Abstract
Having explored the general nature of ICS and SCADA systems, it is time to take a broad look at threats to these systems, i.e., the causes of cyber incidents. An ISO standard (ISO27000 2014) for information and communication technology (ICT) defines threat as potential cause of an unwanted incident , which may result in harm to a system or organization. The former (ISO22399 2007) standard, which stems from the incident preparedness and operational continuity management domain, defines a threat as potential cause of an unwanted incident , which may result in harm to individuals, a system or organization, the environment or the community.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
A number of national definitions of critical infrastructure and vital societal services can be found on CIPedia(c) (2015).
- 2.
CERN operates the Large Hadron Collider (LHC) in Geneva, Switzerland where a high-energy beam with an energy equivalent to 85 kg of TNT is steered 10,000 times a second through a 3-mm hole in a 27-km wide circle. A complex set of ICSs steer this beam and monitors and controls many aspects of this unique and complex machine. The LHC is used to discover the Higgs particle and understand other building blocks of nature.
References
Abrams, M., & Weiss, J. (2008). Malicious control system cyber security attack case study—Maroochy water services Australia. Washington, DC: NIST. Retrieved November 8, 2015, from http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf.
Anderson, R., & Moore, T. (2006). The economics of information security. Science, 314(5799), 610–613. doi:10.1126/science.1130992.
Averill, B., & Luiijf, E. A. (2010). Canvassing the cyber security landscape: Why Energy companies need to pay attention. Journal on Energy Security, May 18. Retrieved November 8, 2015, from http://www.ensec.org/index.php?view=article&id=243%3Acanvassing-the-cyber-security-landscapewhy-energy-companies-need-to-pay-attention.
National Transportation Safety Board. (2010). Collision of two Washington metropolitan area transit authority metrorail trains near Fort Totten station, Washington, D.C., June 22, 2009. Washington, DC: NTSB. Retrieved November 8, 2015, from http://www.ntsb.gov/investigations/AccidentReports/Reports/RAR1002.pdf.
BSI. (2014). Requirements for network-connected industrial components v1.1.. Bad Godesberg, Germany: BSI. Retrieved November 8, 2015, from https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_downloads/techniker/hardware/BSI-CS_067E.pdf.
CIPedia(c). (2015, November 8). Critical infrastructure. Retrieved from CIPedia(c): http://www.cipedia.eu.
Computerwoche. (2008, February 2). Softwarepanne sorgt für Koffer-Chaos in London-Heathrow. Computerwoche. Retrieved November 8, 2015, from http://www.computerwoche.de/nachrichten/1856437/.
Dubowski, S. (2004, January 6). B.C. researchers urge improved industrial IT protection. BC, Canada. Retrieved November 8, 2015, from http://www.itworldcanada.com/article/b-c-researchers-urge-improved-industrial-it-protection/11622.
Duggan, D. P. (2005). Penetration testing of industrial control systems. Albuquerque, NM: Sandia National Laboratories. Retrieved November 8, 2015, from http://energy.sandia.gov/wp-content/gallery/uploads/sand_2005_2846p.pdf.
Espiner, T. (2010, July 20). Siemens warns Stuxnet targets of password risk. CNet. Retrieved November 8, 2015, from http://www.cnet.com/news/siemens-warns-stuxnet-targets-of-password-risk/.
Esposito, R. (2006, October 30). Hackers penetrate water system computers. ABC News. Retrieved November 8, 2015, from http://blogs.abcnews.com/theblotter/2006/10/hackers_penetra.html.
EWICS. (2015). European workshop on industrial computer systems reliability, safety and security. EWICS.org. Retrieved November 8, 2015, from http://www.ewics.org.
Farrell, N. (2009, October 1). Linux saves Aussie electrical grid. The Inquirer. Retrieved November 8, 2015, from http://www.theinquirer.net/inquirer/news/1556944/linux-saves-aussie-electricity.
FBI. (2009, June 30). Arlington security guard arrested on federal charges for hacking into hospital’s computer system. Dallas. Retrieved November 8, 2015, from http://dallas.fbi.gov/dojpressrel/pressrel09/dl063009.htm.
Finkle, J. (2013, January 16). Malicious virus shuttered power plant: DHS. Reuters. Retrieved November 8, 2015, from http://www.reuters.com/article/2013/01/16/us-cybersecurity-powerplants-idUSBRE90F1F720130116.
Kovacs, E. (2015, December 29). Trains Vulnerable to Hacker Attacks: Researchers, Securityweek. Fromhttp://www.securityweek.com/trains-vulnerable-hacker-attacks-researchers.
Fovino, I. N. (2014). SCADA system cyber security. In K. Markantonakis & K. Mayes (Eds.), Secure smart embedded devices, platforms and applications (pp. 451–471). New York, NY: Springer Science + Business Media. doi:10.1007/978-1-4614-7915-4_20.
Frontline. (2003, April 24). Interview: Joe Weiss. Retrieved November 8, 2015, from http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/interviews/weiss.html.
GAO. (2015). Federal facility security: DHS and GSA should address cyber risk to building and access control systems. Washington, DC: GAO. Retrieved November 8, 2015, from http://www.gao.gov/products/GAO-15-6.
Hrenchir, T. (2015, April 27). 3 million gallons of sewage leak into Kansas River after pump station power outage. The Topeka Capital Journal. Retrieved November 8, 2015, from http://cjonline.com/news/2015-04-27/3-million-gallons-sewage-leak-kansas-river-after-pump-station-power-outage.
Huitsing, P., Chandia, R., Papa, M., & Shenoi, S. (2008). Attack taxonomies for the Modbus protocols. International Journal on Critical Infrastructure Protection, 1, 37–44.
ICS-CERT. (2011). Advisory federal aviation administration GPS testing. Washington, DC: ICS-CERT. Retrieved November 8, 2015, from https://ics-cert.us-cert.gov/advisories/ICSA-11-025-01.
ICS-CERT. (2015). The industrial control systems cyber emergency response team (ICS-CERT). ICS-CERT. Retrieved November 8, 2015, from https://ics-cert.us-cert.gov/.
ICT Qatar. (2014). National ICS security standard version 3.0.. Doha, Qatar: Ministry of Information and Communications Technology. Retrieved November 8, 2015, from http://www.qcert.org/sites/default/files/public/documents/national_ics_security_standard_v.3_-_final.pdf.
Igure, V. M., Laughter, S. A., & Williams, R. D. (2006). Security issues in SCADA networks. Computers and Security, 25(3), 498–506. doi:10.1016/j.cose.2006.03.001.
ISA. (2015). IEC TR 62443-2-3:2015 patch management in the IACS environment. Geneva, Switzerland: IEC.
ISO22399. (2007). ISO/PAS 22399:2007 Societal security—Guideline for incident preparedness and operational continuity management (withdrawn in 2013). Geneva, Switzerland: ISO.
ISO27000. (2014). ISO/IEC 27000:2014 Information technology—Security techniques—Information security management systems—Overview and vocabulary. Geneva, Switzerland: ISO/IEC.
ISO27001. (2013). ISO/IEC 27001:2013 Information technology—Security techniques—Information security management systems—Requirements. Geneva, Switzerland: ISO/IEC.
ISO27002. (2013). ISO/IEC 27002:2013 Information technology—Security techniques—Code of practice for information security controls. Geneva, Switzerland: ISO/IEC.
Judmayer, A., Krammer, L., & Kastner, W. (2014). On the security of security extensions for IP-based KNX networks. Proceedings of the 10th IEEE International Workshop on Factory Communication Systems (WFCS 2014). Busan, Korea: IEEE. Retrieved November 8, 2015, from https://www.sba-research.org/wp-content/uploads/publications/judmayer_KNX_wfcs2014.pdf.
King, R. (2014, October 9). Sabotage investigation highlights poor network monitoring at utilities. Wall Street Journal. Retrieved November 8, 2015, from http://blogs.wsj.com/cio/2014/10/09/sabotage-investigation-highlights-poor-network-monitoring-at-utilities/.
Krebs. (2014, February 14). Target hackers broke in via HVAC company. KrebsonSecurity. Retrieved November 8, 2015, from http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/.
Lüders, S. (2005). Control systems under attack? 10th ICALEPCS International Conference on Accelerator & Large Experimental Physics Control Systems (pp. FR2.4–6O). Geneva: CERN. Retrieved November 8, 2015, from https://accelconf.web.cern.ch/accelconf/ica05/proceedings/pdf/O5_008.pdf.
Luiijf, E. (2013). Why are we so unconsciously insecure? International Journal of Critical Infrastructure Protection, 6, 179–181. doi:10.1016/j.ijcip.2013.10.003.
Luiijf, E. (2014). Are we in love with cyber insecurity? International Journal of Critical Infrastructure Protection, 7(3), 165–166. doi:10.1016/j.ijcip.2014.07.002.
Luiijf, H., & Lassche, R. (2006). SCADA (on)veiligheid, een rol voor de overheid? [in Dutch] (SCADA (in)security, a role for the Dutch government?). Den Haag: TNO/KEMA.
Luiijf, E., & Te Paske, B. J. (2015). Cyber security of industrial control systems. Den Haag: TNO. Retrieved November 8, 2015, from http://www.tno.nl/ICS-security.
McMillan, R. (2007, November 29). Insider charged with hacking California canal system: Ex-supervisor installed unauthorized software on SCADA system, indictment says. Computerworld. Retrieved November 8, 2015, from http://www.computerworld.com/article/2540235/disaster-recovery/insider-charged-with-hacking-california-canal-system.html.
Moore, T. (2010). The economics of cybersecurity: Principles and policy options. International Journal of Critical Infrastructure Protection, 3, 103–117. doi:10.1016/j.ijcip.2010.10.002.
MSB. (2014). Guide to increased security in industrial information and control systems. Sweden: Swedish Civil Contingencies Agency (MSB). Retrieved November 8, 2015, from https://www.msb.se/RibData/Filer/pdf/27473.pdf.
N.N. (2015, July 22). Never trust a subcontractor. Reddit.com. Retrieved November 8, 2015, from http://www.reddit.com/r/sysadmin/comments/3e3y8t/never_trust_a_subcontractor/.
Nicolas Falliere, L. O. (2011). W32.Stuxnet Dossier. Cupertino, CA, USA: Symantec. Retrieved November 8, 2015, from https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf.
Oosterink, M. (2012). Security of legacy process control systems: Moving towards secure process control systems (whitepaper). Den Haag: CPNI.NL. Retrieved November 8, 2015, from http://publications.tno.nl/publication/102819/5psRPC/oosterlink-2012-security.pdf.
Pauna, A., & Moulinos, K. (2013). Window of exposure… a real problem for SCADA systems? Heraklion, Greece: ENISA. Retrieved November 8, 2015, from http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/scada-industrial-control-systems/window-of-exposure-a-real-problem-for-scada-systems.
Potter, W. C. (1997, Augustus 20). Less well known cases of nuclear terrorism and nuclear diversion in Russia. NTI. Retrieved November 8, 2015, from http://www.nti.org/analysis/articles/less-well-known-cases-nuclear-terrorism-and-nuclear-diversion-russia/.
Radvanosky, R., & Brodsky, J. (2014, October 1). Project Shine (SHodan INtelligence Extraction) Findings Report. USA. Retrieved November 8, 2015, from http://www.slideshare.net/BobRadvanovsky/project-shine-findings-report-dated-1oct2014.
Reaves, B., & Morris, T. (2012). Analysis and mitigation of vulnerabilities in short-range wireless communications for industrial control systems. International Journal of Critical Infrastructure Protection, 5(3-4), 154–174. doi:10.1016/j.ijcip.2012.10.001.
Russel, J. (2015). A brief history of SCADA/EMS. Scadahistory.com. Retrieved November 8, 2015, from http://scadahistory.com/.
SCADAhacker.com. (2015). Metasploit modules for SCADA-related vulnerabilities. Retrieved November 8, 2015, from https://scadahacker.com/resources/msf-scada.html.
Shayto, R., Porter, B., Chandia, R., Papa, M., & Shenoi, S. (2008). Assessing the integrity of field devices in Modbus networks. In M. Papa, & S. Shenoi (Eds.), Critical infrastructure protection II (Vol. 290, pp. 115–128). The International Federation for Information Processing. Retrieved November 8, 2015, from http://link.springer.com/chapter/10.1007%2F978-0-387-88523-0_9.
Shodan. (2015). Shodan. Retrieved November 8, 2015, from http://www.shodanhq.com/.
Smith, T. (2001, October 31). Hacker jailed for revenge sewage attacks: Job rejection caused a bit of a stink. The A Register. Retrieved November 8, 2015, from http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/.
Sonnenreich, W., Albanese, J., & Stout, B. (2006). Return on security investment (ROSI)—A practical approach. Australian Computer Society Inc. Retrieved November 8, 2015, from https://www.acs.org.au/__data/assets/pdf_file/0003/15393/JRPIT38.1.45.pdf.
Stouffler, K., Pilliteri, V., Lightman, S., Abrams, M., & Hahn, A. (2015). NIST special publication 800-82 rev 2: Guide to industrial control systems (ICS) security. Washington, DC: NIST. doi:10.6028/NIST.SP.800-82r2.
Tofino Security. (2012). White paper v1.1: Analysis of the 3S CoDeSys security vulnerabilities for industrial. Tofino Security. Retrieved November 8, 2015, from http://www.isssource.com/wp-content/uploads/2012/12/120612Analysis-of-3S-CoDeSys-Security-Vulnerabilities-1.1.pdf.
Vallance, C. (2012, March 8). Sentinel project research reveals UK GPS jammer use. BBC. Retrieved November 8, 2015, from http://www.bbc.com/news/technology-17119768.
Verton, D. (2003, August 29). Blaster worm linked to severity of blackout. Computerworld. Retrieved November 8, 2015, from http://www.computerworld.com/s/article/84510/Blaster_worm_linked_to_severity_of_blackout.
Vijayan, J. (2009, March 18). IT contractor indicted for sabotaging offshore rig management system. Computerworld. Retrieved November 8, 2015, from http://www.computerworld.com/article/2531775/security0/it-contractor-indicted-for-sabotaging-offshore-rig-management-system.html.
Waterschappen, U. V. (2013). Baseline Informatiebeveiliging Waterschappen [Information security baseline for water boards]. Den Haag, Netherlands: Unie van Waterschappen. Retrieved November 8, 2015, from http://www.uvw.nl/wp-content/uploads/2013/10/Baseline-Informatiebeveiliging-waterschappen-2013.pdf.
WBPF.com. (2009, Augustus 25). Employees fired after reporting security breach: Former lake worth utilities employees fear breach could've caused statewide blackout. West Palm Beach, USA. Retrieved November 8, 2015, from http://www.wpbf.com/Employees-Fired-After-Reporting-Security-Breach/5096936.
Weiss, J. (2009, July 21). Securing the modern electric grid from physical and cyber attacks. Statement for the Record, July 21, 2009 Hearing before the Subcommittee on Emerging. Washington, DC, USA. Retrieved November 8, 2015, from http://chsdemocrats.house.gov/SiteDocuments/20090722115326-92965.pdf.
Wells, L. (2011, January 12). Fired employee allegedly shuts off Fairfield's gas. The Carmi Times. Retrieved November 8, 2015, from http://www.carmitimes.com/area_news/x1314139206/Fired-employee-allegedly-shuts-off-Fairfields-gas.
World Economic Forum. (2014). Risk and responsibility in a hyperconnected world (WEF principles). Geneva, Switzerland: WEF. Retrieved November 8, 2015, from http://www3.weforum.org/docs/WEF_IT_PathwaysToGlobalCyberResilience_Report_2012.pdf.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Luiijf, E. (2016). Threats in Industrial Control Systems. In: Colbert, E., Kott, A. (eds) Cyber-security of SCADA and Other Industrial Control Systems. Advances in Information Security, vol 66. Springer, Cham. https://doi.org/10.1007/978-3-319-32125-7_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-32125-7_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-32123-3
Online ISBN: 978-3-319-32125-7
eBook Packages: Computer ScienceComputer Science (R0)