What is Control System Cyber Security and Why is it so Pervasive and Important

Sept. 19, 2007

What is cyber security? According to the National Institute of Standards and Technology (NIST), a Cyber Incident is an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability (CIA) of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Incidents may be intentional or unintentional. (FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006.) What is important about this definition is that it addresses intentional or unintentional events, actual or potential compromises of CIA, or violations or imminent threats to CIA.

Why do we care? Cyber threats to Industrial Control Systems (ICSs) are real. Even though organizations are unlikely to report incidents, there have been more than 90 cases (intentional and unintentional) in all industries. Effects range from trivial to significant equipment and environmental damage to deaths. Almost every time I have given a presentation on control system case histories, I have had at least one person approach me with another case history that has not been reported. The business case for addressing control system cyber security is a combination of maintaining reliability and availability, reducing corporate liability, and maintaining regulatory compliance. It is irrelevant whether the cyber event is intentional or unintentional; the business impact is the same. Shutdown of manufacturing facilities and power plants, damage to major plant equipment, and loss of power to large swaths of customers are worth a lot of money, yet senior management doesn't see this as an important area. What are we missing?

Are we getting better? I don't believe so. In the electric industry, the NERC CIP Cyber Security Standards are arguably making utilities LESS secure. It is the reason that the Federal Energy Regulatory Commission (FERC) had to issue a Notice of Public Rulemaking (NOPR). The nuclear utilities have continued to shun non-nuclear cyber security activities even though the non-nuclear organizations have significantly more experience and expertise. Water (with very few exceptions), like nuclear, is nowhere to be found either.

Why is it such a big deal? This is a very difficult, arcane, and complex problem. We are still in the infancy of understanding the issues. Many vendors and consultants are pushing IT solutions which are actually making things worse. Additionally, almost all new instrumentation and control systems are now digital, many with built-in cyber vulnerabilities. Topping that, corporate has discovered that control system data is important and they want access to it. Even worse (because they are often such a sieve), our regulators want access to the data. What this means is that it will be significantly more challenging to secure our future systems.
