they indicate that industry has been focusing their security efforts in the wrong direction,” says BCIT researcher Eric Byres.

“The real threat is coming from outside the organization rather than from within, as most of us originally believed. The variety and complexity of the different attack vectors is also a big concern. We can’t just throw in a firewall and hope all our security problems will be solved.”

Process control and automation systems have been widely regarded as immune to external attack because they were based on proprietary technologies and were isolated from other information technology systems.

“But the 10 reported cyber attacks in 2003 are likely to be just the tip of the iceberg, as few companies are willing to report such incidents for fear of attracting further attack or negative publicity,” the study found.

“Industry estimates indicate that between 100 and 500 unreported industrial cyber attacks occur every year.”

The increase in cyber assaults on industrial systems is attributed to an increasing alignment of process control and corporate IT systems, the fact that corporate IT security measures often cannot be applied to process control systems, and “increasingly powerful and malicious” worms, viruses and hackers.

“The results were a surprise to us because they indicate that industry has been focusing their security efforts in the wrong direction,” says BCIT researcher Eric Byres.

“The real threat is coming from outside the organization rather than from within, as most of us originally believed.”

© The Vancouver Sun 2004