Joe Weiss' Unfettered blog posts incite responses from Control magazine readers

Feb. 20, 2020
Reader feedback: February 2020

With reference to Joe Weiss’ “Unfettered” blog post about the importance of keeping track of control systems' cyber incidents:

I began being concerned about control system cybersecurity long ago, back in the days where everyone thought "Who would bother?"

We have a long way to go to catch up, but bringing it out into the open with databases, where people can compare their incidents with previous occurrences would be a step towards raising awareness. As everyone knows, Stuxnet was the bellwether event that pointed out we were as vulnerable as any other computer-based system. But because of corporate concerns and internal policies, most are not aware of exactly how widespread that vulnerability truly is. Keep up the good fight.

Paul Butchart

With reference to Joe Weiss' "Unfettered" blog post about our review of cyber events in the water industry, thanks a lot for your interest in our work and for stimulating the discussion.

As one of the authors of the review paper, I'm adding my answers to the issues you raised, hoping they clarify things for the readers of your (interesting) blog.

1. It's true that edge devices can also be attacked. Indeed, I co-authored several papers that explicitly consider this problem. I also developed a software toolbox that, among other things, allows you to simulate attacks on edge devices, such as manipulation of sensor readings. This work has been cited in our review paper. That said, all the incidents we reviewed did not feature any direct attack on edge devices like the one you mentioned, and that's why we put the emphasis on network attacks instead.

2. At the end of the subsection on “Defense models,” we explain the similarities between IT and OT security controls, and suggest how we can categorize OT controls in standard IT CIS. Our focus is not to propose a new CIS category for OT.

3. There's no unwritten assumption regarding attack detection. Indeed, we specifically wrote “that many attacks go undetected.”

4. We do cite a piece in Wired from Zetter (2011) that was published one day after your blog post (Nov. 18) and features an interview you had with them. We did not find any reputable source that claimed that the Illinois incident was real after it had been identified as a false alarm. Similarly, we did not find any source claiming that the Kemuri incident was a myth. Did we miss something important released by independent and reputable sources on these matters?

5. Most of our reported incidents (with reputable sources confirming) happened in the U.S. Again, this can't be considered a major issue since we were talking about the majority of the reported incidents (not all). Readers can easily figure this out since we also discuss Maroochy, Australia.

Riccardo Taormina
Delft University of Technology