Breaches that result in the theft of millions of pieces of personal data get big headlines, such as those involving retailers, hospitals and government agencies.
But attacks on industrial control systems — sometimes called SCADA systems — are quietly increasing as well, according to a new survey by the SANS Institute. According to the report, one-third of 314 respondents who actively maintain, operate or provide consulting services to facilities maintaining ICS systems said their organization’s control system had been breached. Of those, 17 per cent acknowledged six or more breaches had occurred so far this year, up from nine per cent in all of 2014. Another 11.3 per cent said this year they had suffered between six and 10 breaches, while 3.8 per cent thought they could have been breached up to 50 times.
Of those who acknowledged a breach, 32 per cent couldn’t put a number on how many incidents had occurred.
Forty-nine per cent said they weren’t aware of an ICS breach or infection, while another 12 per cent were certain they hadn’t been breached.
Internet-connected industrial control systems can be found in a wide range of factories, utilities, municipal and defence systems.
“Both the degree of uncertainty and the rising number of known incidents are red flags calling for the dedication of greater resources to monitoring, detecting and analyzing anomalous activity in control system networks,” says the report. “Breaches of security that do not disrupt normal operations may still be detected, if trained and knowledgeable personnel armed with the requisite tools look for such breaches. The success of advanced persistent threats (APTs) depends on their operating at a sufficiently slow pace or below a level of network or system noise so as not to be noticed.
“Rapid detection is key because the longer breaches remain unknown, the greater the potential impact.”
Almost 20 per cent of respondents who’d been successfully attacked said systems were breached for at least 24 hours before the breach was discovered, and 20 per cent reported that they could not determine how long the infiltration had been going on. Another 20 per cent said breaches weren’t detected for more than a week, and 15 per cent reported not knowing about the infiltration for more than a month.
The report also found it worrying that only 20 per cent of respondents stated that qualification of security technologies by their ICS equipment vendors is mandatory, considering what it says is the critical nature of Site Acceptance Testing (SAT) of industrial control system components. Even more concerning, it added, is that 25 per cent of respondents said it is only moderately important or not important. And 10 per cent didn’t know how important it is to validate new security tools before introducing them into control systems. Most respondents (65 per cent) said vendor qualification of security technologies and solutions is either highly important or mandatory.