What is cyber?

I wanted to address an issue that causes great confusion – what is cyber? Cyber is not just a 12-year-old pimply-faced hacker sitting in front of a computer drinking Dr. Pepper and writing malware. Moreover, cyber does not have to be an intentional attack.

According to NIST, a cyber incident is an occurrence that actually or potentially jeopardizes the Confidentiality, Integrity, or Availability (CIA) of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Incidents may be intentional or unintentional. (FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006.) What is important about this definition is that a cyber incident can be intentional or unintentional, an actual or potential compromise of CIA, or a violation or imminent threat to CIA.

To date, most control system cyber incidents have been unintentional. However, these unintentional incidents have shut down industrial facilities (including nuclear plants), caused significant equipment damage, and even killed people. As mentioned in previous blogs, cyber incidents are not just exploits of traditional IT vulnerabilities such as buffer overflows. Cyber incidents also occur at, and between, devices and systems because of how they are connected. Consequently, cyber is a reliability issue, not just a security issue, and needs to be addressed accordingly. What we need is a new definition to describe impacts on electronic communications between systems, whether they be intentional or unintentional.

Joe Weiss


Comments

  • Here is my take. I define cyber security as a condition of a machine or plant where foreseeable failures, manipulations, or manipulation attempts of automation equipment, control systems, or data networks can cause no or only insignificant damage.

    In turn, cyber insecurity is a condition of a machine or plant where foreseeable failures, manipulations, or manipulation attempts can – and will – cause significant damage.

    Three things about this definition worth noting:

    1. Years ago, IT folks (my principal suspect is Jaron Lanier) stole the term cyber from us. It’s time to take it back. It’s time to remind folks that the successor of cybernetics is not the latest Microsoft operating system, but contemporary control systems.

    2. There is no reference to CIA. It’s not needed, and, according to my experience, it isn’t even helpful. What matters about security is damage and its prevention. CIA refers to very abstract concepts with no price tag attached. But: No price tag, no damage. Besides, electrical and process engineers, maintenance staff, quality experts etc. more often than not don’t worry about data and their CIA. They worry about physical/chemical/logistic problems that do have a price tag attached. Most of the time, it is these people who we are working for, not the fellows in the IT department. Most of the time, they are the ones who care, and who seek some expert advice on what they are beginning to understand as security problems. It is only fair to use their language.

    3. The definition includes prediction. Like it or not, there is a predictive aspect in any security-related concept because whenever we try to prevent damage, we must have an idea about what damage to expect. Unfortunately this is more an art than a science. On the other hand, once we have an idea about the misfortune around the corner, it can be determined fairly scientifically if these anticipated problems CAN cause significant damage (i.e. worth preventing, taking into account the cost of appropriate countermeasures) or not.

    Terminology is important. In our case, it is even more important than with other engineering issues. Check out what marketing people refer to as positioning. We must make clear what we are referring to so that people understand AND BUY what we’re telling. You are damn right that cyber (security) is a reliability issue. However, it is even more than that. It is also a quality issue, a safety issue, a business continuity issue, a you-name-it-issue. This is the message that we ought to bring across. Anybody who comes up with a definition that serves this purpose better than mine, be my guest. It’s a shame that after all these years, we still haven’t got a thesaurus of well-agreed-upon definitions. Risk, threat, vulnerability, cyber, … as long as we continue to use fuzzy definitions of such terms in the community, it’s absurd to complain about the sorry state of security that we encounter in the field.
