Questions from Senate Hearing Blog

March 25, 2009
Ralph Langer asked two questions about the blog on my Senate testimony that I thought would be of interest to all:
"When can we let Vitek Boden rest in peace?"
"Why NIST? Why not ISA-99?"

"When can we let Vitek Boden rest in peace? If the case proves anything, it's that intentional attacks are extremely rare and result in minor damage. If we forget about Boden, we can still make our point, probably even better. The point is that the risk is bigger by several magnitudes than the Boden case suggests. The point is that right now, aggressive malware targeting control systems might knock out significant portions of various industries simultaneously. The Boden case is misleading."

Dale Peterson in his Friday blog also wants to let the Vitek Boden (Australian sewage spill) case die. There is no argument the Vitek Boden case is "old". However, because there is so little information-sharing (we really do need a CERT for Control Systems), it is one of the very few control system cyber security incidents with specific details. I agree that intentional control system cyber attacks are currently extremely rare. However, with the economy creating so many disgruntled ex-employees, the number of cyber attacks by these people may soon significantly rise to all of our detriment. I believe the Boden case has many relevant lessons that still need to be learned because:

1) It was real with deleterious results: opening a valve resulting in a large sewage spill. Since it was taken to court, there is detailed, public information. The Bellingham, WA gasoline pipeline rupture is probably the only other control system cyber incident with such documented detail.
2) It is similar to several other disgruntled cases that have subsequently occurred, including very recent ones. They are not nearly as well known, which leads to less chance for training and awareness.
3) It was a water case, which is important to get the focus off cyber being just an electric industry problem.
4) It demonstrates several key issues not clearly demonstrated elsewhere, such as defining who is an insider and how soon a control system cyber incident can be identified and mitigation taken.

"Why NIST? Why not ISA-99? NIST makes heavy references to ISA-99, which is also accepted as an international standard, as the adoption by IEC makes clear."

I am a member and strong proponent of ISA S99. There is significant cross-pollination between NIST and ISA. The technical requirements work in ISA99 Working Group 4 (WG4) is drawn directly from the content of the NIST documents. This is because the WG4 members saw the NIST documents as the most complete treatment of the subject. I believe the NIST standards have attributes needed for near-term US regulatory purposes and an ancillary benefit for all industries, domestic and international.

1) The Industrial Control System version of NIST SP800-53 (NIST SP800-53, Revision 2, Appendix I) is currently available, referenceable, and is mandated for all US federal agencies.
2) It is the only document that includes both IT and control systems, which means it has the best chance for getting those two functional areas, currently in conflict at most locations, to work together.

Once ISA 99 Part 4 is complete, it will be referenceable and potentially made into an IEC standard.

Joe Weiss