What do 9/11, the Detroit bomber, and ICS security have in common

Jan. 3, 2010

President Obama laid the blame on the recent Detroit bomber (Umar Farouk Abdulmutallab) fiasco on a “mix of human and systematic failures”. His withering assessment indicated the extent of the failure is deep and widespread.  The same sort of failures in sharing information were cited in the aftermath of the 9/11 attacks. Prior to 9/11, intelligence agencies were unable to connect the dots between disparate clues that alone didn’t seem to add up to much. But when taken together – if only in hindsight – it was clear they had the makings of a huge and sophisticated terrorist plot.

Compare what happened with 9/11 and the Detroit incident to the lack of “connecting the dots” in Industrial Control System (ICS) cyber security. According to my ICS incident database there have been more than 170 control system cyber incidents – many of these of common origins and continuing to recur. There are many government, industry, and commercial organizations providing guidance for traditional IT threats – put in firewalls, isolate networks, etc. However, there is no guidance on what to do or even what to look for to prevent ICS-unique cyber incidents.  And, it is ICS-unique cyber incidents that have caused some of the most significant cyber events to date including those that have killed people, and caused major outages and equipment impacts.

ICS security is difficult to detect and prevent because:
- There is still limited use of ICS-unique policies and procedures to prevent incidents,
- The work force still is not trained to detect ICS-unique cyber incidents (this is not what IDS/IPS monitor)
- ICS cyber forensics are still lacking in even some of the newest systems, and
- Industry is still in denial about ICS security.

The Bellingham, WA pipeline rupture that killed three people and the Maroochy sewage spill incidents are the two most comprehensively documented ICS-cyber cases. There were a number of ”red flags” that were missed (the Bellingham report prepared by MITRE is on the NIST website and we presented it at RSA in 2008). Many of the non-publicly identified ICS cyber incidents also had red flags that were missed. Does that sound similar to 9/11 and Detroit? As for continuing industry denial, Mike Assante’s April 9th letter criticized the utility industry for their lack of identifying Critical Assets and the Control Engineering survey results from December 22nd had almost 25% of the respondents stating ICS cyber threats are not a risk to their business. Complicating this is the headlong dash for Smart Grid that will create untold number of cyber vulnerabilities with a scarcity of ICS cyber experts (see 12/29/09 blog). One can only hope government and industry take ICS cyber security seriously before consequences are unrecoverable. And make no mistake, ICS cyber incidents can cause consequences such as loss of electric power for months or major toxic releases.

 Joe Weiss

Sponsored Recommendations

Measurement instrumentation for improving hydrogen storage and transport

Hydrogen provides a decarbonization opportunity. Learn more about maximizing the potential of hydrogen.

Get Hands-On Training in Emerson's Interactive Plant Environment

Enhance the training experience and increase retention by training hands-on in Emerson's Interactive Plant Environment. Build skills here so you have them where and when it matters...

Learn About: Micro Motion™ 4700 Config I/O Coriolis Transmitter

An Advanced Transmitter that Expands Connectivity

Learn about: Micro Motion G-Series Coriolis Flow and Density Meters

The Micro Motion G-Series is designed to help you access the benefits of Coriolis technology even when available space is limited.