Economic research and the cost of incidents – do we need it

After hearing Ross Anderson's contribution to S4, Éireann Leverett used the SCADASEC listserv to ask whether we need more economic research within the SCADA security community, particularly on the cost of incidents. He also asked whether, if we get good data on the cost of poor software security, that data will be persuasive enough to bring about the right changes.

There has been work by EPRI and the Cyber Consequence Unit to quantify the potential economic impacts of cyber attacks. Additionally, I had Bryan Singer give a presentation on his economic impact experience at a previous Control Systems Cyber Security Conference. The attendees thought it was good, but it had almost no impact on additional security funding when they got back to their offices. These types of numbers fall on deaf ears, as most senior management simply don't believe the risk is real. The classic example is the NERC CIPs, where there is little desire by industry to actually secure the infrastructure - it is simply a compliance game.

This leads to the fundamental issue – the lack of a CERT for control systems. I was recently informed of two more control system cyber incidents – these were with brand new control system retrofits. However, like more than 100 other incidents in my control system incident database, they are not public. There have been some VERY significant economic impacts because of control system cyber incidents. However, they are often not even recognized as cyber incidents.

The bottom line is there is simply no perceived economic driver to address industrial control system security without strong government regulations. I believe the nuclear power industry will be the leader as the Nuclear Regulatory Commission is taking strong steps to require a viable control system cyber security program.

This subject will be discussed at the 2009 Control System Cyber Security Conference.

Joe Weiss

Comments

  • The cost of incidents may be fuzzy, but still has to be determined at least in approximation in order to do risk management in a systematic way. If you can't assign a dollar figure to it, it doesn't exist. This doesn't change with regulation. Somebody has to pay for all those security efforts, no matter if it's the tax payer, customer, or consumer. The ones who do pay have every right to ask what they are paying for, or what they are getting for their money. If the answer then is something like "we don't know exactly, but we think it is a good idea to spend your money anyhow", regulation can get very questionable, to say the least.

  • I understand why you would be reluctant to share your control system incident database. Can you at least tell us if the incidents were reported to the system manufacturers so they could take appropriate corrective actions?

    It would be interesting to see a summary of the types of incidents.

  • Many of the incidents were due to administrative (people) issues and were not reported to the vendors. Several of the incidents were reported to the appropriate vendors. In fact, some came from vendors. What is also interesting is that very few of the incidents were reported to either law enforcement or the ISACs.

    Joe Weiss
