Number of security incidents continues to increase


May 26, 2010

The number of control system security incidents, especially in water/wastewater, rose sharply in 2009, according to a report from the Security Incidents Organization (SIO). The "2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems" is an analysis of all incidents recorded up to Dec. 31, 2009, in the Repository of Industrial Security Incidents (RISI), an industry-wide database for collecting, analyzing and sharing high-value information regarding cybersecurity incidents that directly affect SCADA, manufacturing and process control systems.

The analysis was conducted to determine where and when the 175 confirmed incidents have occurred. A significant shift has been observed in the incident rates by industry over the past five years. RISI has observed an overall decline in the incident rate in the petroleum and chemical industries (more than 80%), but an increase in the incident rate in the water/wastewater (more than 300%) and the power/utilities industries (30%).

Despite a decline in recent years, the vast majority of control system cybersecurity incidents (almost 50%) reported by RISI have been caused by malware, including viruses, worms and trojans.

However, incidents involving unauthorized access or sabotage perpetrated by internal sources, such as a disgruntled former employee or an independent contractor who uses inside knowledge or access privileges to cause disruption or harm to the company, are up considerably in the same time-period comparison. Also on the rise are incidents where network anomalies induced failures in control system equipment.

According to the RISI database, incidents were rare in the 1980s and into the late '90s, until the number of annual incidents climbed from two to eight over the span of 1996-2001.

The number skyrocketed to 30 in 2003, and then the number of recorded incidents gradually declined back to seven in '07 before climbing to 10 in '08 and then jumping to 18 in '09.

"The spike around 2003 was primarily due to two major malware attacks in that timeframe that made their ways into industrial control systems," explained John Cusimano, managing director at Security Incidents Organization.

"The Slammer worm was particularly successful in infiltrating control systems, as it was built on Microsoft SQL, which is used in process historians as well as other database-driven applications. Also prevalent in that timeframe was the Sobig worm/trojan."

The primary cause attributed to the decline of recorded incidents in the mid-2000s was a lull in tracking during a transition in ownership of the database, said Cusimano.

Prior to 2006, the database was operated by a university as a research project and then went idle for a few years before transitioning to private ownership and then to not-for-profit Security Incidents, where it is today, explained Cusimano.