President Obama laid the blame on the recent Detroit bomber (Umar Farouk Abdulmutallab) fiasco on a “mix of human and systematic failures”. His withering assessment indicated the extent of the failure is deep and widespread. The same sort of failures in sharing information were cited in the aftermath of the 9/11 attacks. Prior to 9/11, intelligence agencies were unable to connect the dots between disparate clues that alone didn’t seem to add up to much. But when taken together – if only in hindsight – it was clear they had the makings of a huge and sophisticated terrorist plot.
Compare what happened with 9/11 and the Detroit incident to the lack of “connecting the dots” in Industrial Control System (ICS) cyber security. According to my ICS incident database there have been more than 170 control system cyber incidents – many of these of common origins and continuing to recur. There are many government, industry, and commercial organizations providing guidance for traditional IT threats – put in firewalls, isolate networks, etc. However, there is no guidance on what to do or even what to look for to prevent ICS-unique cyber incidents. And, it is ICS-unique cyber incidents that have caused some of the most significant cyber events to date including those that have killed people, and caused major outages and equipment impacts.
ICS security is difficult to detect and prevent because:
- There is still limited use of ICS-unique policies and procedures to prevent incidents,
- The work force still is not trained to detect ICS-unique cyber incidents (this is not what IDS/IPS monitor)
- ICS cyber forensics are still lacking in even some of the newest systems, and
- Industry is still in denial about ICS security.
The Bellingham, WA pipeline rupture that killed three people and the Maroochy sewage spill incidents are the two most comprehensively documented ICS-cyber cases. There were a number of ”red flags” that were missed (the Bellingham report prepared by MITRE is on the NIST website and we presented it at RSA in 2008). Many of the non-publicly identified ICS cyber incidents also had red flags that were missed. Does that sound similar to 9/11 and Detroit? As for continuing industry denial, Mike Assante’s April 9th letter criticized the utility industry for their lack of identifying Critical Assets and the Control Engineering survey results from December 22nd had almost 25% of the respondents stating ICS cyber threats are not a risk to their business. Complicating this is the headlong dash for Smart Grid that will create untold number of cyber vulnerabilities with a scarcity of ICS cyber experts (see 12/29/09 blog). One can only hope government and industry take ICS cyber security seriously before consequences are unrecoverable. And make no mistake, ICS cyber incidents can cause consequences such as loss of electric power for months or major toxic releases.
Joe Weiss
