Industrial Control Systems as Weapons
January 27, 2020 | Robert Bergman
In a recent Dark Reading feature, Kelly Higgins Jackson describes how cyber threats to aging industrial operational technology have advanced from simple malware vulnerabilities and a lack of security controls to the potential use of the control systems themselves as weapons.
She cites a recent PAS Global analysis of 10,000 of its customers’ ICS systems. It found numerous ways in which malicious attackers could weaponize automation systems at power, oil & gas, chemical and other critical infrastructure systems. PAS, of course, did not detail any of its customer systems, but Dale Peterson, CEO of Digital Bond, gave her some examples of how an attacker might weaponize a control system:
- Manipulating output characteristics, for example, manipulating flow rate of air or gas in a valve
- Manipulating HMI graphics configurations to allow access to the administrative control of the entire DCS network
- Manipulating HTML to inject code that can contain flow control settings
- Scrambling calculations of the flow indicator and the flow controller on the CPU
- Accessing hard-coded system engineer username and password and using it to enter other systems
To address these issues, PAS Chief Operating Officer Mark Carrigan suggested interventions such as improving configuration management on the most critical systems and assets and implementing passive network monitoring that can catch anomalous traffic. While such configuration management and passive monitoring can certainly be of help, they do involve purchase, installation and maintenance costs.
Such costs should be weighed against upgrading controls to automation technology in which cyber security protection is already built in. For companies that are already planning to modernize their controls, specifying built-in cyber security at purchase should be a no-brainer. This is especially true for Bedrock OSA controls, which include protection that makes it all but impossible for attackers to weaponize controls, at no additional cost, in very competitively priced and high-performing PLC, RTU, DCS and power supply solutions.
For more information about how to separate truly built-in cyber security from products that just claim it, see Built-in Cyber Security vs. Built-in Cyber Security.