The Advanced Persistent Threat and Industrial Control Systems – does it make sense

March 22, 2010

Digital Bond’s Dale Peterson, SANS’s Alan Paller, and others have been sounding the alarm about Advanced Persistent Threats affecting the electric power industry. APTs are sophisticated and organized cyber attacks that access and steal information from compromised computers. The attack techniques used by APT intruders are not very different from those of any other intruder; the main differentiator is the APT intruder’s perseverance and resources. They have malicious code (malware) that circumvents common safeguards such as anti-virus. The recommended mitigation is detection, collection, analysis, and remediation.

These warnings sound ominously similar to last year’s Wall Street Journal article about the Chinese and Russians being in the power grid. Addressing APT threats makes sense in the traditional IT domain and at the SCADA and DCS master stations, which are essentially IT systems. However, APT attacks don’t make as much sense for field devices. First, many utilities are not even looking at field devices, as many of these systems are not considered NERC critical assets. Secondly, detection and collection are difficult at best when minimal (if any) cyber forensics exist for these systems. Thirdly, it is not clear what cyber attack signatures against field devices look like. Those yelling the most appear to be unaware that many of the most significant ICS cyber incidents that have occurred are not the sexy IT attacks they keep trying to prevent. In fact, many of the most significant ICS cyber incidents to date did not involve the Internet. Even more troubling, many of these critical cyber incidents, including those that killed people, caused nuclear plant shutdowns, and caused widespread power outages, did not violate any IT security policies.

Let industry develop the appropriate forensics and security at the field device layer and actually look before crying wolf. My book will help to provide clarity about these types of issues.

Joe Weiss
