A Member's Opinion...
President
Obama laid the blame on the recent Detroit bomber (Umar Farouk Abdulmutallab)
fiasco on a "mix of human and systematic failures". His withering assessment
indicated the extent of the failure is deep and widespread. The same sort of
failures in sharing information were cited in the aftermath of the 9/11 attacks.
Prior to 9/11, intelligence agencies were unable to connect the dots between
disparate clues that alone didn't seem to add up to much. But when taken
together - if only in hindsight - it was clear they had the makings of a huge
and sophisticated terrorist plot.
Compare what
happened with 9/11 and the Detroit incident to the lack of "connecting the
dots" in Industrial Control System (ICS) cyber security. According to my ICS
incident database there have been more than 170 control system cyber incidents -
many of these of common origins and continuing to recur. There are many
government, industry, and commercial organizations providing guidance for
traditional IT threats - put in firewalls, isolate networks, etc. However, there
is no guidance on what to do or even what to look for to prevent ICS-unique
cyber incidents. And, it is ICS-unique cyber incidents that have caused some of
the most significant cyber events to date including those that have killed
people, and caused major outages and equipment impacts.
ICS security
is difficult to detect and prevent because:
- There is still limited use of
ICS-unique policies and procedures to prevent incidents,
- The work force
still is not trained to detect ICS-unique cyber incidents (this is not what
IDS/IPS monitor)
- ICS cyber forensics are still lacking in even some of the
newest systems, and
- Industry is still in denial about ICS security.
The Bellingham,
WA pipeline rupture that killed three people
and the
Maroochy sewage spill incidents are the two most comprehensively
documented ICS-cyber cases. There were a number of "red flags" that were missed
(
the Bellingham
report prepared by MITRE is on the NIST website and we presented it at RSA in
2008). Many of the non-publicly identified ICS cyber incidents also had red
flags that were missed. Does that sound similar to 9/11 and
Detroit? As for continuing
industry denial,
Mike Assante's April 9th letter criticized the utility industry
for their lack of identifying Critical Assets and the Control Engineering survey
results from December 22nd had almost 25% of the respondents stating ICS cyber
threats are not a risk to their business. Complicating this is the headlong dash
for Smart Grid that will create untold number of cyber vulnerabilities with a
scarcity of ICS cyber experts (see 12/29/09 blog). One can only hope government
and industry take ICS cyber security seriously before consequences are
unrecoverable. And make no mistake, ICS cyber incidents can cause consequences
such as loss of electric power for months or major toxic releases.
This was submitted by a member of the SF Bay InfraGard chapter, Joseph Weiss. Mr. Weiss is the principal at Applied Control Systems.
Mr. Weiss has presented and lectured extensively and testified to
congressional committees on Industrial Control System security issues.
