The cybersecurity of industrial automation systems

Featured in Sectra Newsletter, April 2021

Industrial automation systems are a key component of critical infrastructure: they are used to monitor and control, for example, the distribution of electricity and water. Automation systems based on different standards have been implemented for decades, long before the global networking that began in the 1990s. One of the oldest standards for automation systems is SCADA (supervisory control and data acquisition), which is still in use. SCADA systems have traditionally been physically separated from other networks because they were controlled and monitored from the system control room and there was no need for remote connections.

Physical isolation has been an effective way to control security, but it has also had negative effects on the security of systems. Old automation systems have not been updated at the same pace as other IT systems, and obsolete versions of software and operating systems are widely used. Versions of Windows XP and 7, for which security updates have been unavailable for years, are still widely used as part of older automation systems. In addition, over the years, the systems have been hard-coded with default passwords, and management of operations has not been designed for possible denial-of-service attacks.

Connecting systems to the Internet

Automation systems are being connected to the public network and traditional IT systems. In this context, the term IT/OT often occurs, which refers to the combination of traditional IT systems and industrial automation (OT = Operational Technology). The reason for connecting systems to the Internet is the need to use the systems remotely, as well as the need for real-time operation where controlled and monitored devices communicate directly with each other. When a closed system is connected to the Internet or other IT infrastructure, it is exposed to the same security risks as other IT systems. In newer automation systems, security has been taken into account, but the security of older systems as such is not at a level where connecting to the Internet would be risk-free.



The number of cyber attacks is growing

There have been surprisingly few successful attacks on automation systems considering their poor security and the considerable impact that an attacker can achieve. Perhaps the most famous attack on automation systems dates back ten years, when the Stuxnet worm was spread to an Iranian uranium enrichment plant through a USB memory stick and was eventually able to dismantle the centrifuges used for enrichment.

Since then, the world has experienced numerous serious attacks on automation systems, such as the NotPetya malware in 2017. Ukraine was the main target of the Russian NotPetya malware; however, it also spread effectively to the rest of the world, halting the Danish shipping company Maersk and causing more than 1 billion euros in financial damage globally. One of the more recent serious attacks is the paralysis of the electricity distribution network in Mumbai, India, by a group of Chinese hackers. According to the ICS CERT, the U.S. organization for the cyber security of automation systems, there are a few hundred serious cyber attacks on automation systems each year, and the number is growing.

In Finland, for example, only one successful cyber attack on automation systems has been recorded. In 2015, the heating system of an apartment building in Lappeenranta collapsed as a result of a denial-of-service attack. In this case, it was a distributed denial-of-service (DDoS) attack whose target was outside Finland, and the equipment of the condominium was used as part of the attack. The heating system equipment could not withstand the drastically increased load on the network, and the heating system stopped working.


Why is critical infrastructure an interesting target?

Critical infrastructure attacks are often part of the hybrid operations of other states, as well as an experiment on infrastructure: how a target responds to an attack and how quickly it is able to restore vital functions. Much of the critical infrastructure, such as energy production and transport, is based on the use of industrial automation systems. The role of automation systems in maintaining national defense capabilities is significant, and protecting them even in the event of a military conflict is important.

Critical infrastructure is also of increasing interest to cybercriminals, who aim to profit financially in the form of ransoms demanded in a ransomware attack. Determining the culprit behind attacks on critical infrastructure is increasingly difficult. The objective may be state hybrid operations, financial gain of criminals, or industrial espionage by competitors. In most cases, the profit seeker does not carry out the cyber attack but uses a third party instead.

The safety of automation systems is being actively improved. According to an American study, critical infrastructure operators invest most in improving user management, logging, and encryption of telecommunications connections. Isolation of automation networks from the public network by means of a new generation of firewalls, as well as physical isolation, are also popular methods. New systems are built with security features that do not need to be fixed later on. Backup methods have also been further developed: the distribution of electricity or water is not entirely dependent on information systems, but operations can also be controlled manually.

Key takeaways

  • Automation systems are often used to operate and monitor critical infrastructure. Older automation systems suffer from a number of cybersecurity issues that are laborious to fix.
  • Automation systems are being connected to the Internet, exposing them to the same cyber threats as other IT systems. Automation systems are attractive targets for cyber attacks due to their poor protection and substantial repercussions.
  • Industrial automation systems are also the target of hybrid operations. State actors are testing the operation of the systems and their ability to return to normal.
  • In the future, automation systems will be exposed to more targeted, complex and better developed attacks. Automation systems are of increasing interest to cybercriminals.
