Security definitions - or our own Tower of Babel

May 16, 2007
I wanted to focus on some key definitions that can, and have, created misunderstandings. The term "cyber security" is an IT artifact that does not reflect the need to assure control system reliability and availability. Generally, the term cyber security refers to protection against attackers. For my working definition, the term cyber security refers to all electronic communications that could impact the performance of control systems. This definition includes intentional events (eg, viruses ...
I wanted to focus on some key definitions that can, and have, created misunderstandings. The term "cyber security" is an IT artifact that does not reflect the need to assure control system reliability and availability. Generally, the term cyber security refers to protection against attackers. For my working definition, the term cyber security refers to all electronic communications that could impact the performance of control systems. This definition includes intentional events (eg, viruses and worms), malicious events (eg, hackers), and unintentional events (eg, inappropriate policies and testing). Based on the data I have collected, there have been significantly more unintentional events than intentional ones. Some of these unintentional events have caused significant damage. I believe there will be significantly more unintentional events than intentional events until appropriate awareness, policies, procedures, technologies, training, and testing are in place.   Another misnomer is equating the terms safety, reliability, and security. They are related but not the same. Making a system safe should, but does not mean you have made it cyber secure. As an example, ProfiSafe is actually connected to Profibus making a safety-instrumented system less secure than when it was hard-wired and isolated. Making a system more reliable also does not mean you have made it more secure. Following the Northeast Outage, many "cyber dumb" electro-mechanical switches and relays were replaced with "cyber-alive" intelligent electronic devices which significantly improved system reliability but at the cost of new cyber security vulnerabilities. Unless you specifically address cyber security, making systems safer or more reliable can actually increase cyber vulnerabilities.  

The last definition for this blog is "denial-of-service".  According to Wikipedia, "In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users."  However, this does not really reflect the conditions that could occur in an industrial facility when affected by a cyber event. For example, loss of a variable speed drive that causes a pump to shut down is a "denial of service"; that is, the pump doesn't work. A more subtle case is when cyber events lead to erroneous changes to operator screens. In one sense service has not been lost as the screen is still available; in another sense, it has as the screen is no longer accurate. These types of events may or not have occurred from making computing resources unavailable. They could just as easily have been caused by compromising the computing resources. There needs to be a clear way to describe the impacts when systems or facilities cannot perform their intended function because of intentional or unintentional cyber events.

Joe Weiss

Sponsored Recommendations

IEC 62443 4-1 Cyber Certification – Why ML 3 is So Important

The IEC 62443 Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements help increase resilience for control systems...

Multi-Server SCADA Maintenance Made Easy

See how the intuitive VTScada Services Page ensures your multi-server SCADA application remains operational and resilient, even when performing regular server maintenance.

Your Industrial Historical Database Should be Designed for SCADA

VTScada's Chief Software Architect discusses how VTScada's purpose-built SCADA historian has created a paradigm shift in industry expectations for industrial redundancy and performance...

Linux and SCADA – What You May Not Have Considered

There’s a lot to keep in mind when considering the Linux® Operating System for critical SCADA systems. See how the Linux security model compares to Windows® and Mac OS®.