Weiss pointed to Project SHINE (SHodan INtelligence Extraction), an initiative that has scanned the internet looking for SCADA and ICS devices. “They found more than 2 million (control) system devices directly connected to the Internet,” he said, contending that the US government has been suppressing information on ICS attacks that have already occurred. “Our government won’t publicize and acknowledge them,” he said. “We have met the enemy and it is us.”
In a blog post this week, Weiss said targeted ICS attacks in the US have caused, “loss of electric and water SCADA, damage to manufacturing lines, shutdown of HVAC systems, and damage to facility equipment including critical motors.”
Other experts are much less vehement – they say the risks are likely greater than Sachs is saying, since even with an air gap a system can be compromised. But they agree that US ICSs are far from sitting ducks – that the chance of a catastrophic attack is, as Clapper said, “remote.”
Ben Miller, director of the Threat Operations Center at Dragos, said if a power company’s corporate network is connected to the internet, and the ICS is connected to that, then there is an online way to get to the ICS. There is also the risk of access to ICS that attackers might gain through compromised third-party vendors.
He also said he and Dragos CEO Robert M. Lee will be delivering a keynote at this week’s SANS ICS Summit in Orlando, Fla., on a project titled MIMICS (Malware in Modern ICS), that found, “thousands of cases of ICS software infected with viruses, just over the course of 90 days.”
Those, he said, were mainly non-targeted, “opportunistic viruses and removable media across many ICS vendor programs.”
Still, he said in the US, online access to ICS, “is extremely rare. Ultimately taking down the grid is a really complex subject. Having an industrial impact on any ICS is hard. Scaling an attack to a particular region is really really hard.”
Edgard Capdevielle, CEO of Nozomi Networks, also said connections to the corporate network are a risk. “While industrial traffic may not go through the internet to get from one site to another, all these networks often have a physical path to the outside and are therefore exposed,” he said. “Firewalls help provide segmentation in the network, but the exposure still exists.”
Eddie Habibi, CEO of PAS agreed with Sachs that a successful attack on ICSs is unlikely, “given the layers of cyber defense that most companies have in place.”
But he said the risks are very real, even with air-gapped systems. He said they could include downloading an infected software upgrade from a third-party vendor’s website into a SCADA system.
Sign up for Computerworld eNewsletters.