Questions from Senate Hearing Blog

March 25, 2009
Ralph Langner asked two questions about the blog on my Senate testimony that I thought would be of interest to all:

"When can we let Vitek Boden rest in peace?"

"Why NIST? Why not ISA-99?"

"When can we let Vitek Boden rest in peace? If the case proves anything, it's that intentional attacks are extremely rare and result in minor damage. If we forget about Boden, we can still make our point, probably even better. The point is that the risk is bigger by several magnitudes than the Boden case suggests. The point is that right now, aggressive malware targeting control systems might knock out significant portions of various industries simultaneously. The Boden case is misleading."

Dale Peterson in his Friday blog also wants to let the Vitek Boden (Australian sewage spill) case die. There is no argument the Vitek Boden case is "old". However, because there is so little information-sharing (we really do need a CERT for Control Systems), it is one of the very few control system cyber security incidents with specific details. I agree that intentional control system cyber attacks are currently extremely rare. However, with the economy creating so many disgruntled ex-employees, the number of cyber attacks by these people may soon significantly rise to all of our detriment. I believe the Boden case has many relevant lessons that still need to be learned because:

1) It was real with deleterious results: opening a valve resulted in a large sewage spill. Since it was taken to court, there is detailed, public information. The Bellingham, WA gasoline pipeline rupture is probably the only other control system cyber incident with such documented detail.

2) It is similar to several other disgruntled-employee cases that have subsequently occurred, including very recent ones. They are not nearly as well known, which leads to less chance for training and awareness.

3) It was a water case, which is important to get the focus off cyber being just an electric industry problem.

4) It demonstrates several key issues not clearly demonstrated elsewhere, such as defining who is an insider and how soon a control system cyber incident can be identified and mitigation taken.

"Why NIST? Why not ISA-99? NIST makes heavy references to ISA-99, which is also accepted as an international standard, as the adoption by IEC makes clear."

I am a member and strong proponent of ISA S99. There is significant cross-pollination between NIST and ISA. The technical requirements work in ISA99 Working Group 4 (WG4) is drawn directly from the content of the NIST documents. This is because the WG4 members saw the NIST documents as the most complete treatment of the subject. I believe the NIST standard has attributes needed for near-term US regulatory purposes and an ancillary benefit for all industries, domestic and international.

1) The Industrial Control System version of NIST SP 800-53 (NIST SP 800-53, Revision 2, Appendix I) is currently available, referenceable, and is mandated for all US federal agencies.

2) It is the only document that includes both IT and control systems, which means it has the best chance for getting those two functional areas, currently in conflict at most locations, to work together.

Once ISA 99 Part 4 is complete, it will be referenceable and potentially made into an IEC standard.

Joe Weiss
