RISI Established: nongovernmental organization to collect and investigate industrial cyber security incidents

July 20, 2009

Joe Weiss and I have been pushing for several years for an NGO to operate as a CERT for Control Systems. There are many disparate databases of information in both the public domain and the private domain...including classified information in the DHS CERT for Control Systems...but there is no public repository of actual incidents. Until now. John Cusimano, of exida, Eric Byres of Byres Security div. of exida, Todd Stauffer, also of exida, Aris Espejo of Syncrude Ltd., Eric Cosman of Dow Chemical Company and I have been working on this for several months. Weiss, Byres, Cosman, Stauffer, Mark Fabbro of Lofty Perch, Espejo and I are the members of the Advisory Board for RISI.

We now have our NGO CERT for Control Systems. Report incidents now! 


SELLERSVILLE, PA (July 20, 2009) – The newly formed, non-profit Security Incidents Organization™ today announced it will provide public access to The Repository of Industrial Security Incidents (RISI).

RISI is an industry-wide repository for collecting, investigating, analyzing and sharing critical information regarding cyber security incidents that directly affect SCADA, manufacturing and process control systems. With over 150 incidents, RISI is the largest known collection of industrial cyber security incidents. Modeled after similar safety incident databases, RISI provides subscribers with reliable information that allows them to learn from others’ experiences, understand the risks associated with industrial cyber-threats and adapt their current security policies in step with changing industrial cyber-security dynamics.

RISI has a history dating back to early 2001, when academic researchers developed a database called the Industrial Security Incidents Database (ISID). In 2008 several private cyber security experts, building on ISID, began collaboration on the RISI project with a goal of making the information available to the entire industrial automation community.

The Security Incidents Organization was established in 2009 to fulfill this goal by operating the RISI database, researching incidents and making the results of that research publicly available. For more information about The Security Incidents Organization or RISI log on to

About the Security Incidents Organization:
Founded in 2009, the Security Incidents Organization is a 501(c)(3) non-profit organization whose mission is to collect, investigate, analyze and share critical information regarding industrial cyber security incidents on a nondiscriminatory basis.

Security Incidents is guided by an Advisory Board comprised of leading industrial automation users, consultants and suppliers.