Why SOCs are not comprehensive enough for ICS cyber security

I had a call with a utility senior manager responsible for physical security. The utility operates a security operations center (SOC) and the cyber and physical security operations are in close contact. This is a good plan for IT cyber security where cyber forensics exists and cyber threats can be identified. However, for ICS cyber security, there is a gaping hole. The hole is there are significant shortcomings in ICS cyber forensics. This disconnect can be seen in most cyber security surveys including the 2016 DHS ICS-CERT Summary that focus on networking issues not ICS field device-related incidents. As there are no cyber security or cyber forensics, in process sensors, it is often not possible to tell the difference between an unintentional incident versus a cyber attack. Yet, the impact could be the same. Because of the organizational disconnect, the SOC generally is not informed when system upsets occur and operational personnel are not trained to identify upset conditions as possibly being cyber-related. Therefore, the SOC is generally unaware of process upsets or outages that could be cyber-related. Yet, ICS cyber security is cross-functional and needs to be treated that way. Currently, it is the exception rather than the rule when Operations, cyber security, physical security, and risk management organizations coordinate. For this reason, I supported the International Atomic Energy Agency (IAEA) to provide scenario-based training for nuclear plant operations personnel to identify potential cyber incidents that were not malware-related to understand when to coordinate with IT. The bottom line is that for ICS cyber security Operations, cyber security, physical security, and risk management organizations need to coordinate and training is required for Operations to know when to work with IT Security following upset conditions.

Joe Weiss