Slashdot Mirror


Nobody Is Sure What Should Count As a Cyber Incident

chicksdaddy writes: Despite a lot of attention to the problem of cyber attacks against the nation's critical infrastructure, The Christian Science Monitor notes that there is still a lot of confusion about what, exactly, constitutes a "cyber incident" in critical infrastructure circles. The result: many incidents in which software failures affect critical infrastructure may go unreported.

Passcode speaks to security experts like Joe Weiss, who claims to have a list of around 400 incidents in which failures in software and electronic communications led to a failure of confidentiality, integrity or availability (CIA) — the official definition of a cyber incident. Few of them are considered cyber incidents within critical infrastructure circles, however. His list includes some of the most deadly and destructive public sector accidents of the last two decades. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham Washington that killed three people and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.

While official reports like this one about the San Bruno pipeline explosion (PDF) duly note the role software failure played in each incident, they fail to characterize them as 'cyber incidents' or note the cyber-physical aspects of the adverse event. Weiss says he has found many other, similar omissions that continue even today. He argues that applying an IT mindset to critical infrastructure results in operators overlooking weaknesses in their systems. "San Bruno wasn't malicious, but it easily could have been," Weiss notes. "It's a nonmalicious event that killed 8 people and destroyed a neighborhood."

49 comments

  1. San Bruno happened by Anonymous Coward · · Score: 0

    because people didn't do their jobs, not because of software. Whoever wrote this is a fucking idiot.

    1. Re:San Bruno happened by FreeRadicalX · · Score: 1

      RIP Glenview / Claremont Drives, went to elementary school up the street from that explosion. I've always wondered if I once knew someone who perished.

    2. Re:San Bruno happened by Big+Hairy+Ian · · Score: 1

      That couple I saw in a graveyard on World of Warcraft. Pretty sure that was a cyber incident!

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  2. One candidate by Anonymous Coward · · Score: 0

    I think a good candidate for a 'cyber incident' is when a discussion is censored and railroaded in a certain direction by overzealous post deletion and long-winded flames that contextually reframe the entire debate.

  3. When your dongle fails to deploy... by Anonymous Coward · · Score: 3, Funny

    it is a cyber incident. That is all.

  4. Cyber "Attacks" by Fire_Wraith · · Score: 5, Interesting

    Probably the first hurdle to pass in defining "cyber incidents" (and setting aside the overuse of the cyber- prefix in the present day and age) is the fact that non-technical, and in some cases even non-IT Security people really don't have a good basis for discerning what is or isn't significant. I'm reminded of one news article where the NYPD (or some similar state/local agency) announced that they suffered something like 500,000 "cyber attacks" from Chinese and other IP addresses in the span of several months. The nature of those attacks?

    Port Scans.

    Further complicating this is the fact that there's a lot of money involved. "There are lots of attacks, so you should buy my services" or "My agency gets attacked, so I need funding for security" are common themes. That's not to say there isn't a threat, or that attacks don't occur; just that some people have an incentive to turn up the threat meter, which makes establishing a clear answer more difficult. It's very easy to play with the definitions to turn out numbers of "incidents" without sufficient context. I easily see untold numbers of bad things in any given day; but most of those are automatically handled by the existing systems. Should those be counted, or are we only concerned with things that actually cause noticeable impact beyond my monitoring screen?

    Lastly, when we say "incident", are we talking about operator/programmer/etc error, or are we talking about deliberate malicious action? By Weiss's definition, we're including the former, but that's quite a stretch to equate them to "attacks." Even if those incidents should probably be of concern, though, do they fall under Security's purview, or should they have been handled by some other business unit? As an IT Security professional, my job is to protect the network - it's not to make sure that everyone in the company is doing their jobs correctly.

    1. Re:Cyber "Attacks" by JWSmythe · · Score: 1

      According to the article, they define incident as..

      failure in electronic communications leads to a loss of confidentiality, integrity, or availability.

      So an operator or programmer error making privileged information available is an incident.

      Someone trying to brute force their way into a FTP server and reaching the connection limit, is a denial of service, and therefore also an "incident".

      I've used it both ways, depending on the context. I break it down to "tries" and "got in".

      "Tries" justifies the budget for IT security. "There were 100 billion attempts to break into the network".

      "Got in" is what they should mean. That should be zero. The zero number unfortunately means that the budget can be reduced, because no one can break in.

      I generally ignore it when people talk about the attempts. Hell, any of us can fire up nmap, and make a whole bunch of attempts with virtually no effort. If you have public servers and they don't have at least some sort of attempt, you forgot to plug in the network cable. :)

      --
      Serious? Seriousness is well above my pay grade.
  5. i think its pretty clear so far. by nimbius · · Score: 2, Insightful

    According to modern convention a 'cyber event' is any event where government or private industry is exposed to extended and unwarranted yet catastrophically revealing scrutiny that serves to radically alter a citizen's or consumer's outlook on the state or the product respectively. These incidents are generally prosecuted rigorously in a kangaroo court, and involve numerous FISA submissions and FOIA redactions.

    By contrast, if a substantial subset of consumers experience the unauthorized release of their personal credit card, social security numbers, addresses, and bank information then this is just an 'incident' or a 'breach.' It involves 'data security' and 'unintentional disclosure' and is in no way a cyber event, although the FBI will be invoked just as predictably as a benediction at Sunday mass in order to maintain the illusion the company affected has some purchase in the matter.

    The ultimate difference being "cyber events" are ginned up to sell wars and products. Data incidents and breaches are to be forgotten as fast as the public can, and covered quite minimally by the news media.

    --
    Good people go to bed earlier.
  6. failure of confidentiality? by turkeydance · · Score: 1

    that means ever-dam-thang.

    1. Re:failure of confidentiality? by beh · · Score: 1

      Nonsense man!

      You should just know, that it ONLY qualifies as a cyber incident, if it hits _OTHERS_.

      If we are hit ourselves, it was nothing to begin with and doesn't need reporting... ;-)

  7. The funding and the bureaucracy by AHuxley · · Score: 1

    The "critical infrastructure results in operators overlooking weaknesses in their systems" is to be expected with the removal of local staff on site 24/7 replaced by automated or vast networked systems.
    That reduced expensive union staff and allowed a smaller set of skilled workers to do the jobs of many. Great for profits as paying for fewer workers, but the huge networks used might not always be dedicated and hardened or secure.
    So vast amounts of maintenance, observation and operational use is expected to move along random networks.
    In the past a real person doing shift work sat at a site and had control using a closed network. Now that network might reach a tri state area on many different networks with years of code and complexity.
    The huge amounts of cash floating around after incidents is the new boondoggle. The networks need fixing, upgrading and a new cyber bureaucracy can point to cyber intrusions to get more political power, budget growth.
    The real fix is in more maintenance, more staff and the correct use of real internal networks.
    Working, well understood critical infrastructure is not difficult. Nations around the world can secure their own sites. Low quality networks over vast areas is not the best way to keep thinking about the issue.

    --
    Domestic spying is now "Benign Information Gathering"
  8. That's easy by redwraith94 · · Score: 1

    Really anything that has to do with online, sexual harassment should qualify. I don't see why we should restrict it.

    --
    I art more snarky, and terse than thou. I art Slashdot!
  9. We have cyber incidents all the time by duck_rifted · · Score: 1

    There's a cabal of irresponsible (at best) and insane (at worst) organizations that publicly disclose the private information of citizens and members of government to further their own financial and political ends. We call them businesses.

  10. Wasn't the term designed to defy definition? by fuzzyfuzzyfungus · · Score: 3, Insightful

    Isn't 'cyber-incident' the sort of bullshit term that is more or less designed to be slippery, and thus useful for both alarmism and obfuscation as the situation requires?

    It's vague enough that the most harmless script-kiddie probing for easy targets could theoretically be totted up as a 'cyber incident', regardless of harm, if you were attempting to make the world out to be a place so dangerous that your budget definitely needs to increase; but also allows some classes of security failure to not be 'cyber'(if, say, social engineering was employed at some point); and also leaves considerable flexibility over what qualifies as an 'incident'(potentially pulling tens or hundreds of individual occurrences under one 'incident' if you are trying to look more competent, or breaking out every record spilled in one DB breach if you are attempting to look more embattled).

    Why try to define it if we can just set it on fire, salt the ashes, and pretend it was never coined?

    1. Re:Wasn't the term designed to defy definition? by bill_mcgonigle · · Score: 1

      Isn't 'cyber-incident' the sort of bullshit term that is more or less designed to be slippery, and thus useful for both alarmism and obfuscation as the situation requires?

      And for everybody and their brother to grab power.

      Schneier had a good analogy with the Sony hack, and his rubric is a good one - take what happened online and make the closest physical-world analogy you can. The Sony hack was equivalent to somebody sneaking into Sony HQ and photocopying a _lot_ of documents.

      Clearly a violation, but now the Air Force is looking at ( / may have conducted) a counter-strike? For photocopying?

      That's just crazy. But since the NSA has been militarized we should be very concerned about PsyOps leading the populace into war over simple property crimes.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Wasn't the term designed to defy definition? by Anonymous Coward · · Score: 1

      *Any* use of the term "cyber" in front of anything except maybe "cyberpunk" is not only slippery, it implies that you're a .gov idiot who believes that term makes you sound like you know how to turn on your computer without the assistance of the IT department.

  11. "I put on my robe and wizard hat." by Anonymous Coward · · Score: 0

    n/t

  12. The new terrorism by Anonymous Coward · · Score: 0

    'Cyber' attacks - whatever the hell that means - are just being set up as the next everybody-think-of-the-children freak-out fest for the world's media/political machinery. It will generate lots of money for defence contractors making 'cyber weapons', allow politicians to push through unpopular laws and deflect attention from their inability to solve real problems, and give the 24-hour news cycle something even more abstract and undefinable than the war on the last abstract noun.

    The used car salesmen have well and truly arrived at the doors of the technology industry and we can expect the rate of uselessness to accelerate from here.

  13. Easy... by TeknoHog · · Score: 1

    ..any incident that involves control and feedback systems.

    --
    Escher was the first MC and Giger invented the HR department.
  14. Can we please have some perspective? by Anonymous Coward · · Score: 0

    Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham Washington that killed three people and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.

    So here's the actual 3-page NRC report on the Browns Ferry incident: http://www.nrc.gov/reading-rm/doc-collections/gen-comm/info-notices/2007/in200715.pdf

    "I have ADD" summary: The VFD that controls the circulation pumps is connected to a plant-wide ethernet. Excessive traffic made it poop its pants and shut off. The reactor was scrammed because full power without coolant circulating is Bad. They power cycled the controller and it came back up; Then they found another controller in the condenser, also networked, also failed.

    Was it acceptable to have installed a digital VFD for a mission-critical pump without a watchdog timer that would do automatic reset and resume? No. Whoever signed off on that ought to be fired. Was it acceptable that the operators not be allowed to review the PLC controller code even though it was going to run a large nuclear reactor coolant pump? No. But this is beside the point: fucking hell, nobody was killed, nobody was hurt, at no point during this incident was there any danger of anything, to anyone, anywhere. So why on earth would this be listed by name in a summary on a high-traffic website, next to a gas pipeline explosion that *burned down an entire neighborhood*, when dropping names of a few of the "most deadly and destructive public sector accidents of the last two decades" caused by software failures?

    Oh, right, because nookular skeery. Way to be responsible, Slashdot. When's our next Two Minutes' Hate for the fearmongering assholes that run the media?

  15. given the by Anonymous Coward · · Score: 0

    fear mongering of the lefties and climate-changers, I imagine they'll blow things ridiculously out of proportion and say any incident involving the internet is a cyber incident.

  16. Bellingham Pipeline Explosion? by keithga · · Score: 2

    Wow, to classify the 1999 Bellingham Pipeline Explosion as a "Cyber Incident" is a BIG stretch. That was an industrial accident, with mechanical failure as a significant component. Just because there was computer monitoring equipment, does not mean it was a "Cyber Incident".

    1. Re:Bellingham Pipeline Explosion? by Anonymous Coward · · Score: 0

      I agree with this. Same for the San Bruno incident: weak points in the pipes, combined with works in the surrounding area. The report mentions that the available IT tools (SCADA) were not able to determine quickly the exact location and nature of the incident. This should thus never qualify as a cyber incident. According to the Wikipedia article, IT played a very positive role in the aftermath of the incident, with rapid response deployment of technology on site (Cisco, Google).

  17. The only cyber incidents by rsilvergun · · Score: 1

    should involve these guys.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  18. Make it a sub-category by Anonymous Coward · · Score: 0

    Something happens. That's an incident.
    On-site sabotage of equipment? That's a physical incident.
    Social engineering was involved? You have a social incident.
    A computer was involved as one of the attack vectors? Make sure to include cyber-incident on the report.
    It's all an incident.

    There. You're done.

    1. Re: Make it a sub-category by Anonymous Coward · · Score: 0

      I'm an "operational technology" Engineer in a SCADA department... The confusion in general in SCADA is the difference between cyber-incident and cyber-attack. Most failures of a SCADA system are software based, therefore count as a "cyber-incident." A successful cyber-attack is a sub-category of cyber-incident.

  19. Does a decent /.ing still qualify? by Anonymous Coward · · Score: 0

    There was a time when making the main /. page broke many a bandwidth budget. Seems like only reddit can do that reliably anymore.

  20. Cyber Shmyber by Anonymous Coward · · Score: 0

    Seems the term rightly would refer to an attack from the outside. In the San Bruno event, it appears PG&E did it to themselves (well, to the neighbors unfortunate enough to live near a PG&E line)... due purely to corporate ineptitude and laziness.

    "Whether such anomalous chemistry and strength is systemic throughout the 150 miles of uncharacterized legacy gas transmission piping in the PG&E system is unknown." Has anything improved since 2011 when the report was issued? Have they even shifted away from default values that obscure threats? I'd be guessing not a whole lot has changed.

  22. How about telling us the name(s) of the software by Anonymous Coward · · Score: 0

    "Nobody Is Sure What Should Count As a Cyber Incident"

    The linked to San Bruno pipeline explosion PDF is a little short on actual details regarding the software responsible for the explosion.

  23. Before I finish this my server will be attacked! by EmperorOfCanada · · Score: 1

    In the time it will take me to type this post I will get at least one wp-admin request from my server (without WordPress) plus I will probably have an assortment of other odd requests looking to exploit various server weaknesses for web servers that are different than mine; Various cgi attacks and so on.

    Needless to say these aren't terribly troubling, generally the worst they do is to pollute my logs with crap. The main problem with these sort of "attacks" is that fear mongers will use them to justify giving them lots of consulting money.

    What does annoy me about these attacks is that while they are fairly ineffective I would still love to see a concerted effort to nail the people who do them to the wall. I see it like those people who aim laser pointers at airplanes.

    That said, there are genuine attacks from sophisticated but unless the companies involved have political pull these attacks too go unpunished. What bothers me the most is that these attacks originate from a very few countries. How about we shut those countries internet connections down for a few days until those attacks stop.
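    The "tries" versus "got in" split that JWSmythe describes above, applied to the kind of log noise EmperorOfCanada mentions here (wp-admin and cgi-bin probes against a server that runs neither), as an added Python example that is not part of the original thread or of any commenter's code. The log lines are constructed; the probe signatures, the /admin/login path and the two-failures threshold are assumptions made for the illustration.

```python
"""Triage web-server access-log lines into "tries" versus "got in".

Added example for this thread. The sample log is constructed and the probe
signatures, login path and threshold are assumptions for a server that hosts
neither WordPress nor PHP.
"""
import re
from collections import defaultdict

# Constructed sample in Apache/nginx combined log format (RFC 5737 test
# addresses); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:08:01:02 +0000] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:01:03 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:01:04 +0000] "GET /cgi-bin/php?%2D%64+allow_url_include%3D1 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:08:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:08:02:11 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2015:08:03:00 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.5"
192.0.2.99 - - [10/Mar/2015:08:03:01 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.5"
192.0.2.99 - - [10/Mar/2015:08:03:02 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "python-requests/2.5"
192.0.2.99 - - [10/Mar/2015:08:03:03 +0000] "GET /admin/users.csv HTTP/1.1" 200 88000 "-" "python-requests/2.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: this server hosts no WordPress, PHP or CGI, so a request for any
# of these paths is an opportunistic probe, i.e. a "try".
PROBE_PATTERNS = [
    re.compile(r'^/wp-(admin|login|content|includes)'),
    re.compile(r'^/cgi-bin/'),
    re.compile(r'^/phpmyadmin', re.IGNORECASE),
    re.compile(r'\.php(\?|$)'),
]
LOGIN_PATHS = {'/admin/login'}   # assumed real login endpoint
AUTH_FAILURES = {401, 403}
BRUTE_FORCE_THRESHOLD = 2        # failures before a success counts as "got in"


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def is_probe(path):
    return any(p.search(path) for p in PROBE_PATTERNS)


def new_bucket():
    return {'benign': 0, 'tries': 0, 'got_in': 0, 'after_entry': 0, 'events': []}


def triage(log_text):
    """Per-source-IP counts. Rules used here:
      probe path, non-success status                 -> tries   (background noise)
      probe path, 2xx/3xx                            -> got_in  (we answered for a path we should not host)
      login path, 401/403                            -> tries
      login path, 2xx/3xx after >= threshold failures -> got_in (brute force succeeded)
      anything else from a source that already got in -> after_entry (review, not noise)
    """
    summary = defaultdict(new_bucket)
    failures = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, path, status = rec['ip'], rec['path'], rec['status']
        b = summary[ip]
        success = 200 <= status < 400
        if is_probe(path):
            if success:
                b['got_in'] += 1
                b['events'].append(f'{rec["ts"]} probe path answered {status}: {path}')
            else:
                b['tries'] += 1
        elif path in LOGIN_PATHS:
            if status in AUTH_FAILURES:
                failures[ip] += 1
                b['tries'] += 1
            elif success and failures[ip] >= BRUTE_FORCE_THRESHOLD:
                b['got_in'] += 1
                b['events'].append(f'{rec["ts"]} login succeeded after {failures[ip]} failures')
            else:
                b['benign'] += 1
        elif b['got_in']:
            b['after_entry'] += 1
        else:
            b['benign'] += 1
    return dict(summary)


def totals(summary):
    """Sum the numeric counters across all sources."""
    keys = ('benign', 'tries', 'got_in', 'after_entry')
    return {k: sum(b[k] for b in summary.values()) for k in keys}


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for ip, b in result.items():
        print(ip, {k: b[k] for k in ('benign', 'tries', 'got_in', 'after_entry')})
        for e in b['events']:
            print('   ', e)
    print('totals:', totals(result))
```

    On the sample, the three wp-/cgi-bin probes from 203.0.113.7 land in "tries" (the number that inflates a budget slide), while 192.0.2.99 produces the single "got in" that matters: two 401s on the login path followed by a 302, with the users.csv download afterwards flagged for review rather than lumped in with normal traffic. The probe list is the part to tune per server; a 200 on one of those paths is the case worth paging on, because it means the server answered for something it was not supposed to be running.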

  24. Critical infrastructure and cyber incidents? by DougPaulson · · Score: 1

    Just who in their right minds connects critical infrastructure to the cybertubes? I call BS on this whole story ..

  25. "Cyber" by koinu · · Score: 1

    From what I've learned so far, people who use the word "cyber" should not decide about anything concerning security.

    (btw, "to cyber" means "to have a dirty talk/chat online" from what I've seen how people use this awful term)

    1. Re:"Cyber" by UnknownSoldier · · Score: 1

      Agree 100% -- Cyber is the word these security clowns that just confirms it used by idiots. We don't need to replace "Virtual" or "Online" with yet another dumb term.

      Almost as bad as the retards who use "Task Force"

  26. Well, then come up with a definition already. by Ihlosi · · Score: 1

    "Nobody is sure" ... yeah, right. How about coming up with some kind of scale first? There's scales to classify everything from nuclear accidents to signs of extraterrestrial intelligence.

  27. This by Anonymous Coward · · Score: 0

    https://www.youtube.com/watch?v=-3ODe9mqoDE

  28. How to detect a Cyber Incident in one easy step. by Anonymous Coward · · Score: 0

    To detect a "cyber incident" first note the state of the keys involved.

    There has been a "Cyber Incident" if your keys are leaking or sticky.

  29. Not credible! by Anonymous Coward · · Score: 0

    Joe Weiss Is not a credible "expert". He got the water treatment attack wrong. Every year before hosting his conference he tries to make a splash. Retire Joe. Check the facts.

    http://www.washingtonpost.com/blogs/checkpoint-washington/post/foreign-hackers-broke-into-illinois-water-plant-control-system-industry-expert-says/2011/11/18/gIQAgmTZYN_blog.html

    http://www.greentechmedia.com/articles/read/illinois-water-utility-wasnt-hacked-feds-say

  30. Shades of..... by Twinbee · · Score: 1

    How about if the severity is not a polarized boolean value for.... wait for it.... shades of grey!

    Here are some words to add to your dictionary for those troubled by such a story:
    continuum, continuous, polarized, grey shades, black and white, degrees, magnitude.

    --
    Why OpalCalc is the best Windows calc
  31. CSI:Cyber by brianerst · · Score: 1

    I thought the official definition was once the event shows up as a thinly veiled plot on CSI:Cyber. Just like a regular crime used to become an important national conversation once it was an episode of Law and Order...

  32. Not a problem... by frank_adrian314159 · · Score: 1

    Certainly the free market will sort all of this out. Companies/government that fail to secure their critical infrastructure will crash and burn, those that don't profit!

    --
    That is all.
  33. "Cyber" in everything by Anonymous Coward · · Score: 0

    In a utility, almost all systems now have a cyber component. From your meter to the SCADA system, almost every component has some kind of IT aspect. You could maybe consider them OT (Operational Technology). This means that every incident would be or is a "cyber" incident.

    What really needs to happen is that we learn to report and address these incidents in their own context instead of trying to break them down into multiple and broadly common contexts. Treating the UPS swap incident in the article, for instance, as a cyber incident rather than a utility/scada incident does a dis-service to the customers as well as the utility. Requiring that it be treated as both doubles down the regulatory burden for the incident and creates a punitive atmosphere that results in the very under-reporting they are concerned with.

    The whole focus of dealing with incidents in critical infrastructure needs to shift to something more constructive than it currently is. It's currently all about the stick. Compliance and non-compliance both feel like punitive environments. This needs to change. We can argue for eternity about the importance for accountability, etc. But, these are human institutions and the regulations need to focus as much on enabling good operation as they do punishing imperfection.

  34. Definition by Anonymous Coward · · Score: 0

    "Any crime involving electronic devices is by definition cyber" - Patricia Arquette, CSI: Cyber. (and she should know!)

    1. Re:Definition by Anonymous Coward · · Score: 0

      I'd like to report a cybercrime. Someone stole my digital watch.

  35. Uhmmm damage? by ememisya · · Score: 1

    Okay for the millionth time, we DO NOT NEED NEW LAWS FOR "CYBER" ANYTHING! You know what, I won't win that uphill battle, I'm just going to assume there should be a whole new set of laws on using phones, we can call them telephony incidents!
