{"id":74746,"date":"2025-02-20T17:42:24","date_gmt":"2025-02-20T23:42:24","guid":{"rendered":"https:\/\/www.controleng.com\/articles\/10-control-system-security-threats\/"},"modified":"2025-04-23T17:44:44","modified_gmt":"2025-04-23T22:44:44","slug":"10-control-system-security-threats","status":"publish","type":"post","link":"https:\/\/www.controleng.com\/10-control-system-security-threats\/","title":{"rendered":"These are the top 10 control system cybersecurity threats"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Control system cybersecurity insights<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Risk mitigation tools include perimeter protection, network intrusion detection, host intrusion detection and performance monitoring.<\/li>\n\n\n\n<li>Using control systems for non-control communications can only lead to problems getting the mission-critical control information distributed as quickly as possible.<\/li>\n\n\n\n<li>Technical solutions only cover 20% of the issue with the other 80% involving common sense and changing behavior.<\/li>\n<\/ul>\n\n\n\n<p>It&#8217;s critical to secure control systems from <a href=\"https:\/\/www.controleng.com\/how-cisos-can-overcome-industrial-cybersecurity-talent-resource-shortages\/\">cybersecurity threats<\/a>. No manufacturer that relies upon control systems wants to deal with the fallout from data breaches.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/www.nerc.com\/Pages\/default.aspx\">North American Electric Reliability Corp. (NERC)<\/a>, which is charged with improving the reliability and security of the bulk power system in North America, watches over the electric utility grid. Those systems depend on a vast network of computer-supported regulation.
NERC maintains a list of cybersecurity vulnerabilities that are accepted outside the utility industry as a model for protecting all industrial networking.<\/p>\n\n\n\n<p>Here are the top 10 cybersecurity threats to the control industry:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Inadequate policies, procedures and culture governing control system security<\/h3>\n\n\n\n<p>Security begins with a culture and mindset of all those involved.<\/p>\n\n\n\n<p>\u201cThere is a tendency to think of security in terms of a technical solution: firewalls, passwords, etc.,\u201d said Bob Huba, retired DeltaV product manager for Emerson Process Management. \u201cWhile those elements may cover 20% of the overall solution, common sense approaches to security implemented by plant personnel should make up the remaining 80%. To quote one industry practitioner, &#8216;just stop doing dumb things.\u2019 Ask the question, &#8216;Does your facility have a security policy?\u2019 It can be as simple as asking a stranger why he is in a control room or making sure your users know not to bring in portable media from the outside to play music or install non-approved programs.\u201d<\/p>\n\n\n\n<p>Kim Fenrich, global product marketing manager with ABB Inc., said, \u201cWithout an effective security policy that addresses procedures, mitigation strategies, and periodic training, all other security programs will be less successful.
To be successful, security must be viewed as an ongoing process, not a one-time investment into firewalls, intrusion prevention or detection, encryption technologies, etc.\u201d<\/p>\n\n\n\n<p>Operators believe, said Bryan Geraldo, principal detection and response engineer with Expel, that \u201ccontrol systems are relatively safe from opportunistic attacks or inadvertent disruption because they are &#8216;indirectly\u2019 connected to the Internet, or composed of different software and hardware components, some of which have the vendors\u2019 own built-in security features.\u201d While most IT products have built-in security measures, such as passwords and encryption options, or basic firewall\/filter-type mechanisms, Geraldo says, \u201cmany of these features are deactivated \u2014 or worse \u2014 left in default or incorrect configurations, which lends a <a href=\"https:\/\/www.controleng.com\/how-should-we-assess-the-u-s-cybersecurity-posture\/\">false sense of security<\/a>.\u201d<\/p>\n\n\n\n<p>The general migration away from proprietary system architectures requires change, suggests Marilyn Guhr, senior marketing manager for lifecycle services, Honeywell Process Solutions. \u201cAs the control system environment moves to open systems,\u201d she said, \u201cnew policies and procedures are required and often control systems people are not aware of these requirements or they believe someone else is taking care of it. The IT organizations within their companies are very aware of these things but that awareness hasn\u2019t necessarily filtered down to the process control area.\u201d<\/p>\n\n\n\n<p>Lack of knowledge produces errors. \u201cOver and over I see mistakes occur on industrial sites that can completely invalidate the entire security effort,\u201d said Eric Byres, former chief executive officer of Byres Security. \u201cFor example, during one particular site audit I ran, network cables were discovered that circumvented the SCADA firewalls.
The reason later given was that there was no risk analysis showing that the firewalls were important, nor was there a policy stating that bypassing them was unacceptable.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Inadequately designed networks with insufficient defense-in-depth<\/h3>\n\n\n\n<p>Defense requires more than just a strong perimeter. \u201cTo secure a control system successfully requires taking a systematic and comprehensive approach,\u201d advised Todd Stauffer, PCS 7 marketing manager, Siemens Energy &amp; Automation. \u201cOne of the most common (and dangerous) misunderstandings is that by simply installing a control system firewall, the system is protected. This is far from correct. Instead, a layered approach called defense-in-depth is recommended by security practitioners and agencies, such as the <a href=\"https:\/\/www.dhs.gov\">U.S. Department of Homeland Security<\/a>. Defense-in-depth advocates the creation of a nested security architecture whereby the plant is divided into multiple secure and closed cells (zones). Each cell must have clearly defined and monitored access points to control access and communication in and out.\u201d<\/p>\n\n\n\n<p>Control systems must have hierarchical levels of protection, said Kevin Staggs, global security architect, Honeywell Process Solutions. \u201cThe more critical the access, like controls and HMI, the deeper it needs to be defended. Control systems at a minimum should be firewalled off from the business network, and they should never be allowed to access the Internet. 
The IT realm understands how to use defense-in-depth networks, but that expertise hasn\u2019t necessarily been brought down to the control system level.\u201d<\/p>\n\n\n\n<p>Byres said, \u201cNo IT department in its right mind would just install a firewall and then say &#8216;we\u2019re secure.\u2019 IT departments install antivirus software, personal firewalls, automatic patches, etc., on every single server, desktop, and laptop, so that these computers are tough enough to defend themselves with or without the firewall. Yet in the SCADA and control systems world, companies install one firewall between the business network and the control network (if that) and completely ignore the security of mission critical devices like the programmable logic controller (PLC), remote terminal unit (RTU) or distributed control system (DCS). The whole control security paradigm is &#8216;crunchy on the outside and chewy in the middle\u2019 but that doesn\u2019t work. Like good safety design, a good security design has to offer layers of defense so that when one layer fails another will stand in its place. That means making every device on the control network secure enough that it can defend itself when the bad guys or bugs eventually get through the firewall. It isn\u2019t easy, but it can be done.\u201d<\/p>\n\n\n\n<p>Security can have its downside, as Adam Stein, VP of marketing at Mu Security, cautioned: \u201cWith supervisory control and data acquisition (SCADA)-based control systems, defense-in-depth really only hardens the edges of the network. Users won\u2019t tolerate the kind of latency that internal defense mechanisms create in a system. When the operator sends a signal to close a valve or stop a dangerous process, he doesn\u2019t want to wait the extra time needed for that to get through multiple firewalls.\u201d<\/p>\n\n\n\n<p>Emerson\u2019s Huba has seen the effects of mixed platforms common to most plants.
\u201cMany of today\u2019s control networks are made up of loosely integrated controllers from different companies, with a common human-machine interface (HMI) and common off-the-shelf hardware for communications. Most often these are engineered by system integrators on an ad hoc basis and security may or may not have been considered. As these systems proliferate, it is important that end-users insist that proper restrictions to the control network be engineered as part of the solution.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Remote access without appropriate access control<\/h3>\n\n\n\n<p>\u201cControlling which persons and programs have access to the control system is critical to maintaining security,\u201d Stauffer advises. \u201cIn general, user accounts should be set up to grant access and permission based on the defined role of the user (engineer, operator, maintenance technician, remote view-only connection, etc.). This follows the principle of minimal rights whereby users and computers are configured with the minimum set of access rights necessary to perform their role.\u201d<\/p>\n\n\n\n<p>But denying any remote access hampers end-users\u2019 ability to work with control system vendors for remote services that could really be advantageous to them, including more \u201cintellectual firepower\u201d during a customer situation, said Guhr.<\/p>\n\n\n\n<p>Bryan Singer, CISM, CISSP, principal consultant, industrial security, FluidIQs Inc., and chairman of ISA SP99, Manufacturing and Control Systems Security committee, said, \u201cTerminal services, wireless networks, radio telemetry equipment, modems and unsecured computers abound. Where electronic security is not feasible, we should have good physical security. This also extends into our ability to detect rogue or additional devices. 
Most networks are not managed or configured to stop unauthorized devices, so additional control systems, PCs or even attackers\u2019 workstations can often be joined to the network and never detected.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Separate auditable administration mechanisms<\/h3>\n\n\n\n<p>This includes system updates, user metrics, and the like that are not part of the control system implementation. \u201cThis vulnerability goes back to the people who are running the control systems,\u201d said Guhr. \u201cTheir core competencies may not be in the IT area and the vulnerabilities that are discovered in these systems are IT-related. You need a capability in place that indicates &#8216;what\u2019s the latest thing you added to the system or what\u2019s changed since the last time you had a properly running system?\u2019 If something goes wrong, you need to know what\u2019s changed.\u201d<\/p>\n\n\n\n<p>Stauffer seconds that advice: Since hackers are continuously working to find new vulnerabilities, he says, processes should monitor the control system continuously to ensure that its software is kept up-to-date.<\/p>\n\n\n\n<p>Auditing systems and software doesn\u2019t always come naturally to process operators, and they may need to learn new techniques. \u201cMost process control systems and related programs are designed with alarms and event generation capability, but they are process-focused,\u201d Singer explained. \u201cIt is very difficult to detect an attack or compromise from such logs, and computer forensic methods are also quite complicated on control devices. Some online auditing and monitoring solutions, such as intrusion detection systems, are woefully inadequate when dealing with controls protocols and many times even if these systems and firewalls are in place, the logs are not monitored.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. 
Inadequately secured wireless communication<\/h3>\n\n\n\n<p>\u201cWireless security isn\u2019t just a big issue for control systems, but for all uses, mainly because wireless is becoming so pervasive,\u201d said Staggs. \u201cIt\u2019s very easy to plug wireless in almost anywhere. But you have to be able to find the signals and know if someone has put in a rogue point.<\/p>\n\n\n\n<p>\u201cBefore installing wireless, it\u2019s important to do a complete assessment to identify the best areas for wireless use and ensure that leakage out of the plant is minimized. Wireless leakage occurs when you have transmitters or wireless-enabled workers walking around with tablet PCs or handheld devices. Those devices may be transmitting in an area outside a plant.\u201d<\/p>\n\n\n\n<p>Singer encouraged studying wireless propagation: \u201cOn the wireless network side, technologies such as 802.11b and g are often in place, operating in the 2.4 GHz spectrum. Often they have been deployed without a suitable site survey to determine if coverage is adequate and to evaluate if spurious emissions are limited so that people external to the facility must work hard to find these networks.\u201d<\/p>\n\n\n\n<p>Problems with open emission technologies fall into four basic areas, said Ken Steinberg, chief executive officer of Savant Protection: unauthorized use, on-air interception, frequency interference, and unauthorized extension. \u201c<a href=\"https:\/\/www.controleng.com\/ebook-cybersecurity-in-smart-factories-summer-edition\/\">Security professionals<\/a> need to make sure to cover all areas in order to remain secure and effective,\u201d he added.<\/p>\n\n\n\n<p>Hesh Kagan, Invensys director of technology and president of the Wireless Industrial Network Association (WINA), said dangers stem from a \u201cpoorly or incorrectly managed network, as well as poor underlying technology. An insecure network will often be a fragile network as well. 
The lack of robustness is as troublesome to operations as the lack of security is to IT.\u201d<\/p>\n\n\n\n<p>Sometimes separation is the best approach, advised Symantec\u2019s Geraldo: \u201cIf possible, segment the wireless networks from the rest of the control network. Additionally, it is strongly advisable to secure wireless access methods to include requiring authentication and enforcing strict access controls for communications leading from the wireless network into the rest of the control network.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. Use of a non-dedicated communications channel for command and control<\/h3>\n\n\n\n<p>This would be the case with Internet-based SCADA. This vulnerability also could include inappropriate use of control system network bandwidth for non-control purposes, such as voice over Internet protocol (VoIP).<\/p>\n\n\n\n<p>\u201cMany IT folks have bought the &#8216;converged network\u2019 line and think it\u2019s okay,\u201d said Singer. \u201cWe have seen cameras, VoIP, business systems processing payroll and a whole host of other issues, cause denial of service conditions on control networks. IT professionals typically look at application performance, and near real time for control is a foreign concept. Taking 300 to 500 milliseconds extra to receive e-mail or a webpage is largely unnoticeable; 300 to 500 milliseconds for control messages or safety messages could be disastrous. Often, what is an acceptable level of saturation or utilization from an IT perspective can spell disaster for controls.\u201d<\/p>\n\n\n\n<p>Staggs warned that well-meaning individuals can make mistakes about infrastructure since \u201cit costs quite a bit of money to add additional channels, and it\u2019s hard to add infrastructure wiring after the fact. But you really need to understand where the information is and where it needs to flow, and lay out your networks accordingly. Keep the control traffic off the business network and vice versa. 
Don\u2019t use the same channels. It\u2019s really a bad practice.\u201d<\/p>\n\n\n\n<p>Using the control system for non-control communications, said Huba, \u201cregardless of how much &#8216;extra\u2019 bandwidth appears to be available, can only lead to problems getting the mission-critical control information distributed as quickly as possible.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7. Lack of easy tools to detect\/report anomalous activity<\/h3>\n\n\n\n<p>This includes inadequate or non-existent forensic and audit methods. \u201cDeveloping a prevention approach to plant control systems will require a new approach to network security between the plant network layer and business\/external systems. It\u2019s only logical that we implement the tightest layer of control on our systems as technically possible in order to maintain the continuity of our business,\u201d said Ernest Rakaczky, business development manager, control system security, Invensys.<\/p>\n\n\n\n<p>The range of tools is extensive, added Todd Nicholson, chief marketing officer, Verano Inc.: \u201cRisk mitigation tools include perimeter protection (firewall, anti-virus, intrusion protection, content filtering, etc.), network intrusion detection (scanning the network for intrusions, rogue devices, changes in traffic levels, etc.), host intrusion detection (detecting file\/process\/socket changes, monitoring message queues, login failures, removable media insertion, abnormal exits, etc.), and performance monitoring.<\/p>\n\n\n\n<p>\u201cThe unique aspects of control system designs also impact the requirements for cyber security risk mitigation. For instance, control system cyber security solutions must be totally passive, extract information from the actual control applications, monitor system performance, and operate effectively on older systems\/networks.\u201d<\/p>\n\n\n\n<p>Inadequate methods are the problem, said Staggs. 
\u201cThe tools are available and are commonly deployed in business networks and IT networks, but they really are not understood or deployed on control systems. Right now, the control systems that are out there really don\u2019t have enough of the accounting security capabilities to provide forensic trails when things do go wrong.\u201d<\/p>\n\n\n\n<p>Singer agreed but isn\u2019t sure he likes what he sees: \u201cThere are some tools starting to emerge, but they often have the flavor of &#8216;IT-related tools,\u2019 created by IT professionals, for IT professionals, and only for traditional IT systems, not necessarily for controls.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">8. Installation of inappropriate applications on critical host computers<\/h3>\n\n\n\n<p>Most importantly, Stauffer said, the control system needs to safely and effectively control the process. \u201cThe only necessary applications are those that are directly involved with the control of the process. Additional software programs such as e-mail, games, and media players are not necessary and can make the system vulnerable. To harden the system, it is necessary to remove all unnecessary applications and to prevent new ones from being introduced. Unwanted programs or malware can be introduced any time data is exchanged with the world outside of the control system.\u201d<\/p>\n\n\n\n<p>Guhr recalled, \u201cA customer was experiencing slowdowns on certain operator stations and they couldn\u2019t figure out what was wrong. The &#8216;problem\u2019 was tracked down to a TV hookup on the operator station.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9. Inadequately scrutinized control system software<\/h3>\n\n\n\n<p>\u201cSome of the most common ways to compromise a system involve problems with poor coding practices, such as using static buffers, or libraries that clearly have vulnerabilities,\u201d Singer noted.
\u201cOften, developers rely on some sort of &#8216;tool\u2019 to analyze source code once written, which means vulnerability detection is limited to the capabilities and patch level of the tool. Coding standards and writing secure code are available disciplines today, and should be followed. End users, system integrators and consultants should all insist upon rigorous application testing, viewing coding standards for vendors, etc.\u201d<\/p>\n\n\n\n<p>Steinberg warned that some flaws will always remain: \u201cThere is no way to remove all of the code flaws from these systems, nor create all known good and bad test cases. The best way to mitigate the potential for problems is to minimize the application set complexity, perform a rigorous review of operating system and application code and avoid interpreted solutions when possible. Depending upon cost and time, it also makes sense to generate two application sets using two different development teams to minimize the potential for injecting the same logic flaws.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">10. Unauthenticated command and control data<\/h3>\n\n\n\n<p>\u201cNot all controllers out there today authenticate who\u2019s making the change and authorize that the change is allowed for that user through the controller,\u201d Staggs noted. \u201cThis security step on most control systems is performed at a layer in the control system above the controllers. This leaves the controllers vulnerable, and that\u2019s why defense-in-depth is absolutely required. You\u2019ve got to make sure the controllers are deep down in the security infrastructure, with multiple layers of defense above them. 
If you\u2019re not doing that, then your controllers are basically wide open on the web.\u201d<\/p>\n\n\n\n<p>Steinberg stressed people management: \u201cWhen it comes to authenticating command and control, the only choice that providers have is to augment the human aspect, specifically with respect to problem analysis, chain of command, and communication flow. Proper policy, practice, and procedure will buy time for older command infrastructures to be re-thought and replaced.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How do you mitigate control system cybersecurity vulnerabilities?<\/h2>\n\n\n\n<p>There are mitigation strategies for all these vulnerabilities, and they range from software packages to changing corporate culture. Returning to the opening comment of vulnerability number one, remember that technical solutions only cover 20% of the issue. The other 80% involves common sense and changing people\u2019s behavior. That is generally the larger challenge.<\/p>\n\n\n\n<p><em>This article originally appeared April 1, 2007.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The North American Electric Reliability Corp. (NERC) is charged with improving the reliability and security of the bulk power system in North America, as part of a larger critical infrastructure protection mandate.
To ensure uninterrupted service, NERC watches over the electric utility grid, whose systems depend on a vast network of computer-supported regulation.<\/p>\n","protected":false},"author":3604,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"pgc_sgb_lightbox_settings":"","footnotes":""},"categories":[104076],"tags":[109341,109340,109744,109809,109879],"tracking-metrics":[],"display-location":[],"class_list":{"2":"type-post"},"acf":[],"yoast_head_json":{"title":"These are the top 10 control system cybersecurity threats - Control Engineering","description":"Control systems are vulnerable to cybersecurity threats. Manufacturers who rely on these control systems open themselves up to breaches.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.controleng.com\/10-control-system-security-threats\/","og_locale":"en_US","og_type":"article","og_title":"These are the top 10 control system cybersecurity threats - Control Engineering","og_description":"Control systems are vulnerable to cybersecurity threats.
Manufacturers who rely on these control systems open themselves up to breaches.","og_url":"https:\/\/www.controleng.com\/10-control-system-security-threats\/","og_site_name":"Control Engineering","article_publisher":"https:\/\/www.facebook.com\/ControlEngineeringMagazine","article_published_time":"2025-02-20T23:42:24+00:00","article_modified_time":"2025-04-23T22:44:44+00:00","og_image":[{"width":1200,"height":675,"url":"https:\/\/www.controleng.com\/wp-content\/uploads\/2024\/12\/ce_logo_1200x675.png","type":"image\/png"}],"author":"Control Engineering Staff","twitter_card":"summary_large_image","twitter_creator":"@controlengtips","twitter_site":"@controlengtips","twitter_misc":{"Written by":"Control Engineering Staff","Est. reading time":"14 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.controleng.com\/10-control-system-security-threats\/#article","isPartOf":{"@id":"https:\/\/www.controleng.com\/10-control-system-security-threats\/"},"author":{"name":"Control Engineering Staff","@id":"https:\/\/www.controleng.com\/#\/schema\/person\/23a1144d9b5d980be07d7f9539a674b2"},"headline":"These are the top 10 control system cybersecurity threats","datePublished":"2025-02-20T23:42:24+00:00","dateModified":"2025-04-23T22:44:44+00:00","mainEntityOfPage":{"@id":"https:\/\/www.controleng.com\/10-control-system-security-threats\/"},"wordCount":3012,"publisher":{"@id":"https:\/\/www.controleng.com\/#organization"},"keywords":["control engineer","control engineering","control systems","cybersecurity","security"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.controleng.com\/10-control-system-security-threats\/","url":"https:\/\/www.controleng.com\/10-control-system-security-threats\/","name":"These are the top 10 control system cybersecurity threats - Control 
Engineering","isPartOf":{"@id":"https:\/\/www.controleng.com\/#website"},"datePublished":"2025-02-20T23:42:24+00:00","dateModified":"2025-04-23T22:44:44+00:00","description":"Control systems are vulnerable to cybersecurity threats. Manufacturers who rely on these control systems open themselves up to breaches.","breadcrumb":{"@id":"https:\/\/www.controleng.com\/10-control-system-security-threats\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.controleng.com\/10-control-system-security-threats\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.controleng.com\/10-control-system-security-threats\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.controleng.com\/"},{"@type":"ListItem","position":2,"name":"These are the top 10 control system cybersecurity threats"}]},{"@type":"WebSite","@id":"https:\/\/www.controleng.com\/#website","url":"https:\/\/www.controleng.com\/","name":"Control Engineering","description":"Control Engineering covers and educates about automation, control and instrumentation technologies","publisher":{"@id":"https:\/\/www.controleng.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.controleng.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.controleng.com\/#organization","name":"Control Engineering","url":"https:\/\/www.controleng.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.controleng.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.controleng.com\/wp-content\/uploads\/2024\/12\/ce_logo.png","contentUrl":"https:\/\/www.controleng.com\/wp-content\/uploads\/2024\/12\/ce_logo.png","width":300,"height":93,"caption":"Control 
Engineering"},"image":{"@id":"https:\/\/www.controleng.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/ControlEngineeringMagazine","https:\/\/x.com\/controlengtips","https:\/\/www.linkedin.com\/company\/control-engineering-magazine\/"]},{"@type":"Person","@id":"https:\/\/www.controleng.com\/#\/schema\/person\/23a1144d9b5d980be07d7f9539a674b2","name":"Control Engineering Staff","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.controleng.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/a71b8c279c109855866696137da9e5ce8350c84b413aec20631de37d1abcf56b?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a71b8c279c109855866696137da9e5ce8350c84b413aec20631de37d1abcf56b?s=96&d=mm&r=g","caption":"Control Engineering Staff"},"url":"https:\/\/www.controleng.com\/author\/control-engineering-staff\/"}]}},"_links":{"self":[{"href":"https:\/\/www.controleng.com\/wp-json\/wp\/v2\/posts\/74746","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.controleng.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.controleng.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.controleng.com\/wp-json\/wp\/v2\/users\/3604"}],"replies":[{"embeddable":true,"href":"https:\/\/www.controleng.com\/wp-json\/wp\/v2\/comments?post=74746"}],"version-history":[{"count":0,"href":"https:\/\/www.controleng.com\/wp-json\/wp\/v2\/posts\/74746\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.controleng.com\/wp-json\/wp\/v2\/media?parent=74746"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.controleng.com\/wp-json\/wp\/v2\/categories?post=74746"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.controleng.com\/wp-json\/wp\/v2\/tags?post=74746"},{"taxonomy":"tracking-metric","embeddable":true,"href":"https:\/\/www.controleng.com\/wp-json\/wp\/v2\/tracking-metrics?post=74746"},{"taxonomy":"display-location",
"embeddable":true,"href":"https:\/\/www.controleng.com\/wp-json\/wp\/v2\/display-location?post=74746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}