Economic research and the cost of incidents – do we need it

Jan. 26, 2009
After hearing Ross Anderson's contribution to S4, Éireann Leverett used the SCADASEC listserv to ask whether more economic research needs to be done within the SCADA security community, particularly on the cost of incidents. He additionally asks whether, if we get some good data on the cost of poor software security, that data will be persuasive enough to bring about the right changes.

"There has been work by EPRI and the Cyber Consequence Unit to quantify the potential economic impacts of cyber attacks. Additionally, I had Bryan Singer give a presentation on his economic impact experience at a previous Control Systems Cyber Security Conference. The attendees thought it was good, but it had almost no impact on additional security funding when they got back to their offices. These types of numbers fall on deaf ears as most senior management simply don't believe it is real. The classic example is the NERC CIPs, where there is little desire by industry to actually secure the infrastructure; it is simply a compliance game.

This leads to the fundamental issue: lack of a CERT for control systems. I recently was informed of two more control system cyber incidents; these were with brand new control system retrofits. However, like more than 100 other incidents in my control system incident database, they are not public. There have been some VERY significant economic impacts because of control system cyber incidents. However, they are often not even recognized as cyber incidents.

The bottom line is there is simply no perceived economic driver to address industrial control system security without strong government regulations. I believe the nuclear power industry will be the leader, as the Nuclear Regulatory Commission is taking strong steps to require a viable control system cyber security program. This subject will be discussed at the 2009 Control System Cyber Security Conference."

Joe Weiss