Security definitions - or our own Tower of Babel

May 16, 2007
I wanted to focus on some key definitions that can, and have, created misunderstandings. The term "cyber security" is an IT artifact that does not reflect the need to assure control system reliability and availability. Generally, the term cyber security refers to protection against attackers. For my working definition, the term cyber security refers to all electronic communications that could impact the performance of control systems. This definition includes intentional events (e.g., viruses and worms), malicious events (e.g., hackers), and unintentional events (e.g., inappropriate policies and testing). Based on the data I have collected, there have been significantly more unintentional events than intentional ones. Some of these unintentional events have caused significant damage. I believe there will be significantly more unintentional events than intentional events until appropriate awareness, policies, procedures, technologies, training, and testing are in place.

Another misnomer is equating the terms safety, reliability, and security. They are related but not the same. Making a system safe should, but does not, mean you have made it cyber secure. As an example, ProfiSafe is actually connected to Profibus, making a safety-instrumented system less secure than when it was hard-wired and isolated. Making a system more reliable also does not mean you have made it more secure. Following the Northeast Outage, many "cyber dumb" electro-mechanical switches and relays were replaced with "cyber-alive" intelligent electronic devices, which significantly improved system reliability but at the cost of new cyber security vulnerabilities. Unless you specifically address cyber security, making systems safer or more reliable can actually increase cyber vulnerabilities.

The last definition for this blog is "denial-of-service". According to Wikipedia, "In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users." However, this does not really reflect the conditions that could occur in an industrial facility when affected by a cyber event. For example, loss of a variable speed drive that causes a pump to shut down is a "denial of service"; that is, the pump doesn't work. A more subtle case is when cyber events lead to erroneous changes to operator screens. In one sense service has not been lost, as the screen is still available; in another sense it has, as the screen is no longer accurate. These types of events may or may not have occurred from making computing resources unavailable. They could just as easily have been caused by compromising the computing resources. There needs to be a clear way to describe the impacts when systems or facilities cannot perform their intended function because of intentional or unintentional cyber events.

Joe Weiss
