Still no correlation of cyber vulnerabilities to ICS reliability and safety impacts - VW testing is an example

Sept. 22, 2015

Not every ICS cyber vulnerability is critical. ICS cyber security should focus on what can affect ICS or system operation so the end-user can prioritize what threats are important to system reliability and safety.

Many people wonder why there is still such a gulf between the IT and ICS communities about ICS cyber security. One of the continuing major differences between the IT and ICS communities revolve around the issue of cyber vulnerabilities.  IT and security researchers generally continue to view vulnerabilities as “the end result” without understanding the potential impact on control system or facility operations, particularly reliability and safety. RecordedFuture just issued their report – “Web Data Reveals ICS Vulnerabilities Increasing Over Time - Up and to the Right: ICS/SCADA Vulnerabilities by the Numbers”. It is a very interesting and detailed report about cyber vulnerabilities with ICS vendors and their products. However, there is no correlation of the vulnerabilities to actual impact on ICS or facility operations. This same situation occurred at the September 16-17 Silicon Valley Executive Network 2015 Cyber Security Summit in Partnership with MIT. There were a number of panel sessions and discussion about cyber vulnerabilities without any correlation to ICS or facility impacts. This is where my database of almost 750 actual ICS cyber incidents gets to be so interesting. These are all real incidents with real impacts and many do not correlate to the identified cyber vulnerabilities.

The recent disclosure that Volkswagen was cheating on emissions tests was accomplished by utilizing computers in the Volkswagen vehicles. The computers were programmed to recognize specific test conditions, reconfigure pre-designed setpoints to meet emission standards, and then return to as-designed setpoints after the testing was complete. Attackers can implant or modify sensing and/or control system logic to determine when to compromise a system and when to return to normal conditions. This is the approach taken by Stuxnet to damage the centrifuges in the Iranian uranium enrichment facility. Compromising sensing and/or control system logic are the types of ICS cyber incidents that are not traditional cyber vulnerabilities but can have very significant impacts on reliability, safety, and even regulatory requirements. There is one other aspect of the VW case that opens up some new avenues of discussion: the compromise of the computers was  obviously intentional. However, given the current accepted defintion of the term "malicious", would this be considered a malicious, therefore cyber attack? The compromise was obviously done by an "insider". Would this be considered an insider attack considering this was most likely known and sanctioned by at least several layers of management?

Not every ICS cyber vulnerability is critical. ICS cyber security should focus on what can affect ICS or system operation so the end-user can prioritize what threats are important to system reliability and safety.

Joe Weiss

Sponsored Recommendations

IEC 62443 4-1 Cyber Certification – Why ML 3 is So Important

The IEC 62443 Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements help increase resilience for control systems...

Multi-Server SCADA Maintenance Made Easy

See how the intuitive VTScada Services Page ensures your multi-server SCADA application remains operational and resilient, even when performing regular server maintenance.

Your Industrial Historical Database Should be Designed for SCADA

VTScada's Chief Software Architect discusses how VTScada's purpose-built SCADA historian has created a paradigm shift in industry expectations for industrial redundancy and performance...

Linux and SCADA – What You May Not Have Considered

There’s a lot to keep in mind when considering the Linux® Operating System for critical SCADA systems. See how the Linux security model compares to Windows® and Mac OS®.