The fallacy of not sharing ICS incident information

Jan. 1, 2000

This blog is not about people but organizations and the fallacy of not sharing information. I believe there are many people in industry willing to share information about ICS cyber incidents. However, in too many cases, they are not allowed to do so. The fact is that legal departments too often are afraid that somehow this will make them a target, or that this will be reflected in a lower stock price, or other irrational fears. These fears are irrational because properly done, disclosure should not cause these problems, but help prevent problems.

This blog is not about people but organizations and the fallacy of not sharing information. I believe there are many people in industry willing to share information about ICS cyber incidents. However, in too many cases, their organizations, particularly lawyers, will not allow them to do so. The fact is that legal departments too often are afraid that somehow this will make them a target, or that this will be reflected in a lower stock price, or other irrational fears. These fears are irrational because properly done, disclosure should not cause these problems, but help prevent problems.

Several years ago, I had two engineers attend the ICS Cyber Security Conference to discuss actual ICS cyber incidents because they thought it was so important to share the information with their peers. Neither engineer’s company would support their travel expenses. However, the engineers came and shared their information in a non-attributable manner (they did not identify their organizations). The conference was in the DC area but none of the major industry organizations attended nor did NIST yet all these organizations seem to be vociferous about the need to share information. This year I will have another utility share information about a recent significant cyber incident. Again, the information sharing is being done without the formal support of the organization and in a non-attributable manner.

In February 2013, NERC issued a lessons-learned report on four incidents. All were clearly cyber incidents but NERC went to great lengths not to identify the incidents as cyber. The irrational fear of cyber incident disclosure is not only preventing the affected organization from sharing of information but also the non-affected organizations from hearing the information. It also means that the security guidance being disseminated and the table top exercises being required do not reflect what is actually occurring and can actually lead to organizations taking the wrong actions during an actual cyber incident.

When I was managing the control system programs at EPRI (before security was an issue), information sharing was common and supported by the organizations. Until organizations realize there will be more benefit than impact by sharing this important information, there will continue to be minimal improvements by either end-user organizations or the support community if they can’t share information on the problems be they unintentional or malicious.

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...