Malicious vs unintentional cyber incidents - why it is necessary to include unintentional incidents

Aug. 10, 2010

I want to address an issue from Dale Peterson’s Digital Bond website – the difference between unintentional incidents and malicious attacks that arose from my blog about the BP oil spill being a control system cyber incident. Matt Gibson states: “I and many of my colleges (sic) would agree that malicious and non-malicious cyber events should be kept separate. This dichotomy is important as we transition to a regulated cyber security environment with mandatory reporting. The operational focus and response to a malicious attack is vastly different than a non-malicious. In terms of time scale, correlations of multiple attack vectors and actors, coordination with physical security response and potential national security response malicious attack will involve much different stakeholders. Further, effective corrective actions must take into account any “intent” related to the failure of a system because a failure driven by a malicious attack has a fundamentally different failure mode than a non-malicious equipment malfunction, design fault, or improper operation because intent skews the probability and consequence of an event in the negative direction. We really need to start training the ICS community that these two types of incidents are different and each requires a different response and reporting protocol (even though many of the response tasks are very similar) and save our emotional energy for practical security and relability (sic) solutions.”

There are a number of issues to be addressed in Matt’s response. As Matt is from a nuclear utility, I am including a nuclear industry perspective. The nuclear plant security rule (10CFR 73.54) mentions cyber attack, but Regulatory Guide 5.71 offers clarification and states:
- For systems within the scope of 10 CFR 73.54, this RG 5.71 provides a comprehensive approach to comply with 10 CFR 73.54 for cyber security, by using the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 3, “Recommended Security Controls for Federal Information Systems”. 
- The Regulatory Guide defines a cyber attack as: The manifestation of either physical or logical (i.e., electronic or digital) threats against computers, communication systems, or networks that may (1) originate from either inside or outside the licensee’s facility, (2) have internal and external components, (3) involve physical or logical threats, (4) be directed or non directed in nature, (5) be conducted by threat agents having either malicious or non malicious intent,… 
As NIST addresses malicious and unintentional cyber incidents and the definition of cyber attack includes non malicious intent, unintentional incidents need to be addressed.

For all industries:
- It is difficult to identify an incident as cyber at all, much less to distinguish whether it is malicious or unintentional - there were almost 20 malicious cyber attacks against the Maroochy waste water system before it was diagnosed as a cyber attack. At best, there is minimal logging for control system cyber incidents. The Stuxnet worm targeting Siemens PLCs was disclosed July 22nd. Since that time, the cyber research experts have told a continuously changing story about the worm and its payload. Last Tuesday, Industrial Defender held a webinar on Stuxnet. The recent Symantec security response dated August 6th (http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices) provides a completely different scenario. This demonstrates that it can be a significant period of time before we understand what is happening, independent of whether it is malicious or unintentional. The failure modes from a malicious attack and an unintentional incident are often the same. Skilled attackers can make the incident look non-malicious, especially if motivated by such ill-advised policy. Additionally, an unintentional incident can be exacerbated by malicious actions, making it even more severe. Consequently, how would the response be different for a malicious attack compared to an unintentional incident? The right question to ask is whether it is possible to identify the incident as cyber.

- How is it possible to identify “intent” without actually having interviewed the person responsible? You can’t get inside the perpetrator’s head to determine motivation; lots of errors and omissions are careless acts (such as stepping out for a smoke). Often it takes skilled investigators days or weeks of analysis to determine the source of an incident. You don’t have the time or ability to determine intent.

Unintentional impacts have been shown to be significant (see Bellingham, Deepwater Horizon, Florida Outage, DC Metro, …). ISA99 includes both malicious and unintentional cyber threats. I agree with Matt – partly. We really need to start training the ICS community, not that these two types of incidents are different, but about ICS cyber security. Industry obviously needs appropriate training, and nuclear needs to be out in front.
Joe Weiss
