I wanted to address an issue that causes great confusion – what is cyber?Cyber is not just a 12-year pimply-faced hacker sitting in front of a computer drinking Dr. Pepper and writing malware. Moreover, cyber does not have to be an intentional attack. According to NIST, a cyber incident is an occurrence that actually or potentially jeopardizes the Confidentiality, Integrity, or Availability (CIA) of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Incidents may be intentional or unintentional. (FIPS PUB 200, Minimum Security Requirements for Federal Information and Information System, March 2006.) What is important about this definition is that a cyber incident can be intentional or unintentional, an actual or potential compromise of CIA, or a violation or imminent threat to CIA.To date, most control system cyber incidents have been unintentional. However, these unintentional incidents have shut down industrial facilities (including nuclear plants), caused significant equipment damage, and even killed people. As mentioned in previous blogs, cyber incidents are not just exploits of traditional IT vulnerabilities such as buffer overflows. Cyber incidents also occur at, and between, devices and systems because of how they are connected. Consequently, cyber is a reliability issue, not just a security issue, and needs to be addressed accordingly. What we need is a new definition to describe impacts on electronic communications between systems whether they be intentional or unintentional.Joe Weiss
