I had the opportunity to listen to the Oct 21, 2009 Control Engineering podcast on “Recovery from a Cyber Incident” with Kevin Staggs, Shawn Gold, and Andrew Wray from Honeywell. It was very well done. The assumptions were that forensics would be available to identify a cyber incident and that emergency plans would be activated when the cyber incident was identified.
Last month at the Applied Control Solutions Control System Cyber Security Conference, I had two control system engineers from two different companies that had installed new DCSs early this year talk about their lessons learned. They used different vendors. Each had already experienced a number of cyber incidents. In one case, it actually shut the plant down. In all instances, the logging from these new control systems was not adequate to identify "who" or "when". In the more than 140 control system cyber incidents I have identified, none were explicitly identified by the affected party as “cyber”. I brought this issue up at the DHS ICSJWG in Idaho Falls when the discussion focused on disclosures. How can you disclose what you don’t know?
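The "who" and "when" test above is easy to turn into a mechanical check. The following is an added example, not code from the original post or from any DCS vendor: it runs a small audit over a batch of control-system event log lines and reports which entries cannot answer who acted, when, and from where. The log format, the tag names, the event names and the account names are all constructed for illustration; real DCS and historian logs differ by vendor, so the parser and the list of actor-initiated events would need adapting.

```python
"""
Audit control-system event log lines for attribution fields.

Added example; the key=value log format and all sample values are
constructed, not taken from any real product.  The check asks the
question raised in the post: can each entry answer "who" and "when"?
"""
from datetime import datetime
import re

# Constructed sample: a mix of well-formed and attribution-poor entries.
SAMPLE_LOG = """\
2009-10-21T14:02:11Z event=setpoint_change tag=FIC101.SP old=50.0 new=75.0 user=op_smith src=hmi-03
2009-10-21T14:02:40Z event=controller_mode tag=TIC205 old=AUTO new=MAN src=hmi-03
event=setpoint_change tag=PIC330.SP old=12.5 new=9.0 user=eng_jones src=eng-ws-1
2009-10-21T14:05:02Z event=download tag=CTRL7 user=SYSTEM
2009-10-21T14:05:03Z event=comm_loss tag=CTRL7
not a log line at all
"""

# Events that a person (or an account acting for one) initiates; these
# must carry a "who" and a "where".  Alarms and comm faults need only "when".
ACTOR_EVENTS = {"setpoint_change", "controller_mode", "download", "logon"}
# Shared or built-in accounts that do not identify a person.
GENERIC_ACCOUNTS = {"SYSTEM", "admin", "administrator", "operator"}
KV_RE = re.compile(r"(\w+)=(\S+)")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return a dict of fields, or None if the line is not a recognisable event."""
    line = line.strip()
    if not line:
        return None
    fields = {}
    first, _, rest = line.partition(" ")
    try:
        datetime.strptime(first, TS_FORMAT)
        fields["timestamp"] = first
    except ValueError:
        rest = line  # no leading timestamp; treat the whole line as key=value
    fields.update(KV_RE.findall(rest))
    if "event" not in fields:
        return None
    return fields


def missing_attribution(fields):
    """List which of when/who/where cannot be answered from one entry."""
    gaps = []
    if "timestamp" not in fields:
        gaps.append("when")
    if fields["event"] in ACTOR_EVENTS:
        user = fields.get("user")
        if user is None or user in GENERIC_ACCOUNTS:
            gaps.append("who")
        if "src" not in fields:
            gaps.append("where")
    return gaps


def audit_log(text):
    """Summarise a log batch: counts plus (line, event, gaps) for weak entries."""
    report = {"parsed": 0, "unparsable": 0, "attributable": 0, "gaps": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = parse_line(line)
        if fields is None:
            if line.strip():
                report["unparsable"] += 1
            continue
        report["parsed"] += 1
        gaps = missing_attribution(fields)
        if gaps:
            report["gaps"].append((lineno, fields["event"], gaps))
        else:
            report["attributable"] += 1
    return report


if __name__ == "__main__":
    result = audit_log(SAMPLE_LOG)
    print(f"parsed={result['parsed']} unparsable={result['unparsable']} "
          f"attributable={result['attributable']}")
    for lineno, event, gaps in result["gaps"]:
        print(f"line {lineno}: {event} cannot answer {', '.join(gaps)}")
```

On the constructed sample, only the first setpoint change and the comm-loss event are fully attributable; the mode change has no user, the second setpoint change has no timestamp, and the controller download is recorded under a shared SYSTEM account with no source host. Running a check like this against a week of exported logs before an incident, rather than after one, is what tells you whether the forensics the podcast assumed will actually be there.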
I have had discussions with numerous control system suppliers about cyber forensics. Suffice it to say, we have a long way to go. Moreover, the real professionals that deal with cyber forensics have had little involvement with industrial control systems.
On another front, three years ago at the last KEMA Control System Cyber Security Conference, we held an exercise to determine how industry would respond to a cyber incident. There were approximately 125 attendees representing domestic and international utilities, water, chemicals, IT vendors, control system vendors, and governments. The attendees were broken into 5 groups with similar representation in each group. Each group was then given the same scenario of a threat to hack critical control systems. Each group ended up paralyzed. That is, each group had people that wanted to immediately initiate the emergency plan and either isolate or shut down the threatened control systems. Each group also had representation that didn’t want to do anything, including even informing senior management about the threat, until more information was available.
What will really happen is anyone’s guess.
Joe Weiss