The difference between the cost of a data breach and the cost of a control system (ICS) cyber incident

In the IT community, the concerns are denial of service or theft of information. According to the Ponemon Institute’s “2010 Annual Study: The U.S. Cost of a Data Breach” prepared for Symantec, the 2010 cost per compromised record of a data breach involving a malicious or criminal act averaged $318, up $103 (48 percent) from 2009. The average organizational cost of a data breach this year increased to $7.2 million, up 7 percent from $6.8 million in 2009. The most expensive data breach included in this year’s study cost a company $35.3 million to resolve.

In the ICS community, the concern is loss of control of the process or loss of operator view, which can lead to physical damage and personal harm. Compare the figures above with the impacts of a control system cyber incident. Replacement power cost for a nuclear plant is $1 million/day, not including any other costs. That's only if the nuclear plant is shut down and no equipment is damaged. If the plant is damaged due to a cyber event, the costs could be immeasurably high in terms of both repair and extended downtime. That also does not take into account the potential forced shutdown of other nuclear plants from a regulatory perspective.

Specific examples of ICS cyber incident impacts:

The 2010 San Bruno natural gas pipeline rupture cost 8 lives (what are they worth?), a CEO and numerous executives, and $400 million and counting.

A second control system cyber incident was the 2008 Florida outage, which led to an 8-hour outage affecting more than 3 million people.

Moreover, an ICS cyber attack could target multiple locations, making the dollar value (not including physical harm) astronomical.

While the Stuxnet issue has focused considerable attention on cyber security in the ICS environment, we still need to move more quickly to secure installed systems. Even more important, we need to secure the design process for hardware and software going forward, and the installation of new systems in greenfield and brownfield applications alike.

As Walt Boyes says, "Security is a safety issue." Safety issues are being addressed more and more by professional risk managers, both in corporations and in insurance companies. ICS security issues should be included as a matter of course in any safety and/or risk audit.


Joe Weiss