Defining ICS Cyber Security Incidents
Daniel Ehrenreich
Leading ICS-OT-IIOT Cyber Security Expert, Consultant, Workshops Lecturer, International Keynote Speaker
The term "Industrial Cyber Security Incident" means: "Any unauthorized electronic or physical activity, initiated by an adversary internally, externally or through the supply chain, which directly violates the normal industrial process run by the ICS computerized system and threatens the operating Safety, Reliability and Productivity (SRP) of the attacked facility."
We must consider 3 types of attacks:
a) Internal or external attacks aimed directly at the ICS-OT (Stuxnet, Ukraine, Oldsmar, etc.)
b) External IT attacks which affect the industrial operation (Colonial, JBS, etc.)
c) Supply chain attacks, which might happen in any zone.
It is important to emphasize that the majority of attacks affecting industrial operation are of type "b", and in the decade since Stuxnet (2010) we have seen fewer than 25 attacks of type "a".
The "b" type attacks affected the industrial operation not because of the attack itself, but because of a lack of a Business Continuity Plan (BCP) and uncertainty about whether the attacker might have compromised the barrier between the IT and ICS-OT zones.
Leading ICS-OT-IIOT Cyber Security Expert, Consultant, Workshops Lecturer, International Keynote Speaker
3 years ago
I'm not so much worried, Jon S. and Joe Weiss PE CISM CRISC ISA Fellow, about people using the "ICS" term, although I clearly and accurately differentiate among ICS, OT, SCADA, DMS, DCS, etc. Dear all, I'm strongly worried about those who blindly and negligently stick to the never-defined term "IT-OT Convergence". I often receive the comment "that train already left the station". To those saying that, I reply "welcome the attacker to your organization". ICS cyber security is a role for experts who know how to accurately differentiate between IT and ICS and do not let non-experts confuse them.
Founder and CTO at HackNot
3 years ago
There are only TWO types of causes for cyber incidents: 1. Insider or 2. Network/Supply chain. 1. Insider threat is clear: someone, paid or not, infects a certain "trusted" node, and from there it propagates to other ICS network nodes. 2. Malware enters the ICS network from an external node by infecting a "trusted" node. This could be directly by a trusted vendor (in turn, the vendor is infected in one of these ways) or by taking advantage of a vulnerability (a poor design: engineering!). In this sense the diagram is somewhat misleading: the supply chain sometimes delivers updates directly (over the network) to the PLC/RTU. That is the reason why means to defeat malware/hacking also need to be installed directly at the PLC/RTU level! Note: Focusing on solving vulnerabilities is the legacy engineering approach. More focus needs to be put on hardening the design to defeat malware AFTER infection.
Managing Partner at Applied Control Solutions, LLC Emeritus Managing Director ISA99 ICS Cyber Security Pioneer, Keynote Speaker Process Automation Hall of Fame
3 years ago
NIST and US GAO have adequate definitions for cyber incidents (not cyber security incidents), even though the term "safety" was not included. The important point is that it does not have to be malicious (or at least "known malicious") to be a cyber incident. Additionally, the "I" in ICS is too limiting, as "I" means Industrial. There are many organizations that feel they are not affected because they do not consider themselves to be industrial. Additionally, the definitions Daniel lays out are too constraining. As a result, many control system cyber incidents that have caused damage have not been identified as cyber incidents (suffice it to say it is very significantly more than 25, as my non-public control system cyber incident database includes almost 12 million incidents). This is why appropriate control system cyber security training is needed.
Chief Technology Officer | Executive CISO & Cyber Security Expert | Data science & Machine learning Engineer | Biomimicry Engineering
3 years ago
Thanks for sharing.
Industrial cybersecurity Consultant, Performed Cyber Risk Study of the ICS used in the NATO CEPS.
3 years ago
Good definition, but I propose that we find a place for the "unintentional" industrial cyber incidents. Not following procedure, human error or just things malfunctioning can result in an industrial cyber incident. In numbers, the unintentional ones probably far outnumber the incidents that come from malicious intent and tend to get the news media's attention. Forgetting to place the sensors on the new gas pipe (Colonial gas explosion in Boston), not knowing the function of a computer in a control system before performing an update (Hatch reactor shutdown), a sensor on a train track failing to note the presence of a passing train (D.C. Metro crash) are just a few examples of incidents that do not come from the malicious acts of an adversary. Thanks.