What Is ICS Cybersecurity – You Don't Need Digital Assets

I am in Las Vegas attending the IEC TC45A Nuclear Plant Cyber Security Standards meetings as a designated US Expert. As mentioned, in my earlier blog, I have a great concern about many people in nuclear (and other) industries only focusing on malicious cyber attacks to the exclusion of unintentional cyber incidents. There is also a prevailing misconception that you need to have a digital system in order to be cyber vulnerable. Older analog systems also have CPUs and signal processing. The recent disclosures about cyber vulnerabilities about HART (4-20milli-amp) protocol makes this issue not just a discussion about unintentional incidents but also brings it into the malicious realm.

As mentioned, the NIST definition of a cyber incident does not mention “digital” nor does it require the incident to be malicious. The latest draft version of NIST SP800-82, Rev 2, “Draft Guide to Industrial Control System Cyber Security” states the following:

“3.5.Consideration of the Potential Physical Impacts of an ICS Incident

Evaluating the potential physical damage from a cyber incident should incorporate:

i)    how an incident could manipulate the operation of sensors and actuators to impact the physical environment
ii)    what redundant controls exist in the ICS to prevent an impact; and
iii)    how a physical incident could emerge based on these conditions.

Determination of the potential impact that a cyber incident may have on the ICS should incorporate analysis of all non-digital control mechanisms and the extent to which they can mitigate potential negative impacts to the ICS. There are multiple considerations when considering the possible mitigation effects of non-digital control mechanisms.”

Yesterday (10/7), I had a conversation a with senior government official that demonstrated a gap in understanding of what is a cyber incident. The official told me he had read my recent blog about TMI (Three Mile Island) being an ICS cyber incident. His response was it couldn’t be because there was no digital assets in TMI in 1979. The “aha” was he did not realize you do NOT need to have digital assets to have a cyber incident. It is important to note this is not a hypothetical situation – ICS cyber security directly contributed to the core melt at TMI.