Process control system infection concerns – actual current cases

A number of control system networks in South America are currently being impacted by several different malware infections. In one case, the control systems utilize OPC for interoperability.  The company has configured their systems such that all of their facilities are on a common network. This is not unusual as fleet asset management and environmental dispatch needs often require direct or indirect communications to all plants in the fleet. In the South American case, once the infection occurs, it can spread to all facilities within the fleet. Moreover, the infection can impact systems from vendors other than the one initially impacted. There is a saying that control system security can result in the system be hard on the outside, but soft and chewy on the inside. This seems to be an excellent example where even an unintentional infection by a vendor’s compromised laptop at one facility can impact the entire fleet. Additional complications are multiple older workstations that do not run antivirus and cannot be patched and the forensics cannot identify where the infection started. Even more problematic is that up-to-date anti-virus did not prevent a Conficker (Stuxnet?) infection in one of the process control networks. These types of vulnerability can impact process control networks in any industry. In the South American case, the systems affected are both power plant and steel mill control systems. The proper scope for cyber security is the correct application of the specifications in ISA99 in any industrial control system, in any industry, including fossil power and nuclear. In the South American case, there are steel mills and power plants affected. The system integrator from South America will discuss these cases at the September ACS Conference.

Joe Weiss