Wednesday, February 3, 2010

Reader Comment – 02-01-10 Cyber Sec Resp

D3 continued our discussion of responsibility for cyber security education with his recent comments appended to my earlier response. His lengthy response is well worth reading by anyone concerned with general cyber security issues. Unfortunately, our discussion is straying from the cyber security issue of greater interest to the chemical security community: providing security for industrial control systems.

And that is part of the problem with discussions of cyber security. Most people are more concerned about the identity theft, larceny, or industrial espionage aspects of cyber security than they are with ICS security. The reasons are twofold. First, more people understand how these more common topics could affect them personally. The second reason is even more problematic: most people have a hard time understanding how an attack on an ICS could affect them. The surprising part is that the second issue is prevalent even in the chemical process community.

Control systems are arcane tools, used by many but understood by only a couple of people at most facilities. When operators manipulate electronic controls, they don't understand the sophistication of the communications and decision-making protocols involved. Subtle disruptions of those interactions can have catastrophic consequences. The problem is magnified by the intended and unintended linkages of the control system computers with the enterprise software that runs the business side of chemical operations. Since the enterprise systems normally have electronic connections that cross the fence line, they potentially allow unauthorized personnel access to the control systems upon which facility safety so clearly relies.

A successful attack on an ICS at a high-risk chemical facility could have a wide range of potential effects. They could be as benign as out-of-spec product. A product spill or release of hazardous chemicals could be the result. A worst-case result could be a catastrophic runaway reaction with safety devices disabled. It would all depend on the knowledge and skill of the attacker. So yes, general cyber security issues are important, but it is time that we also started taking ICS cyber security issues seriously.

1 comment:

D3 said...

I absolutely agree with you...industry needs to really pay attention to the single point of failure that is ICS. Much of the enterprise software used by control systems has so-called "signed code" running within it. An attack at that level could go unnoticed for a long time.

That said, it is my experience that before you can teach someone to run, you must first show him or her how to walk. Cyber security is no different--ICS is important (even critical) to our nation's infrastructure. But, as you point out, a lot of the focus has been on "lesser" aspects of security (most of it personal).

I'd submit that identity theft isn't such a big deal anymore. Yes, it's painful and annoying, but it doesn't destroy someone's life like it used to. Add to that the fact that SSNs and credit card numbers sell for pennies (or fractions of pennies) on the open market and you find that there's just not that much incentive anymore.

I don't mean to hijack your blog--I've been reading some of your posts and I like much of what I see. I just think that we in the security industry (whether general or specific) need to observe the entire spectrum of issues.
