Who's vulnerable-- is anybody NOT? #pauto #scadasec #pjcoyle #cybersecurity #ics #stuxnet

P J Coyle has an interesting article on his blog:

http://chemical-facility-security-news.blogspot.com/2010/10/who-is-responsible-for-ics-security.html

Couple of things he says, though, should be taken issue with. One is that not every industrial facility with a control system needs to worry about an attack. He specifically mentions food processing. In 2009 at AutomationXchange, in a discussion about cybersecurity one of the attendees said, "I never thought anybody would attack us. We just make [snack foods] for pete's sake! But the guy is now in Federal prison. He was a disgruntled employee."

The other unstated assumption Coyle makes is that any cyber incident has to be externally caused ( i.e., terrorism). There have been over 100 cases where significant harm (including deaths and injuries) have resulted from cyber "oopsies" and the end result of such accidental cyber incidents is essentially indistinguishable from the end result of a cyber terrorist attack.

Much of Coyle's commentary is spot on. But there were those couple of things that were unspoken assumptions that needed to be challenged.