- Posted by fedco
- On January 4, 2015
- control system security, it security
Have we ever heard of an attack targeting a big company that used an email attachment plus virus/trojan injection as the attack vector? How aware are our employees of the cyber security threats that wait every single second to launch their attack once we let our defenses slip? This kind of attack vector is common, but imagine the impact on the target side, and imagine the incident that may happen if the attack continues into our control system. By the time we realize that we have made a mistake through unaware behavior in our daily activities on the internet, it is too late, and it becomes a nightmare for the organization once it has been attacked. Sooner or later the attack will be acknowledged, but its impact still remains for some time (financial exposure, personal consideration, system development for fixing the crash, etc.).
What we can learn from the above is that even a big company still has holes that an unauthorized person can use to gain an advantage and do something worse to the target. The data held on a corporate computing system usually includes something confidential and restricted in distribution.
Now let’s see how an IT security breach correlates with plant automation control system integrity. We can assume that the targeted corporation has critical control system infrastructure across the country, and that some of these systems are already integrated into the corporate IT backbone for monitoring and reporting purposes. Unaware personnel, either at the corporate level (financial department, controllers department, high-level management, etc.) or at the control system level (engineer, technician, plant operator), can be one of the targets of the attack vector. Once the attack is inside the corporate computer system, whether via virus injection, trojan attack, malware-infected removable media, etc., it can be used as designed by the attacker to explore the targeted system, which is the control system. One of the most popular examples of a security breach in a control system environment is Stuxnet. It attacked an Iranian nuclear plant and made some stealthy changes to specific parameters related to the centrifugal frequency drive.
Cyber security education and a skills approach for all critical personnel within the corporation should be one of the organization's priorities. People need to know how to act and react if some “suspected” unintended/intended material arrives at their desk, such as an email with a link to an unknown/known website, a file attachment that looks interesting enough to open, etc.
If the attack vector successfully takes advantage of an unaware worker who opens a link that triggers nightmare malware, it is just like bypassing all the security guards that the corporation has put in place. Just imagine the example of the Trojan horse: when Sparta believed the gift from Troy, Sparta took the horse statue inside their fort, and we already know what happened next.
Cyber security awareness is one of the important things to have, regardless of our corporation and position. Nowadays, there is no single company that has no access to the internet.
It is still better to prevent a security incident than to fix it. But some people just see security in the plant automation control system as optional rather than a priority. “Seeing is believing” is not a good approach in this case, since we cannot accept the impact of a security incident once it has already happened. The good approach is to believe in the risk and consequences of the security threats and vulnerabilities in our environment, and to strategize and implement a prevention and mitigation plan as the best feasible effort, in line with the criticality of the object being protected and the financial power that supports the action.
In the end, there is no 100% secure IT and plant automation control environment; there will be a hole to be explored someday. The hacker only needs to find one single hole to use as the attack vector, while the target needs to consider and protect against all of the possible security holes in its environment.
This is an IT era, where nobody can avoid being exposed to IT, unless we live in a remote area with a traditional way of life far away from modernity.