Environmental Engineering Reference
In-Depth Information
understand how control systems operated—and therefore how to hack into
them. Today, however, to reduce costs and improve performance, organiza-
tions have been transitioning from proprietary systems to less expensive, stan-
dardized technologies such as Microsoft's Windows and Unix-like operating
systems and the common networking protocols used by the Internet. These
widely used standardized technologies have commonly known vulnerabili-
ties, and sophisticated and effective exploitation tools are widely available and
relatively easy to use. As a consequence, both the number of people with the
knowledge to wage attacks and the number of systems subject to attack have
increased. Also, common communication protocols and the emerging use of
Extensible Markup Language (XML) can make it easier for a hacker to interpret
the content of communications among the components of a control system.
Control systems are often connected to other networks, as enterprises
often integrate their control systems with their enterprise networks. This
increased connectivity has significant advantages, including providing deci-
sion makers with access to real-time information and allowing engineers to
monitor and control the process control system from different points on the
enterprise network. In addition, the enterprise networks are often connected
to the networks of strategic partners and to the Internet. Further, control sys-
tems are increasingly using wide area networks and the Internet to transmit
data to their remote or local stations and individual devices. This conver-
gence of control networks with public and enterprise networks potentially
exposes the control systems to additional security vulnerabilities. Unless
appropriate security controls are deployed in the enterprise network and the
control system network, breaches in enterprise security can affect the opera-
tion of controls system. According to industry experts, the use of existing
security technologies, as well as strong user authentication and patch man-
agement practices, are generally not implemented in control systems because
control systems operate in real time, typically are not designed with cyber
security in mind, and usually have limited processing capabilities.
Existing security technologies such as authorization, authentication,
encryption, intrusion detection, and filtering of network traffic and com-
munications require more bandwidth, processing power, and memory than
control system components typically have. Because controller stations are
generally designed to do specific tasks, they use low-cost, resource-con-
strained microprocessors. In fact, some devices in the electrical industry still
use the Intel 8088 processor first introduced in 1978; consequently, it is diffi-
cult to install existing security technologies without seriously degrading the
performance of the control system.
Further, complex passwords and other strong password practices are
not always used to prevent unauthorized access to control systems, in part
because this could hinder a rapid response to safety procedures during an
emergency. As a result, according to experts, weak passwords that are easy to
guess, shared, and infrequently changed are reportedly common in control
systems, as well as the use of default passwords or even no password at all.
Search WWH ::




Custom Search