ICS cyber security and plausible deniability

Jan. 1, 2000


Matt Luallen wrote a very timely and cogent article in the December 2013 issue of Control Engineering called “Plausible deniability is not a security strategy”.

For years, too many in the ICS community have lived with the concept of “security by obscurity”. At least in this case, there was the concept of addressing the subject even if it was to dismiss it as a non-problem. I believe way too many people and organizations, particularly in the electric and water industries, have a severe case of plausible deniability - “if I have not heard about it to my face, I do not have to address it.”

Plausible deniability is the root of “compliance” too.

I believe Aurora is probably the epitome of plausible deniability. I personally know of several utilities that have made it clear they will not talk to me about Aurora so they can plausibly state it is not a problem to them.

Who attends (or not) the ICS Cyber Security Conference is another example of plausible deniability. As long as people are not there when discussions happen, they can claim they were unaware and it doesn’t affect them. NERC and the CIP Committee are in this category, as it would be difficult to continue pushing their agenda when it is clearly not adequate to prevent ICS cyber incidents that have already occurred and been openly discussed at the Conference.

However, plausible deniability may have just sprung a leak. The recent Target hack may be the needle causing the leak. Target, seen from their perspective, is the victim. Seen from their customers’ perspectives, Target didn’t do enough to protect their data. Target says they did all they could and are doing all they can after the hack. Unfortunately, plausible deniability will not save them from lawyers. It will also be interesting to see how insurance companies respond to ICS cyber security following the Target hack. One wonders what will happen to the electric utilities when another major cyber-related incident like the 2008 Florida outage or the 2010 PG&E San Bruno natural gas pipeline explosion occurs. Similar to Target, the utilities will claim they met the NERC CIPs and therefore should be held blameless, even though the NERC CIPs are clearly inadequate to protect substations and power plants and there is insufficient ICS cyber security guidance to protect pipelines. The same is true of many industries, not just the electric utilities.

Joe Weiss
