ICS cyber security and plausible deniability

Jan. 1, 2000

I believe way too many people and organizations particularly in the electric and water industries have a severe case of plausible deniability - “if I have not heard about it to my face, I do not have to address it.” However plausible deniability may have just sprung a leak. The recent Target hack may be the needle causing the leak. Target, seen from their perspective, is the victim. Seen from their customers’ perspectives Target didn’t do enough to protect their data. Target says they did all they could and are doing all they can after the hack. Unfortunately, plausible deniability will not save them from lawyers.

Matt Luallen wrote a very timely and cogent article in the December 2013 issue of Control Engineering called “Plausible deniability is not a security strategy”.

For years, too many in the ICS community have lived with the concept of “security by obscurity”. At least in this case, there was the concept of addressing the subject even if it was to dismiss it as a non-problem. I believe way too many people and organizations particularly in the electric and water industries have a severe case of plausible deniability - “if I have not heard about it to my face, I do not have to address it.”

Plausible deniability is the root of “compliance” too.

I believe Aurora is probably the epitome of plausible deniability. I personally know of several utilities that have made it clear they will not talk to me about Aurora so they can plausibly state it is not a problem to them.

Who attends (or not) the ICS Cyber Security Conference is another example of plausible deniability. As long as people are not there when discussions happen, they can claim they were unaware and it doesn’t affect them. NERC and the CIP Committee are in this category as it would be difficult to continue pushing their agenda when it is clearly not adequate to prevent ICS cyber incidents that have already occurred and openly discussed at the Conference.

However plausible deniability may have just sprung a leak. The recent Target hack may be the needle causing the leak. Target, seen from their perspective, is the victim. Seen from their customers’ perspectives Target didn’t do enough to protect their data. Target says they did all they could and are doing all they can after the hack. Unfortunately, plausible deniability will not save them from lawyers. It will also be interesting to see how insurance companies respond to ICS cyber security following the Target hack. One wonders what will happen to the electric utilities when another major cyber-related incident like the 2008 Florida outage or the 2010 PG&E San Bruno natural gas pipeline explosion occurs. Similar to Target, the utilities will claim they met the NERC CIPs and therefore should be held blameless even though the NERC CIPs are clearly inadequate to protect substations and power plants and there is insufficient ICS cyber security guidance to protect pipelines. The same is true of many industries, not just the electric utilities.

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...