Figure 4 Bellingham, WA Gasoline Pipeline Rupture
Figure 5 is a picture of the Idaho National Laboratory (INL) demonstration of the capability to intentionally destroy an electric generator from a cyber attack [8].
Figure 5 INL Demonstration of Destroying Large Equipment via a Cyber Attack
An attempt was made to categorize the severity of these events. The prevailing view has been that there have been no significant ICS cyber incidents, and that industry will respond when a significant event occurs. Consequently, a database of ICS cyber incidents was examined to determine the level of severity of these incidents. Arbitrarily, three levels of severity were developed based on impacts:
This represents failures, omissions, or errors in design, configuration, or implementation of required programs and policies which have the potential for major equipment and/or environmental damage (more than millions of dollars); and/or extreme physical harm to facilities’ personnel or the public; and/or extreme economic impact (bankruptcy).
Example: The Bellingham, WA gasoline pipeline rupture’s impact was 3 killed, $45M damage, and bankruptcy of the Olympic Pipeline Company. Forensics were not available to determine the actual root cause. This incident would not have been prevented by mainstream IT security policies or technologies.
This represents failures, omissions, or errors in design, configuration, or implementation of required programs and policies which have the potential for moderate equipment and/or environmental damage (up to hundreds of thousands of dollars) with at most some physical harm to facility personnel or the public (no deaths).
Examples: 1) The Maroochy (Australia) wireless hack caused an environmental spill of moderate economic consequence. This incident would not have been prevented by mainstream IT security policies or technologies. 2) The Browns Ferry 3 Nuclear Plant broadcast storm could have been caused by a bad Programmable Logic Controller (PLC) card, by insufficient bandwidth, or by mainstream IT security testing. Forensics were not available to determine the actual root cause. This incident would not have been prevented by mainstream IT security policies or technologies.
This represents failures, omissions, or errors in design, configuration, or implementation of required programs and policies which have the potential for minimal damage or economic impact (less than $50,000) with no physical harm to facility personnel or the public.
Example: Davis Besse Nuclear Plant cyber incident caused by a contractor with a laptop contaminated by the Slammer worm plugging into the plant Safety Parameter Display System. This incident could have been prevented by mainstream IT security policies.
From the incident database, many of the incidents would have been judged to be Moderate or Severe. Most would have been neither detected nor prevented by traditional IT security approaches, because they were caused by system interconnections or by inappropriate policies or testing – not by mainstream IT cyber vulnerabilities. In order to improve security and avoid vast expenditures on systems and equipment without real improvements in automation network security, there is a critical need to examine previous ICS cyber incidents to determine whether there are patterns in these incidents, what technologies would detect such events, and what policies should be followed. For mainstream IT security approaches to be effective, they need to be combined with ICS expertise that appreciates the potential impact on facilities. Examination of ISA SP99 requirements and risk definitions, and of tools such as the Cyber Security Self-Assessment Tool (CS2SAT) [9], makes it clear that consequences must be understood in terms of the effects on facilities, major impact on equipment, environmental concerns, and public safety.
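The severity rubric above (three tiers keyed to equipment/environmental damage, physical harm and economic impact) and the follow-on analysis of which incidents mainstream IT controls would have prevented can be encoded as a small triage routine. The following Python is an added illustration, not code from the paper or from any incident database it cites. The dollar thresholds ($50,000 and "millions") come from the rubric; the rubric leaves a gap between "hundreds of thousands" and "millions", so the code treats $1M as the Severe floor (an assumption). Damage figures for Maroochy, Browns Ferry and Davis-Besse are constructed placeholders consistent with the tier the paper assigns each incident; only the Bellingham figures (3 killed, $45M, bankruptcy) are from the page.

```python
from collections import Counter
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    MINIMAL = 1   # < $50,000, no physical harm
    MODERATE = 2  # up to hundreds of thousands, some harm but no deaths
    SEVERE = 3    # millions of dollars, extreme harm, or bankruptcy


@dataclass(frozen=True)
class Incident:
    name: str
    damage_usd: float            # equipment and/or environmental damage
    deaths: int
    injuries: int
    bankruptcy: bool             # extreme economic impact
    root_cause_known: bool       # were forensics available?
    prevented_by_it_controls: bool  # would mainstream IT policies/technology have stopped it?


MINIMAL_MAX_USD = 50_000        # from the rubric: "less than $50,000"
SEVERE_MIN_USD = 1_000_000      # assumption: "more than millions" read as >= $1M


def classify(inc: Incident) -> Severity:
    """Assign the highest tier triggered by any single criterion.

    Harm and economic criteria are evaluated independently, so an incident
    with little equipment damage but a fatality is still Severe, and one
    with a minor injury but no damage is still Moderate.
    """
    if inc.deaths > 0 or inc.bankruptcy or inc.damage_usd >= SEVERE_MIN_USD:
        return Severity.SEVERE
    if inc.injuries > 0 or inc.damage_usd > MINIMAL_MAX_USD:
        return Severity.MODERATE
    return Severity.MINIMAL


# Constructed sample set: the four incidents named on the page.
# Non-Bellingham damage figures are placeholders chosen to match the paper's tiering.
INCIDENTS = [
    Incident("Bellingham gasoline pipeline rupture", 45_000_000, 3, 0, True, False, False),
    Incident("Maroochy wireless hack", 150_000, 0, 0, False, True, False),       # damage constructed
    Incident("Browns Ferry 3 broadcast storm", 200_000, 0, 0, False, False, False),  # damage constructed
    Incident("Davis Besse Slammer infection", 10_000, 0, 0, False, True, True),  # damage constructed
]


def classify_all(incidents):
    """Map each incident name to its tier name."""
    return {inc.name: classify(inc).name for inc in incidents}


def summarize(incidents):
    """Count incidents per tier, and per tier how many IT controls would have prevented.

    The second counter is the pattern the paper asks about: if most Moderate
    and Severe entries are not preventable by mainstream IT controls, spending
    there alone does not reduce the serious risk.
    """
    by_tier = Counter()
    it_preventable = Counter()
    for inc in incidents:
        tier = classify(inc).name
        by_tier[tier] += 1
        if inc.prevented_by_it_controls:
            it_preventable[tier] += 1
    return by_tier, it_preventable


def missing_forensics(incidents):
    """Names of incidents whose root cause could not be established."""
    return [inc.name for inc in incidents if not inc.root_cause_known]


if __name__ == "__main__":
    for name, tier in classify_all(INCIDENTS).items():
        print(f"{tier:9s} {name}")
    print(summarize(INCIDENTS))
    print("no forensics:", missing_forensics(INCIDENTS))
```

The point of keeping `prevented_by_it_controls` and `root_cause_known` as separate fields is that the two findings the paper draws from its database (most serious incidents were not IT-preventable, and forensics were often unavailable) are independent of the severity score and need their own columns in any real incident register.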
One way to move towards cross-sector convergence in cyber security ways and means is for all stakeholders to use the same terminology and to eliminate duplicative or overlapping sets of security standards’ requirements. NIST offers a set of high-quality publications addressing most of the relevant managerial, administrative, operational, procedural, and technical considerations. Each of these publications, such as SP 800-53, has been put through a significant international public vetting process, including, to the extent possible, review by authorities in the national security domain. NIST offers its documents to all organizations interested in using them as a basis for developing in-common standards within the ICS community. The recent Nuclear Regulatory Commission Draft Regulatory Guide 5022 specifically references NIST SP 800-53 and other appropriate NIST documents.
Incentives versus Regulation
Because I am very familiar with the electric power industry, I will focus on that segment. However, the information and experience from this segment generalizes across the entire critical infrastructure.
When the EPRI Enterprise Infrastructure (cyber security) Program was initiated in 2000, control system cyber security was essentially a non-factor – it was a problem of omission. Immediately following 9/11, the Federal Energy Regulatory Commission (FERC) attempted to provide incentives for security improvements by issuing a letter that would allow security upgrades to be included in the rate base. For various reasons, very few utilities took advantage of the offer and little was done. Consequently, in 2003 FERC approached the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Working Group with an ultimatum – do something or FERC would do it to you. In order to preclude regulations, industry promised they would produce cyber security requirements that would comprehensively secure the electric enterprise. The electric industry eventually developed the NERC CIP series of standards and the nuclear industry developed the Nuclear Energy Institute (NEI) guidance documents (NEI-0404). Instead of providing a comprehensive set of standards to protect the electric infrastructure, the NERC CIPs and NEI-0404 were ambiguous and with multiple exclusions. The industry went from being vulnerable because of lack of knowledge to now being vulnerable because of excluding systems and technologies and then claiming compliance. The electric industry has demonstrated they cannot secure the electric infrastructure without regulation. Other industrial verticals have similarly defaulted. Therefore, regulation is needed.