Several people, including a thread on the A-List at www.control.com, have taken notice of the CIA disclosure at SANS last week and have been asking about the veracity of the report. I posted the following, earlier today, on the A-List.
Joe Weiss (www.controlglobal.com/unfettered) and I believe the CIA report to be credible. Why we believe that is not for this public forum. Sorry to be mysterious. CIA is not the only agency of the US Government that takes this position.
And much of the US Government is apolitical, in case you want to go there.
There are in fact documented cases of cyber incidents in power, water, and wastewater utilities. There have been documented cases of cyber incidents in a variety of process and discrete manufacturing industry verticals.
Is this issue real? Yes.
Joe will again hold his Realtime ACS Cyber Security Conference this August (the 8th since he started doing it, the second since he left KEMA and started ACS). For info, see www.realtimeacs.com.
You can also read Joe's testimony before the congressional committee that held hearings late last year on the subject. Just search "Unfettered" (www.controlglobal.com/unfettered) for the blogposts where we published it.
It is real enough that in April of 2006, a group of vendors and end users including Honeywell, Invensys, ABB, Siemens, Exxon, Chevron, Shell, and others (myself, Eric and Joanne Byres of Byres Security, etc.) formed an ad hoc group to work on creating a consortium to produce compliance testing in parallel with ISA's SP99 Cyber Security Standard Committee and NIST. This has become the ISCI (www.isa.org/ISASecure/) ISA Security Compliance Institute.
In fairness, it must be said that the CEOs of the North American power utilities disagree with Joe, myself, Eric Byres, the CIA and others. It remains to be seen whether we are alarmists or they are ostriches.