How should a cyber incident be defined for ICSs

 This discussion follows one from months earlier by Walt Boyes on functional security.

As a result of the San Bruno natural gas pipeline failure, I have a had a number of conversations with people on the definition of  "cyber incident".  What is clear to me is that using the term "cyber" which in the IT world connotes a malicious attack can mean something totally different in the ICS world.  While the term "cyber" may be appropriate for the Windows-based HMI, some people feel it may not be appropriate for the field devices which are generally not Windows and often not connected to the Internet. There are similar discussions within the IT community on non-Windows computers (eg, Linux) and non-IP-based communications (eg, X.25). Rather than denial of service, the ICS world worries about denial of function, loss of operator view, etc.  These failures, intentional or not, can have devastating consequences. Often it is not possible to distinguish between an unintentional incident and a malicious attack. Currently, the NIST definition states that electronic communications between systems that affects C,I, or A is a cyber incident.  The Hatch nuclear plant, Browns Ferry, Bellingham, and DC Metro incidents to name just a few were cyber incidents by this definition as was San Bruno.  Do we need a new ICS term in place of the term "cyber"? Do we need to redefine what is meant by Integrity to include design deficiencies? These are all good questions and I expect this discussion to go on with the revision to ISA 99.01. These issues will get even worse in the future. Let's not forget the goal which is to ensure ICSs operate in a safe, reliable manner.

Joe Weiss