Friday, October 29, 2010

Reader Comments 10-28-10 ICS Security

Yesterday’s posting on who is responsible for ICS security has attracted more response than any other blog that I have written over the last three years. There have been two comments posted on this site from an anonymous reader, a couple of comments over on the SCADASEC list, a blog post over on, and at least one Tweet. The comments have been generally positive, but they do point out some issues that were not adequately addressed in the original blog.

Not Likely to be Attacked

My anonymous reader and a commenter over on SCADASEC had nearly identical responses to my comment that the local widget manufacturer was unlikely to be attacked by terrorists. They noted that the local widget manufacturer was more likely to be “the victim of a successful attack than a major installation” because it would be less likely to be adequately protected due to resource issues.

Vulnerability is not typically the key factor in determining who is likely to be attacked by terrorists. One of the key factors considered in terror target selection is the consequence of the attack. While this assessment will be made based upon differing values depending on the terror group involved, we can make the general statement that the more spectacular the result, the more likely the facility is to be targeted. Once potential targets are selected, the question of vulnerability is raised; more vulnerable spectacular targets are most likely to be attacked.

Having said that, I must agree that everything is a potential terrorist target. There are just too many terrorist groups out there to be able to judge in advance all target selection criteria. An al Qaeda group is more likely to attack an Israeli-owned widget manufacturer than an Iranian-owned chemical plant. Still, the likelihood of the average widget manufacturer being targeted is much lower than that of the large chemical plant; there just isn’t enough potential political gain from attacking the admittedly weaker target.

But the point I was making in my blog was that a complete reworking of our SCADA systems to a more secure, non-Windows platform, would be a very expensive undertaking. Spending that money would not be a reasonable response at the widget manufacturer. The expense would be much greater than the reduction in risk would justify. That doesn’t mean that the widget manufacturer shouldn’t take security measures; just that those measures don’t need to be as elaborate. This is the whole basis for risk-based security procedures embodied in CFATS.

To use an extreme example for illustrative purposes, let’s look at political kidnappings. In Mexico, it is becoming more common for various drug cartels to use kidnappings to convince the local governments to look the other way when it comes to anti-cartel law enforcement. Now everyone in Mexico is a potential target for these kidnappers, but Mayors are much more likely targets. It is reasonable to provide extensive personal security measures to Mayors, but the same measures would not be reasonably provided to street vendors.

In a similar vein Walt Boyes over at notes “Couple of things he says, though, should be taken issue with. One is that not every industrial facility with a control system needs to worry about an attack. He specifically mentions food processing.”

Obviously I wasn’t as clear as I had hoped when I asked: “How about food processing companies or drug manufacturers?” I was juxtaposing auto manufacturers and food processors, two types of manufacturers that have not been much mentioned in public terror target discussions. I certainly think that, given the very public food recall issues in recent years, we certainly must consider food and drug manufacturers to be potential terror targets; though probably not as high a risk as a petrochemical facility but more at risk than an auto parts supplier. There is a continuum of risk to consider.

Other Attacks

Walt also pointed out that I ignored two other types of ‘assaults’ on industrial control systems, insider attacks and accidental cyber incidents. Both of these should certainly be of concern to process control system developers and the system users. The latter concern is not an attack and the former is not a terrorist attack. As such they require different types of preventive measures than terror attacks.

Walt and Joe Weiss have long been proponents of paying as much attention to the issue of accidental control system upsets as to potential terrorist attacks. Such problems are certainly much more likely to occur at any given facility than a terror attack, and are infinitely more common than any terror attack. Walt and Joe argue that the vulnerabilities demonstrated in these incidents are illustrative of the potential risks of a terrorist attack. Besides, their relatively common occurrence demands its own preventive response. I certainly agree with both of these points.

At the risk of being accused of using a buzzword, I think that control systems need to be made much more resilient. Making sure that these systems are less likely to accidentally cause severe, life-threatening incidents should be a priority for vendors. Many of the resilience enhancing measures would also help protect against terror attacks, but should not have to rely on counter-terror issues to be considered. Remember, the widget manufacturer is probably more likely to be affected by these problems than the large chemical manufacturer because of the lack of trained programming staff.

While many of the counter-terror security measures would also provide some measure of protection against an insider attack by a disgruntled employee (or terrorist associated employee, which may be the same thing in some instances) the protective measures that will be most effective will have nothing to do with counter-terrorism measures. They include proactive employer-employee relations, active problem resolution mechanisms, access to counseling and mental health services as well as supervisor training to recognize potential problem employees.

9/11 References

Matt Franz had an interesting Twitter® comment about the blog post noting that “I could use one less 9/11 reference”. I must admit that, on reflection, three separate references to 9/11 in a single blog post might be a bit much. As a writer, the phrase is such good shorthand for a wide variety of ideas that it has almost become a cliché.

One thing that we must never lose sight of, though, as we ponder counter-terror security measures is that 9/11 is a bright-line boundary in the history of counter-terrorism in the United States. Before that date most Americans, including politicians and industrial planners, considered terrorism to be an overseas threat, not something to be seriously worried about here in the ‘good ole USofA’.

Before that date the terror attacks had been the purview of lone wackos like McVeigh or Kaczynski; random events that most people wouldn’t get any more concerned about than being involved in a car wreck. The foreign attacks were considered to be more of a joke than a real threat (A truck bomb to bring down a skyscraper? Get real. Contaminated salad bars in Idaho? Come on.). After that date, the terror threats that the rest of the world had been dealing with for decades were finally real to most Americans.

One final point about 9/11: security professionals and politicians think very seriously about the American public’s response to the 9/11 attack. Americans were upset at the lack of protection they had been provided against such an attack, almost as upset as they were about the attack itself. Everyone knows that there will be serious political blood-letting if there is another major attack on US soil. And, the security community knows that such an attack is almost inevitable.

Francis Turner reminds us in his posted comment of this quote from Admiral Mike McConnell, the former head of the NSA and former DNI; “The USA will do nothing to stop cyber attacks until a large attack against the country is successful – and at that point the government will step in and do the wrong thing”. Violent knee-jerk reactions are usually painful.

More Discussion Needed

While it is certainly good for this writer’s ego to see this blog post being discussed so widely, it is even more important that more people be brought into the discussion. Providing serious protection to the highest risk control systems is going to be very expensive and even the lower risk systems are going to need costly upgrades to provide the minimum level of terror-attack preventive measures.

What level of protection is needed is a very important discussion to have, important at the corporate level, the community level, and the national level. Make no mistake about it, the average American is going to have to pay for the protection. The payments will be made in higher prices, higher taxes, or more likely both. This is why this should be an important political discussion not just a technical conversation.

As an industry, as a community, we need to push the discussion outwards to the political arena. If we don’t, we will be forced to shoulder the blame after the attack. We will be held accountable by the American public and their politicians.
