Journal of Critical Infrastructure Policy
tinuous operation and distributed , multi-component architecture underpin the growth of cyber threats to SCADA systems ... they are exposed to a wide range of cyber threats also because of the standardization of communication protocols , growing interconnectivity and legacy ” ( Cherdantseva , 2016 ). The same can be said of plant Distributed Control Systems ( DCSs ) used in power plants , refineries , chemical plants , water treatment systems , etc . which is the rationale behind the Open Process Automation Initiative . 11
Perhaps the biggest hole in SCADA , DCS , and other control systems can be traced to connectivity to both internal business systems and external partners . 12 While business processes are made more efficient , the concentration of IT assets and streamlined networking of control system and IT processes leaves control systems vulnerable to viruses , denial of service attacks , and malicious software ( Lewis , Ted , 2020 ). It should also be noted that many legacy plant DCSs and SCADA systems may not be capable of running anti-virus or other cyber security programs .
Sample control system threat vectors are presented in Table 3 . Several threats may be implicated in a single attack and operating issues may be mistaken for unintentional events or equipment “ glitches .” For example , Level 1 devices such as temperature transmitters provide input to controllers and HMIs to reliably monitor and safely control a process . These sensors are common in turbine / generator systems to provide input about unstable or unsafe conditions or provide safety shutdowns . They are integral to equipment operation and cannot be bypassed . If the sensors are out of accepted operating limits whether accidentally or maliciously , a turbine or generator may be prevented from starting . The lack of generator availability could , and has , caused grid outages affecting large numbers of electricity consumers . 13
One window on the current scale and future potential of control system attacks can be found in control system cyber security surveys . For example , the Claroty assessment of 365 ICS vulnerabilities was published by the National Vulnerability Database ( NVD ). During the first half of 2020 , 53 venders received 139 ICS advisories issued by the Industrial Control Systems Cyber Emergency Response Team ( IC-CERT . 14 1H ICS vulnerabilities published by the NVD ( 2019 ) increased by 10.3 % from 331 , while ICS-CERT advisories increased by 32.4 % from 105 . More than 75 % of vulnerabilities were assigned high or critical Common Vulnerability Scoring System ( CVSS ) scores . According to the report , more than 70 %
12 IT can be backed up and restored , but process degradation can result in a physical mess that must be cleaned up . This results in a culture of greater risk taking in IT that would not be accepted by Engineers .
13 Texas PUC Docket-40368
120