In the IT community, a worst case scenario is denial-of-service. In the ICS community, a worst case scenario is loss of control/loss of view. Enclosed are some recent cases of loss of control/loss of view with four different major ICS suppliers each without a known cause.
The broken record - why do people who don't understand ICSs still continue to speak for ICS cyber security
Would anyone with a heart condition go to an orthopedist to check on their heart? An internist and orthopedist are both doctors, but they certainly have different specializations. The fact that someone understands IT security does not make them an ICS cyber security expert.
On December 14, SANS came out with the following headlines: All 3 "top of the news" stories this week illustrate an important security trend: Internet facing control systems are becoming much more prevalent allowing easy exploitation of disclosed vulnerabilities for disruption as well as back door access to other corporate systems...
In November, ViaSat conducted a survey of 213 utility and smart grid personnel. The results can be found at http://smartgridresearch.org/wpcontent/uploads/sgi_reports/Utility_Cyber_Security_Survey_2012_INFOgraphic_ViaSat_Zpryme.pdf?utm_source=Smart+Grid+Insights&utm_campaign=a420661749-_ViaSat_INFOgraphic_12_13_2012&utm_medium=email. The results indicate a growing concern by utilities about cyber security and the potential of significant impacts. I wish I could believe these results.
November 27-28, the Georgia Tech Research Institute and the US Office of Naval Research Global held the TransAtlantic Cyber Security Summit in Dublin, Ireland. The agenda can be found at http://www.siliconrepublic.com/events/event/2927-transatlantic-cyber. There were approximately 60 attendees from Europe and the US.
November 19, the following thread was in Linked-in Cyber Security in Real-Time Systems. "I found that there is a vulnerability in Image-Memory of PLCs. Ralph lunger (sic) said in a movie." the vulnerability is read and write capability in Memory of PLC ". Is there that vulnerability now?"
The National Research Council prepared the report, "Terrorism and the Electric Power System". The report was completed in 2007 but was classified by its sponsor, the Department of Homeland Security, until now. The Council lobbied DHS to allow for its release, and said key findings remain "highly relevant." It was...
November 9th, Susquehanna Unit 2 had a manual shutdown (scram) of the plant due to a failure of the Integrated Control System (ICS) which controls feedwater flow and other systems. The ICS is not a safety system but affects the functionality of the plant.
At the recent ICS Cyber Security Conference we had the first public discussions of Aurora. Aurora is a gap in protection of the electric grid. Aurora is starting Alternating Current (AC) equipment (generators, motors, etc) out-of-phase imposing a large torque which can cause significant loss of equipment life or damage.
On Tuesday, a major control and safety system vendor held a webinar on cyber security of safety systems - "The rocky relationship between safety and security". The vendor talked about the network issues that needed to be considered, limitations on read/write, etc.