Severity Ratings…You must consider the context!

What do severity ratings REALLY mean?

I read a blog on Digital Bond’s Bandolier project (www.digitalbond.com, Posted: May 27th, 2008 under Bandolier, DoE Research Project). It seems to be a good approach to identifying vulnerabilities in control system computers. The severity ratings for Bandolier are a good idea but the approach does not go far enough. Since these ratings are used for compliance reporting, it potentially could cost companies a significant amount of money without an accompanying risk reduction. The missing piece is the impact on the process or facility. I see two issues with the Bandolier approach- the first is the classification of non-critical computers as “severe”. The second is how Bandolier is used in the overall context of securing the facility. Many of the Major and Moderate control system cyber incidents I have identified in my incident database would not have been identified using an approach like Bandolier as they were not caused by traditional computer vulnerabilities but represented failures, omissions, or errors in design, configuration, or implementation of required programs and policies.

As an example of the first issue, consider a “typical” automation system like the one with which I am now working. It is a large power plant control system retrofit where security is to be considered. This facility includes many generations of control system workstations that are used in both critical and non-critical applications. Some are connected to the Process network LAN, some are connected to the Control LAN, some are connected to the Corporate LAN, and some are not even connected to a LAN. Using the Bandolier security rating approach, many workstations used in non-critical applications and not even connected to the plant control network could get a “Severe” rating if all IT appropriate security controls have not been applied. However, in the grand scheme of protecting assets (the facility and its ability to produce power), this type of rating would require significant expenditures without offering any benefit to the security of the facility.

For security approaches such as Bandolier to be effective, they need to be combined with impact on facilities. Examination of ISA SP99 requirements and risk definitions and tools such as the Idaho National Laboratory-developed Cyber Security Self-Assessment Tool (CS2SAT) make it clear that consequences must be understood in terms of the effects on facilities, major equipment health, environmental concerns, and public safety. Perhaps that was the idea of the Bandolier approach. But unless they define what they mean by “systems” to include these effects, their approach will not meet automation systems needs. I think these identified limitations in Bandolier have more to do with the different cultures of IT and Operations where IT’s focus is protecting computers while Operations focus is protecting the process and facilities. I believe the potential for extending Bandolier (or other IT-type approaches) to include impacts on facilities provides a basis for the two communities to work together. Consequently, this will be a major discussion area at the Applied Control Solutions August Control System Conference in Burr Ridge, IL.

Joe Weiss

What are your comments?

Join the discussion today. Login Here.

Comments

  • I could see where this would draw unnecessary attention to areas that do NOT need or warrant an audit or forensics investigation. To me, this makes no sense. So...we'd be chasing our tails in trying to find problems, only to be falsely-alerted to known areas? Uhhhhh.....

    Secondly, I believe that there are commercial manufacturers out there that already have similar features available, and have for several years.

    I just see this as a waste of tax-payers money.

    Then again, I'd have to pay $100 to find out more (which I don't have) about it...

    Reply

  • While I agree in general that severity cannot be established without context, experience tells me that such context can hardly be established by any kind of automated software tool. Even worse, many asset owners don't have any realistic idea, not to say methodology, of calculating the cost of potential cyber incidents. Without having seen the Bandolier product, my guess is that it goes half the way... which is better than nothing, after all.

    P.S. Why not discuss this stuff over at Digital Bond's?

    Reply

RSS feed for comments on this page | RSS feed for all comments