Matt Luallen wrote a very timely and cogent article in the December 2013 issue of Control Engineering called “Plausible deniability is not a security strategy”.
For years, too many in the ICS community have lived with the concept of “security by obscurity”. At least in this case, there was the concept of addressing the subject, even if it was to dismiss it as a non-problem. I believe way too many people and organizations, particularly in the electric and water industries, have a severe case of plausible deniability - “if I have not heard about it to my face, I do not have to address it.”
Plausible deniability is the root of “compliance” too.
I believe Aurora is probably the epitome of plausible deniability. I personally know of several utilities that have made it clear they will not talk to me about Aurora so they can plausibly state it is not a problem to them.
Who attends (or not) the ICS Cyber Security Conference is another example of plausible deniability. As long as people are not there when discussions happen, they can claim they were unaware and it doesn’t affect them. NERC and the CIP Committee are in this category, as it would be difficult to continue pushing their agenda when it is clearly not adequate to prevent ICS cyber incidents that have already occurred and been openly discussed at the Conference.
However, plausible deniability may have just sprung a leak. The recent Target hack may be the needle causing the leak. Target, seen from their perspective, is the victim. Seen from their customers’ perspectives, Target didn’t do enough to protect their data. Target says they did all they could and are doing all they can after the hack. Unfortunately, plausible deniability will not save them from lawyers. It will also be interesting to see how insurance companies respond to ICS cyber security following the Target hack. One wonders what will happen to the electric utilities when another major cyber-related incident like the 2008 Florida outage or the 2010 PG&E San Bruno natural gas pipeline explosion occurs. Similar to Target, the utilities will claim they met the NERC CIPs and therefore should be held blameless, even though the NERC CIPs are clearly inadequate to protect substations and power plants and there is insufficient ICS cyber security guidance to protect pipelines. The same is true of many industries, not just the electric utilities.