VANCOUVER, Oct. 4, 2004 - One of the first ever global reports into industrial cyber security, The Myths and Facts behind Cyber Security Risks for Industrial Control Systems, reveals a tenfold increase in successful cyber attacks on process and supervisory control and data acquisition (SCADA) systems since 2000. Many of the attacked systems were responsible for the operation of critical services such as electricity, petroleum production, nuclear power, water, transportation and communications. The report was produced jointly by security experts at the British Columbia Institute of Technology (BCIT) and PA Consulting Group (PA).

The report findings will shock many in the engineering and IT community. Process control and automation systems have traditionally been seen as immune to external attack, as systems were based on proprietary technologies and isolated from other IT systems. But the 10 reported cyber attacks in 2003 are likely to be just the tip of the iceberg, as few companies are willing to report such incidents for fear of attracting further attack or negative publicity. Industry estimates indicate that between 100 and 500 unreported industrial cyber attacks occur every year.

The study also highlights the significant safety, environmental, reputational and financial risks that organizations are running every day, by failing to adequately address the threat of cyber attack on their plants and factories. Of those organizations that put a figure on the impact of cyber attacks on their process control and automation systems, 50 per cent experienced financial losses of more than $1 million.

Analysis shows that the increase in successful industrial cyber attacks is the result of three factors:

- an increasing alignment of process control and corporate IT systems;

- the fact that corporate IT security measures often cannot be applied to process control systems;

- and increasingly powerful and malicious cyber threats, such as worms, viruses and hackers.

Research was based on data collated in the BCIT Industrial Security Incident Database, dating back to 1981. The sharp increase in cyber attacks since 2000 prompted a full study into the changing trends in industrial cyber security, the impacts, and what organizations can do to prevent attack and the potentially disastrous outcomes. Recent examples of such attacks include the Slammer Worm infiltration of an Ohio nuclear plant and several power utilities, and a wireless attack on a sewage system in Australia.

Said BCIT researcher Eric Byres, "The results were a surprise to us because they indicate that industry has been focusing their security efforts in the wrong direction. The real threat is coming from outside the organization, rather than from within, as most of us originally believed. The variety and complexity of the different attack vectors is also a big concern. We can't just throw in a firewall and hope all our security problems will be solved. It is going to require a disciplined, multi-layer defense if we are going to get the security our critical infrastructures under control."

Justin Lowe, PA Consultant, said, "All organizations that are reliant on process control and automation systems need to sit up and listen to the results of this study. Industrial cyber security incidents cannot be ignored - they are occurring more frequently, are more destructive and have serious business impacts. Organizations need to engage with both their engineering and IT employees, to undertake security risk assessments of all their control systems and ensure effective protection measures are deployed."

The results of the study will be previewed Oct. 5 at ISA Expo 2004 in Houston. ISA Expo 2004 is North America's annual event for automation and control professionals.

The full findings will be presented Oct. 18 to 20 at the VDE Congress in Berlin, Germany. The VDE Congress is the one of the key annual conferences of electrical engineers in Europe.

To obtain a copy of the report The Myths and Facts behind Cyber Security Risks for Industrial Control Systems or speak to the authors, contact Eric Byres (BCIT) or Stephanie Henderson (PA Consulting Group). For additional background information go to http://www.bcit.ca/news/releases/newsrelease100404349.shtml

Stephanie Henderson, Marketing, PA Consulting Group, 
123 Buckingham Palace Road, London, SW1W 9SR, 
Phone: +44 20 7312 4617, Fax: +44 20 7333 5116,
Email: stephanie.henderson@paconsulting.com

Eric Byres, P.Eng., Research Manager - 
Critical Infrastructure Security,
British Columbia Institute of Technology, 
3700 Willingdon Ave. Burnaby, B.C.
V5G 3H2, Phone: 604-453-4017, 
Cell: 604-816-0540, Fax: 604-436-0286, 
Email: eric_byres@bcit.ca