What is Control System Cyber Security and Why is it so Pervasive and Important
What is cyber security? According to the National Institute of Standards and Technology (NIST), a Cyber Incident is an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability (CIA) of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Incidents may be intentional or unintentional. (FIPS PUB 200, Minimum Security Requirements for Federal Information and Information System, March 2006.) What is important about this definition is it addresses Intentional or unintentional events, actual or potential compromises of CIA, or violations or imminent threats to CIA.Why do we care? Cyber threats to Industrial Control Systems (ICSs) are real. Even though organizations are unlikely to report incidents, there have been more than 90 cases (intentional and unintentional) in all industries. Effects range from trivial to significant equipment and environmental damage to deaths. Almost every time I have given a presentation on control system case histories, I have had at least one person approach me with another case history that has not been reported. The business case for addressing control system cyber security is a combination of maintaining reliability and availability, reducing corporate liability, and maintaining regulatory compliance. It is irrelevant whether the cyber event is intentional or unintentional, the business impact is the same. Shutdown of manufacturing facilities and power plants, damage to major plant equipment, and loss of power to large swaths of customers are worth a lot of money yet senior management doesn't see this as an important area. What are we missing? Are we getting better? I don't believe so. In the electric industry, the NERC CIP Cyber Security Standards are arguably making utilities LESS secure. It is the reason that the Federal Energy Regulatory Commission (FERC) had to issue a Notice of Public Rulemaking (NOPR). The nuclear utilities have continued to shun non-nuclear cyber security activities even though the non-nuclear organizations have significantly more experience and expertise. Water (with very few exceptions) like nuclear is nowhere to be found either.
Why is it such a big deal? This is a very difficult, arcane, and complex problem. We are still at the infancy of understanding the issues. Many vendors and consultants are pushing IT solutions which are actually making things worse. Additionally, almost all new instrumentation and control systems are now digital, many with built-in cyber vulnerabilities. Topping that, corporate has discovered that control system data is important and they want access to it. Even worse (because they are often such a sieve), our regulators want access to the data. What this means is that it will be significantly more challenging to secure our future systems.