Home » Under-reporting Bedevils Estimates of Cyber Threat
Under-reporting Bedevils Estimates of Cyber Threat
By Andrew Bond, Industrial Automation Insider
Our observation, in reporting publication of a new white paper from cybersecurity specialist Innominate, that the most surprising aspect of the cybersecurity issue as it relates to process plant and critical infrastructure is "just how few really serious cases have been added to the list of documented incidents over the years" did not go unnoticed.
Frank Dickman, who wrote the original paper, entitled "Hacking the Industrial Network" and downloadable from www.innominate.com/white_paper_registration, emailed us to point out that, while most of the published incidents he quoted were already familiar, that was because "I specifically chose published source documents to allow the reader to readily check every statement of fact, rather than write unsupported opinion." And he cites a number of references to support the argument that the principal reason for the dearth of reported incidents is non- or under-reporting. For example, the U.S. General Accounting Office (GAO) report "Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems" of 2004 estimates that "as much as 80% of actual security incidents go unreported in most cases because (1) there were no indications of penetration or attack, (2) the organization was unable to recognize that its systems had been penetrated, or (3) the organization was reluctant to report."
Similarly Idaho National Laboratory’s 2005 report, "Cyber Incidents Involving Control Systems" states that ". . . the confidential nature of cyber incidents makes it difficult to collect data and project future losses."
Clearly there is a problem in arriving at a reliable estimate of the level of attacks, both successful and unsuccessful, and in assessing how valid is the widely accepted contention that actual incidents are many times more numerous than the few that are reported.
Nonetheless, it is still surprising, for example, that the Repository for Industrial Security Incidents (RISI), which is maintained by Byres Security on behalf of Idaho National Laboratories and logs incidents directly affecting SCADA and process control systems, including those reported in confidence by organizations, currently holds data on a total of only some 150 incidents, according to the Byres web site. Nevertheless that makes it, so it is claimed, the largest known repository of SCADA security data in the world.
Nor is the problem getting any easier. Dickman writes that "Hackers and malware authors have metastasized from teenagers seeking peer recognition to professionals seeking profit within recent years" and concludes that "it is my expectation that we will see more efforts at profit-centered extortion in the future." With organizations and companies almost certainly even more reluctant to admit that they have been blackmailed than that they have simply been attacked, the need for more reliable data on the scale of the threat is even more pressing.
SANS Control Security Training Coming to Houston
SANS Institute will hold ICS Security Training event on June 10-15 in Houston
Compressor Controls: Saudi Aramco Buys First GE Compressor Control Systems
Saudi Aramco has purchased advanced compressor control technology from GE for the Haradh GOSP-1 facility in Saudi Arabia's Eastern Province.
ISA Training Through June in Houston
Technician training, engineering survival and SIS boot camps for condensed, intense, comprehensive educational experience.
NIST Releases Initial Cyber Security Framework Comment Analysis
The National Institute for Standards and Technology has released an initial analysis of the hundreds of comments by industry and the public they have received on the Obama Administration's "Improving Critical Infrastructure Cyber Security" executive order.
Past Time to Upgrade Your DCS?
Upgrading Your DCS: Why You May Need to Do It Sooner Than You Think
Metso Provides New Heating Solution for Finnish Utility
Finland's largest pellet-fired heating plant produces environmentally friendly energy in Tampere
K-BIM Consortium Selects Siemens' Parasolid for New AEC Applications
-BIM, a consortium of commercial, academic and government organizations wants the new application suite to help create a national standard for building information management (BIM)
Friday p.m. Wrap-Up:This Week on ControlGlobal and Elsewhere
Some of the week's biggest stories in process automation
What's Bad Weather Costing Us?
U.S. taxpayers paid nearly $100 billion responding to damages caused by last year’s extreme weather events associated with climate change, about $1,100 per taxpayer, according to an analysis by the Natural Resources Defense Council (NRDC).
BP, Shell, Statoil Raided by EC
European Commission investigators raided the offices of oil companies BP, Royal Dutch Shell and Statoil as well as data collector Platts as part of a larger inquiry into price manipulation of the global crude market.
- All news »
Access the entire print issue on-line and be notified each month via e-mail when your new issue is ready for you. Subscribe today.
- Featured White Papers