In 2010, the clandestine world of cyber-attacks took aim at control systems. Siemens PLCs operating Iran's nuclear enrichment facility were attacked by sophisticated, state-sponsored malware whose main target was industrial espionage & sabotage. It was an abrupt awakening that viruses could now illicitly access the previous isolated world of industrial control systems, PLCs and SCADA networks.
So, the simple answer to the question, "Are industrial control systems secure?" is no. Insecure control systems and unqualified industrial IT networks put companies at financial risk.
Even worse, since PLC programming and DCS controllers are used in water treatment plants, oil & gas pipelines & power distribution, vulnerabilities in these control networks can put societies and public safety at risk.
In the past, SCADA & PLC systems were segregated from the corporate network and only trained operators and engineers had access. Security protocols weren't in-depth since the only way to break into the system was to be physically at the operating console.
Today, the control network is connected to the corporate network to allow business management software to access historical databases, to forecast maintenance trends and to monitor performance.
The once segregated control network is now an extension of the corporate network and critical control data shares bandwidth with enterprise data.
Even with the updated virus scanners & network firewalls, electronic attacks are now sophisticated enough to go undetected until havoc has been unleashed.
Security for SCADA & control systems is challenging for different reasons:
As the American National Standards Institute stated, "...the single biggest threat to cyber security is misunderstanding." As control systems engineers, our jobs, our companies and our society are relying on us to be knowledgeable and effective at industrial control system security.
Greg A. Lynch, P.Eng.