What do 9/11, the Detroit bomber, and ICS security have in common
President Obama laid the blame for the recent Detroit bomber (Umar Farouk Abdulmutallab) fiasco on a “mix of human and systematic failures”. His withering assessment indicated that the extent of the failure is deep and widespread. The same sort of failures in sharing information were cited in the aftermath of the 9/11 attacks. Prior to 9/11, intelligence agencies were unable to connect the dots between disparate clues that alone didn’t seem to add up to much. But when taken together – if only in hindsight – it was clear they had the makings of a huge and sophisticated terrorist plot.
Compare what happened with 9/11 and the Detroit incident to the lack of “connecting the dots” in Industrial Control System (ICS) cyber security. According to my ICS incident database there have been more than 170 control system cyber incidents – many of these of common origins and continuing to recur. There are many government, industry, and commercial organizations providing guidance for traditional IT threats – put in firewalls, isolate networks, etc. However, there is no guidance on what to do or even what to look for to prevent ICS-unique cyber incidents. And, it is ICS-unique cyber incidents that have caused some of the most significant cyber events to date including those that have killed people, and caused major outages and equipment impacts.
ICS cyber incidents are difficult to detect and prevent because:
- There is still limited use of ICS-unique policies and procedures to prevent incidents,
- The work force still is not trained to detect ICS-unique cyber incidents (this is not what IDS/IPS monitor),
- ICS cyber forensics are still lacking in even some of the newest systems, and
- Industry is still in denial about ICS security.
The Bellingham, WA pipeline rupture that killed three people and the Maroochy sewage spill incidents are the two most comprehensively documented ICS cyber cases. There were a number of “red flags” that were missed (the Bellingham report prepared by MITRE is on the NIST website and we presented it at RSA in 2008). Many of the non-publicly identified ICS cyber incidents also had red flags that were missed. Does that sound similar to 9/11 and Detroit? As for continuing industry denial, Mike Assante’s April 9th letter criticized the utility industry for its failure to identify Critical Assets, and the Control Engineering survey results from December 22nd had almost 25% of the respondents stating that ICS cyber threats are not a risk to their business. Complicating this is the headlong dash for Smart Grid, which will create an untold number of cyber vulnerabilities while ICS cyber experts remain scarce (see 12/29/09 blog). One can only hope government and industry take ICS cyber security seriously before consequences are unrecoverable. And make no mistake, ICS cyber incidents can cause consequences such as loss of electric power for months or major toxic releases.
Joe Weiss

On Dot Connecting
A few thoughts, first your comment:
<cite>Prior to 9/11, intelligence agencies were unable to connect the dots... </cite>
I think a more accurate assessment of the time would be 'intelligence agencies were forbidden to connect the dots' as it was not legal for the agencies to share information with each other - or that in sharing the information they would compromise their legal standing with it in court. Now, that has changed and the agencies are now able to share information. But now, even with the sharing, the dots were not connected.
Second then, doesn't this all get into the general concept we have read about here with Knowledge Management (KM) -- turning lots of information into knowledge that can be used for decision making. It seems like the same discussion to me.
There was an incident with a big retail pricing error (or something like that) and people were asking - "isn't there someone checking for mistakes (or for connectable dots)?" - But checking for errors is against LEAN and the idea of don't make mistakes in the first place. With companies downsizing there are no extra people around to do this -- to look through the vast information resources and assemble 'knowledge'. Is this the new role of neural nets and database analysis? Seems we still have a long way to go.
Well that's a few quick thoughts for this for now.