Vital control systems used by the energy, water, and transportation sectors are ill-prepared to cope with online terrorism and hacking threats, the EU’s cyber security agency has warned, blaming patchy and inconsistent testing for what could be an infrastructure disaster. Industrial Control Systems (ICS) are “often outdated,” ENISA points out, and despite an expected lifespan of 20 years or more, they do not incorporate the sort of security features essential to withstand cyber-terrorism attacks.
“They are not prepared to deal with current threats,” ENISA concludes, before setting out a list of recommendations for the Europe-wide testing processes it suggests are now essential. The guidelines address “poor planning, lack of information, security configurations, as well as with the incorporation of both well-known and new, undiscovered or yet unpatched ‘zero-day’ vulnerabilities into ICS/SCADA systems,” the agency says.
For instance, ENISA argues that Europe now needs a standardized testing body that would take responsibility for a program of “harmonized” analysis. That should also come with an executive board that could “enforce” the programs, and various working groups to tackle individual key areas.
The risk of unauthorized access to infrastructure is a very real one. The Stuxnet virus is one of the better known perils, responsible for crippling Iran’s main nuclear enrichment facilities back in 2007, but malware attacks have also happened on US soil, loaded by rogue USB drives.
That sort of low-tech infection also represents another of the key risks ENISA identifies: a lack of awareness and training among those responsible for maintaining ICS.
For instance, hackers used social engineering to get employees at some of the top chemical and defense companies to install malware on their enterprise systems back in 2011. That opened a backdoor with which R&D secrets could be extracted, including proprietary designs, formulas, and manufacturing processes.