Security Statistics
Eric Byres’ and Justin Lowe’s statistical analysis of industrial control system security incidents is available online at the tswg site. The main points in the analysis are:
- The source of attacks has shifted towards external attackers (from 31% pre-2000 to 70% post-2000).
- The number of reported events is increasing (from 13 in the period of 1982 - 2000 to 21 in the period of 2001 - 2003).
This is important research, but the second point shows the difficulty the researchers face: there are too few reported incidents to feel confident about the conclusions. From a statistical point of view, drawing conclusions from a sample size of 13 or 21 raises problems, and common sense and experience raise others.
In the '90s, Citibank was hit with a cyber attack, had a nice sum of money stolen, and was the example given in every security presentation, article, and TV report for the next 20 years. How many times have you heard about the SCADA cyber attack that caused the sewage spills in Australia? No one wants to be the next poster child for the need for SCADA security. BCIT does restrict access to non-public incident information, which may encourage more participation in the study.
Look at your own organization. Have you or would you report an incident? We are aware of incidents that will never be reported.
Are insider incidents less likely to be reported because they include HR issues? Are there certain types of incidents or sources of incidents you would be more likely to report?
This is important and interesting research, but more data would sure be nice.
Author: Dale Peterson
Posted: December 17th, 2004 under Calculating Risk.