- Feb 2016 - 58% of attacks directed at water & wastewater
- The other 42% ... government entities (ICS-CERT)
- 40% of hacking directed at government industry
- 10 minutes - time to crack 6 character password
- 99% of exploited are infected 1 year before discovery
- Permanent damage to infrastructure easily possible
- Published flaws available for all controls manufacturers
- SCADA system access are for sale in underground market
- Takes average utility company 55 days for Malware discovery
When was the last time your SCADA and PLC systems were HACKED?
Perceptive Controls is well aware of the numerous attacks on our utilities and industries. We work hard to protect you. Some of the services we offer are:
- Assessments of current control systems and vulnerabilities
- Prioritize and recommend needed immediate action items
- Hardening (securing) of controls infrastructure
- Notifications of new vulnerabilities
"Our production systems are completely isolated from outside access"
In his book "The Art of Intrusion," hacker Kevin Mittnick clearly explains how even a neophyte can easily gain root (administrator)access to the entire network through the corporation's protected public website, from anywhere in the world. The majority of PLCs are currently ordered with Web services enabled, but 87% of users leave the Web servers active, unused (and not configured), with factory default passwords.
"Our system is secure because it would be impossible for an outsider to understand it."
This is nicknamed "security by obscurity" and has repeatedly been shown to be a false assumption. There are only 5-6 leading DCS and SCADA systems used throughout the world, and there are millions of U.S. and foreign engineers who have been trained in their use.
"We're not a likely target. We're not important or interesting enough to attract hackers."
Malware (Trojans, viruses and worms) can be inadvertently downloaded from the Internet, and these can replicate themselves on portable memory devices of all types. In 2008, digital picture frames sold by major retailers were found infected with a program that disabled antivirus software and sent passwords to servers in China.
"We've never had a problem. There has been no intrusion or disruption in our production network."
When new Intrusion Detection Systems (IDS) were installed on US Department of Defense networks, they showed that thousands of attempted illegal penetrations were going on daily. One general was incensed. "Before we had these IDS, we were never attacked. Now that we go them on the network, people are attacking our nets every day thousands of times trying to get in! And some of them are getting in!"
"We can't justify the expense and manpower"
The expense of protection is a fraction of 1% of the IT budget. With the latest generation of equipment, a network of protection can be installed, plug and play, by a handful of technicians rather than IT managers. Production need not be interrupted. Beyond ROI, the simplest justification is "What will we suffer if a disaster shuts us down?"
It is obvious that others are trying to hijack our livelihood. No longer limited to the government, large corporations and banking, hackers have their eyesight on our infrastructure. Anything they can do to upset our daily lives is their goal. Electrical grids, traffic signals, erratic water pressure fluctuations, water or wastewater treatment plants are all at risk.
Our job is to assess, recommend, and deploy a secure system to ensure this doesn't happen in your community.