
What Is The Meaning of One Documented Attack?

Recently I was called by a reporter from a major news organization who, I understand, has been calling many in the control system community for a potential story. He was hunting for an unreported, clear and vivid example of a successful cyber attack on a critical infrastructure control system that had serious consequences to build the story around. All they needed was one titillating attack to make the story, and evidently this had proven to be difficult.

My question to him and to loyal blog readers is: what if you find this example? What are we supposed to draw from this? One of a large number of complex systems highly reliant on IT hardware and software was compromised. I’m shocked! This would likely be true even if we did a great job of cyber security in control systems.

There is a story in how vulnerable control systems are, but until actual threats and compromises take place it does not have the required sizzle, and it requires too much technical detail for the average reader.

Now if the news organization showed a significant and growing number of attacks targeting critical infrastructure control systems, that would be interesting and valuable. Or investigations showing bad actors studying control systems. Or … The community is in desperate need of credible threat information, and then of the stories to drive it home to the decision makers.

Comments

Comment from Jake Brodsky
Time: September 23, 2009, 2:01 pm

Despite the databases of incidents, there are still very few well documented attacks against control systems. In other words, we can’t look backwards. We need to think like attackers and build pre-emptive measures against likely sources of attack from within as well as outside.

Part of what is wrong, in my highly inflated, self-centered opinion, is that many people are focusing on metrics where there are too few commonly accepted benchmarks.

We need to consider a feed forward system here to jumpstart efforts instead of a feed-back mechanism. I don’t think many of us could afford a feedback approach.

Comment from Ralph Langner
Time: September 24, 2009, 4:43 am

The meaning of one attack is zero. As long as we are caught in the paradigm of risk, we will not make significant progress. Time to re-read Taleb’s “The black swan” and his remarks on the 9/11 attacks.

Other than Jake (and his highly inflated, self-centered opinion) I do not believe that it will help us to think like attackers. It will not change a thing of the epistemological problem that is associated with the question: When am I secure?

One other thing. I tend to get nervous these days when people ask for incidents. Actually they don’t. What they want to hear is stories of crime and suspense. Anybody who is really interested in real-life incidents cannot overlook the fact that about 99.99% of all industrial cyber security incidents are not caused by malicious attackers. But that’s not something that a WSJ (or similar publication) journalist would find newsworthy.

Comment from Ron Southworth
Time: September 27, 2009, 11:33 pm

Hi Gents,

Well I don’t have a lot of time for the media generally (there are exceptions of course). Engineering stuff is pretty boring. It seems that to those guys, accurate reporting, well, that does not “sell” papers does it. nuff time wasted on that…

The metrification of threat is always going to be difficult to get a handle on. I hope people will stop trying to measure it and just try to keep a handle on what forms and techniques are being used. {how you can measure what you don’t know about I’ll never know}

The attack surface, the mean time to compromise a system or part of the system, these sorts of measurement I think we can do, and with some success of them being relevant.

The consequence of the compromise, this too I think we can quantify into the risk environment with a reasonable degree of success.

Lastly Ralph, we need to change the culture of people so that they understand their question is really “am I happy with this level of risk?”

Ron

Comment from Jeffrey Carr
Time: October 20, 2009, 11:29 am

Dale, with all due respect, I believe that you’re missing the point. It’s not about finding one attack. As you say, that a successful attack exists shouldn’t surprise anyone. The point of such an investigation, including the one that Project Grey Goose just kicked off, is: why is it so hard to find an example of the very thing that you, myself, and so many others know exists?

It’s this overly secretive culture that is so committed to hide and obscure any and every cyber-related event that is the problem, because it only serves to set back authentic advancement in securing our critical infrastructure.
