There are many people that believe an event must be a malicious attack to be considered a cyber incident. There are many reasons why this assumption may not be correct.
According to The Threat Brief, http://threatbrief.com/context-on-the-nyse-wsj-and-united-airlines-issues/ dated 7/9/15: “The computer security industry has long had a philosophical debate on how to define a cyber threat. For many of us, the use of the term Threat is reserved for hostile actors: organizations and individuals that mean to cause harm. But cybersecurity professionals and enterprise CTO’s, CIO’s and business executives must lead in ways that keep the IT up and running and it is sometimes very helpful to have a broader definition of the threat. There are threats to IT that come from natural disasters, for example. There is also the threat of cascading failures due to complexity. And there is the threat of system failure due to overloading. These last types of threats more than likely account for the issues seen 8 July 2015 by United Airlines and the NYSE and WSJ. United Airlines operates a very complex IT system that requires always on, low latency communications globally and when reconstruction is done we believe it will turn out to be that an IT failure caused the issues of yesterday. The NYSE suspension of trading was a huge attention getter and although there is a chance it was an intrusion and we hope this is being investigated, but all indications so far is that this was just a failure. The Wall Street Journal outages may have been caused by the massive flood of people seeking info on the issues at the NYSE and United.”
There are a number of reasons it is wrong to only address cyber attacks such as being done by the NERC CIPs and NEI-0809.
- You want a reliable, safe system regardless of whether the threat is malicious or not.
- There are minimal ICS cyber forensics so it may not be possible to tell whether an incident is unintentional or malicious, assuming the incident is even identified. Considering the vast majority of the 500+ ICS cyber incidents in my database were not identified as cyber, the probability of identifying an ICS incident as cyber is not very high.
- There have been a number of ICS cyber incidents where the only difference between the incident being malicious versus unintentional was the motivation of the individual involved. The impact was the same. Consequently, it is more important to understand the “what” than the “who” to prevent a recurrence.
- Many times, if it can be done unintentionally, it can be done intentionally and often times worse.
- An unintentional ICS cyber incident can “weaken” a system potentially opening a path into what was considered a secure system. Additionally, responders may be so focused on the initiating event they won’t be paying attention to the “secondary infection”.
Cyber threats, whether malicious or unintentional, need to be addressed holistically.