A Member's Opinion...
President Obama laid the blame for the recent Detroit bomber (Umar Farouk Abdulmutallab)
fiasco on a "mix of human and systematic failures". His withering assessment
indicated the extent of the failure is deep and widespread. The same sort of
failures in sharing information were cited in the aftermath of the 9/11 attacks.
Prior to 9/11, intelligence agencies were unable to connect the dots between
disparate clues that alone didn't seem to add up to much. But when taken
together - if only in hindsight - it was clear they had the makings of a huge
and sophisticated terrorist plot.
Compare what happened with 9/11 and the Detroit incident to the lack of "connecting the
dots" in Industrial Control System (ICS) cyber security. According to my ICS
incident database there have been more than 170 control system cyber incidents -
many of these of common origins and continuing to recur. There are many
government, industry, and commercial organizations providing guidance for
traditional IT threats - put in firewalls, isolate networks, etc. However, there
is no guidance on what to do or even what to look for to prevent ICS-unique
cyber incidents. And it is ICS-unique cyber incidents that have caused some of
the most significant cyber events to date, including those that have killed
people and caused major outages and equipment impacts.
ICS cyber incidents are difficult to detect and prevent because:
- There is still limited use of ICS-unique policies and procedures to prevent incidents,
- The work force still is not trained to detect ICS-unique cyber incidents (this is not what IDS/IPS monitor),
- ICS cyber forensics are still lacking in even some of the newest systems, and
- Industry is still in denial about ICS security.
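To make the second bullet concrete, here is an added example (it is not from the original piece and not any product's logic) of the kind of check that an ICS-aware review performs and a signature-based IT IDS/IPS does not: it looks at the engineering meaning of otherwise well-formed, authorized controller traffic. The event records, tag names, engineering limits and maintenance window are all constructed for illustration; the field names are assumptions, not a real historian or protocol schema.

```python
"""
Added example, not from the original article.

Reviews a list of constructed control-system events for "red flags" that
depend on engineering context rather than on network signatures:
  1. a setpoint write outside the tag's engineering limits,
  2. a controller configuration change outside the maintenance window,
  3. one source writing setpoints to an unusually large number of controllers.
Every record below is valid, authorized protocol traffic; nothing here is a
malware signature, which is why an IT-only IDS/IPS would stay silent.
"""
from dataclasses import dataclass
from collections import defaultdict

# Constructed engineering limits per tag (assumed values and units).
ENGINEERING_LIMITS = {
    "PIPE_PRESSURE_SP": (200.0, 1400.0),   # psi, assumed
    "PUMP_SPEED_SP": (0.0, 1800.0),        # rpm, assumed
}
# Assumed maintenance window: config changes are expected only 02:00-04:59.
MAINTENANCE_WINDOW_HOURS = range(2, 5)
# Assumed threshold: one station normally touches one or two controllers.
MAX_CONTROLLERS_PER_SOURCE = 2


@dataclass
class Event:
    """One historian/protocol record (constructed field names)."""
    ts_hour: int        # hour of day the event occurred
    src: str            # workstation or HMI that issued the command
    controller: str     # target PLC/RTU
    action: str         # "read", "write" or "config_change"
    tag: str = ""       # process tag for writes
    value: float = 0.0  # written value for writes


def ics_red_flags(events):
    """Return a list of human-readable red flags found in the events."""
    flags = []
    controllers_written = defaultdict(set)

    for e in events:
        if e.action == "write":
            controllers_written[e.src].add(e.controller)
            limits = ENGINEERING_LIMITS.get(e.tag)
            if limits is not None:
                lo, hi = limits
                if not lo <= e.value <= hi:
                    flags.append(
                        f"out-of-range setpoint {e.tag}={e.value} "
                        f"to {e.controller} from {e.src}"
                    )
        elif e.action == "config_change":
            if e.ts_hour not in MAINTENANCE_WINDOW_HOURS:
                flags.append(
                    f"config change on {e.controller} at hour {e.ts_hour} "
                    f"outside maintenance window from {e.src}"
                )

    # Breadth check: a single source reaching many controllers is unusual
    # for a normal operator station, whatever the individual values were.
    for src, ctls in controllers_written.items():
        if len(ctls) > MAX_CONTROLLERS_PER_SOURCE:
            flags.append(f"{src} wrote setpoints to {len(ctls)} controllers")

    return flags


# Constructed sample: one routine maintenance write, then a burst of
# well-formed but suspicious activity from a single HMI during the day shift.
SAMPLE_EVENTS = [
    Event(3, "eng-ws-01", "PLC-1", "write", "PUMP_SPEED_SP", 1200.0),
    Event(14, "hmi-02", "PLC-1", "write", "PIPE_PRESSURE_SP", 1650.0),
    Event(14, "hmi-02", "PLC-2", "config_change"),
    Event(14, "hmi-02", "PLC-2", "write", "PUMP_SPEED_SP", 900.0),
    Event(15, "hmi-02", "PLC-3", "write", "PUMP_SPEED_SP", 900.0),
]

if __name__ == "__main__":
    for flag in ics_red_flags(SAMPLE_EVENTS):
        print("RED FLAG:", flag)
```

Each of the three checks needs data an IT monitoring tool does not have (tag limits, the maintenance calendar, which stations are supposed to command which controllers); that context is exactly the "ICS-unique policies and procedures" the bullets say are still rarely written down, and without it the records above look like normal, authorized operations.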
The Bellingham, WA pipeline rupture that killed three people
and the Maroochy sewage spill incidents are the two most comprehensively
documented ICS cyber cases. There were a number of "red flags" that were missed
(the Bellingham
report prepared by MITRE is on the NIST website and we presented it at RSA in
2008). Many of the non-publicly identified ICS cyber incidents also had red
flags that were missed. Does that sound similar to 9/11 and Detroit? As for continuing
industry denial, Mike Assante's April 9th letter criticized the utility industry
for their lack of identifying Critical Assets, and the Control Engineering survey
results from December 22nd had almost 25% of the respondents stating ICS cyber
threats are not a risk to their business. Complicating this is the headlong dash
for Smart Grid that will create an untold number of cyber vulnerabilities with a
scarcity of ICS cyber experts (see 12/29/09 blog). One can only hope government
and industry take ICS cyber security seriously before consequences are
unrecoverable. And make no mistake, ICS cyber incidents can cause consequences
such as loss of electric power for months or major toxic releases.
This was submitted by a member of the SF Bay InfraGard chapter, Joseph Weiss. Mr. Weiss is the principal at Applied Control Systems. Mr. Weiss has presented and lectured extensively and testified to congressional committees on Industrial Control System security issues.