FRAMINGHAM, Mass. — It’s no state secret that industrial and automation control systems have a way to go before they’re resilient from targeted and sophisticated malware attacks.
That’s why earlier this month the International Society of Automation (ISA) announced that the ISA99 standards committee on Industrial Automation and Control Systems Security had formed a task group to conduct a gap analysis of the current ANSI (American National Standards Institute) ISA99 standards and modern threats against critical industrial systems, such as Stuxnet.
The ISA 99 standard is a foundation of Supervisory Control and Data Acquisition System (SCADA) security. “Over the next few years, these standards will become core international standards for protecting critical industrial infrastructures that directly impact human safety, health, and the environment; and, likely will be extended to other areas of application, even broader than those generically labeled SCADA. Based on this, it is essential that industrial companies following IEC 62443 standards know they will be able to stop the next Stuxnet,” the ISA wrote in its statement announcing the security task force.
“This report shows the details of the continuing threats to manufacturing and infrastructure security around the world. As the Stuxnet malware showed in 2010, the threat continues and has become even more complicated and mature,” John Cusimano, executive director of the Security Incidents Organization (SIO), said in a statement.
The threats may be growing more mature and complex, however experts say the vulnerabilities have been laying in wait for some time. “Stuxnet really didn’t change anything,” says Richard Stiennon, chief research analyst, IT-Harvest and author of the book “Surviving Cyberwar.”
“The vulnerabilities have all been there for awhile. Most SCADA networks are pretty wide open and are susceptible to attacks. Stuxnet did, however, open our eyes to what is possible now,” he says.
Many industry and critical manufacturing systems are open to not only Stuxnet-like attacks, but also trivial attacks. “Many of these systems are listening on open ports for broadcast messages. And, for example, if they get the right one, they’ll reset back to factory settings. There’s no authentication of signing processes in place,” he says. “So while it’s good to have standards, the real problem is why haven’t facilities been employing security 101 practices?” Stiennon asks.
George V. Hulme writes about security, technology, and business from his home in Minneapolis, Minnesota. You can also find him on Twitter as @georgevhulme.