Why are unintentional ICS cyber incidents important to address?
NIST defines a cyber incident to be communications between systems (or people and systems) that affect confidentiality, integrity, or availability. The NIST definition does not require an incident to be malicious to be defined as a cyber incident. There are several issues associated with unintentional cyber incidents:
- They can cause significant impacts. There have already been four unintentional control system cyber incidents in the US that caused major damage and killed people.
- It may not be possible to tell the difference between a malicious attack and an unintentional incident. As an example, the only difference between the 2008 Florida Outage being a malicious attack and being an unintentional incident was the motivation of the engineer in the substation in removing all equipment protection.
- An unintentional incident can make a system less robust, making it easier to attack.
The following actual case best explains the situation: Engineers at a major brewery thought the company's bottling systems were secured until someone with access logged in and inadvertently changed a timer for a maintenance device on a bottle filler. It was supposed to squirt grease into the bearing every 20 minutes but was changed to once every 8 hours. The bearing soon froze. The line that filled 1,200 bottles/minute ground to a halt, creating a $100,000 loss. The plant engineer stated: "With well-intentioned engineers monkeying around in the automation system, who needs terrorists or disgruntled employees?"