March 12, 2015, DHS's ICS-CERT issued the ICS CERT Monitor. The ICS-CERT report identified 245 total incidents in 2014. The report broke out the incidents by sector and by access vector. The report stated that the majority of incidents had an "unknown" access vector which implies lack of appropriate monitoring. The report identified network access vector categorization which made up 62% of the incidents were traditional IT attack vectors which can affect control systems but doesn't address control system-unique vectors such as unauthorized control system logic changes, unauthorized breaker control, etc.
I have the following questions about the ICS-CERT report data:
- Are there any international cases?
- As there are few end-users monitoring their CONTROL SYSTEM networks, how many of the Network Scanning/Probing incidents come from monitoring the control system networks?
- How many of the control system incidents were from field control systems (controllers, sensors, actuators, analyzers, etc)?
- Of the 38% unknown access incidents, how many accessed the field control systems?
- How many of these incidents are from control systems directly connected to the Internet with no cyber security protection?
- Arguably the most important question is how many of the control system incidents actually affected facility reliability and/or safety. The report stated that the majority of the incidents were from an "unknown" access vector but the organization was confirmed to be compromised. What does "compromised" mean? Did the compromise affect the reliability and/or safety of the facility?
I have been collecting actual control system cyber incidents since 2000. The criteria used for identifying incidents as control system cyber incidents is the NIST definition – electronic communications between systems or systems and people affecting Confidentiality, Integrity, or Availability. There are minimal control system cyber forensics and logging for control system field devices and minimal training for Operational personnel to identify control system cyber incidents. Consequently, there are few publicly identified control system cyber incidents. My database now has 400+ incidents and counting. The incidents are global and cover electric, nuclear, oil/gas, water/wastewater, pipelines, chemicals, manufacturing, medical, and transportation. The same systems are used in multiple industries world-wide making the incident database of greater interest as the results can be extended to many industries. Additionally, there are common threads to many of the ICS cyber incidents beyond the traditional IT breakdowns given in the ICS CERT report (see blog from 2/8/15). Consequently, there is a need to connect the dots and provide guidance to industry.
From a statistical perspective, 400+ incidents over 15 years may not make up a statistically significant sample size. Therefore, it may not be possible to identify statistically significant trends or frequency. What can be said are control system cyber incidents continue to occur in industries globally. The impacts from these incidents range from trivial to significant environmental damage to significant equipment damage to significant equipment/facility down-time to wide-spread electric outages, to deaths. It is not always evident which incidents are malicious and which are unintentional. However, it is the impacts that are important.
There is a need to use the knowledge from previous control system cyber incidents when developing cyber forensics and monitoring technologies, cyber security technologies, training, and to adjust requirements such as the NERC CIPs, Regulatory Guide 5.71/NEI-0809, and CFATS to address what has actually been happening.
Joe Weiss