The PG&E San Bruno natural gas pipeline rupture and the Volkswagen emissions scandal were ICS cyber incidents that put the respective corporations at risk and led to the resignation of the respective CEOs.
Not every ICS cyber vulnerability is critical. ICS cyber security should focus on what can affect ICS or system operation so the end-user can prioritize what threats are important to system reliability and safety.
The 2015 ICS Cyber Security Conference will be October 26-29 at the Georgia Tech Hotel and Conference Center in Atlanta (www.icscybersecurityconference.com ). This will be the 15th in a series that began in 2002. Because the Conference focuses on timely ICS cyber security issues, the agenda is now being finalized.
The Control Engineering 2015 Cyber Security Survey doesn’t seem to identify ICS cyber security impacts. The focus was on IT and networking devices with no mention of ICS field devices. A significant number of respondents experienced “cyber incidents” with their ICS networks – not devices.
For control systems, the CIA triad needs to add an additional term -“S” for safety. This is a real issue as there have been more than 50 actual control system cyber incidents that have injured or killed people.
My database now has more than 725 actual control system cyber incidents. VERY few were identified as cyber. There have been more than a 1000 deaths, major equipment damage, significant environmental releases, and even bankruptcies yet the C-suite too often is missing.
I have been able to identify more than 600 ACTUAL control system cyber incidents (I keep finding more) though most of the incidents were never identified with the word “cyber”. A very conservative estimate of the direct costs of control system cyber incidents to date is more than $15 Billion.
The Lloyd’s report on cyber implications of the electric grid serves a very important need to understand the insurance implications of a cyber attack against the electric grid. Unfortunately, the technical aspects of the hypothesized attack in the Lloyd’s study are too flawed to be used.
The computer security industry has long had a philosophical debate on how to define a cyber threat. For many, the use of the term Threat is reserved for hostile actors. But cybersecurity professionals and enterprise CTO’s, CIO’s and business executives must lead in ways that keep the IT (and ICS)...