Wednesday, February 3, 2010
Reader Comment – 02-01-10 Cyber Sec Resp
D3 continued our discussion of responsibility for cyber security education with his recent comments appended to my earlier response. His lengthy response is well worth reading by anyone concerned with general cyber security issues. Unfortunately, our discussion is straying from the cyber security issue of greater interest to the chemical security community: providing security for industrial control systems.

And that is part of the problem with discussions of cyber security. Most people are more concerned about the identity theft, larceny, or industrial espionage aspects of cyber security than they are with ICS security. The reasons are twofold. First, more people understand how these more common topics could affect them personally. The second reason is even more problematic: most people have a hard time understanding how an attack on an ICS could affect them.

The surprising part is that the second issue is prevalent even in the chemical process community. Control systems are arcane tools, used by many but understood by only a couple of people at most facilities. When operators manipulate electronic controls, they don’t understand the sophistication of the communications and decision-making protocols involved. Subtle disruptions of those interactions can have catastrophic consequences.

The problem is magnified by the intended and unintended linkages of the control system computers with the enterprise software that runs the business side of chemical operations. Since the enterprise systems normally have electronic connections that cross the fence line, they potentially allow unauthorized personnel access to the control systems upon which facility safety so clearly relies.

A successful attack on an ICS at a high-risk chemical facility could have a wide range of potential effects. They could be as benign as out-of-spec product. A product spill or release of hazardous chemicals could be the result. A worst-case result could be a catastrophic runaway reaction with safety devices disabled. It would all depend on the knowledge and skill of the attacker.

So yes, general cyber security issues are important, but it is time that we also started taking cyber security issues seriously.