Under-reporting Bedevils Estimates of Cyber Threat

Dec. 2, 2009
Just how few really serious cases have been added to the list of documented incidents over the years?

Our observation, made when we reported the publication of a new white paper from cybersecurity specialist Innominate, that the most surprising aspect of the cybersecurity issue as it relates to process plants and critical infrastructure is "just how few really serious cases have been added to the list of documented incidents over the years" did not go unnoticed.

Frank Dickman, who wrote the original paper, entitled "Hacking the Industrial Network" and downloadable from www.innominate.com/white_paper_registration, emailed us to point out that, while most of the published incidents he quoted were already familiar, that was because "I specifically chose published source documents to allow the reader to readily check every statement of fact, rather than write unsupported opinion." And he cites a number of references to support the argument that the principal reason for the dearth of reported incidents is non- or under-reporting. For example, the U.S. General Accounting Office (GAO) report "Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems" of 2004 estimates that "as much as 80% of actual security incidents go unreported in most cases because (1) there were no indications of penetration or attack, (2) the organization was unable to recognize that its systems had been penetrated, or (3) the organization was reluctant to report."

Similarly, Idaho National Laboratory’s 2005 report, "Cyber Incidents Involving Control Systems," states that ". . . the confidential nature of cyber incidents makes it difficult to collect data and project future losses."

Reliable data

Clearly there is a problem in arriving at a reliable estimate of the level of attacks, both successful and unsuccessful, and in assessing the validity of the widely accepted contention that actual incidents are many times more numerous than the few that are reported.

Nonetheless, it is still surprising, for example, that the Repository for Industrial Security Incidents (RISI), which is maintained by Byres Security on behalf of Idaho National Laboratory and logs incidents directly affecting SCADA and process control systems, including those reported in confidence by organizations, currently holds data on a total of only some 150 incidents, according to the Byres web site. Even so, that makes it, so it is claimed, the largest known repository of SCADA security data in the world.

Nor is the problem getting any easier. Dickman writes that "Hackers and malware authors have metastasized from teenagers seeking peer recognition to professionals seeking profit within recent years" and concludes that "it is my expectation that we will see more efforts at profit-centered extortion in the future." With organizations and companies almost certainly even more reluctant to admit that they have been blackmailed than that they have simply been attacked, the need for more reliable data on the scale of the threat is even more pressing.