Slashdot Mirror
Nobody Is Sure What Should Count As a Cyber Incident
chicksdaddy writes: Despite a lot of attention to the problem of cyber attacks against the nation's critical infrastructure, The Christian Science Monitor notes that there is still a lot of confusion about what, exactly, constitutes a "cyber incident" in critical infrastructure circles. The result: many incidents in which software failures affect critical infrastructure may go unreported.
Passcode speaks to security experts like Joe Weiss, who claims to have a list of around 400 incidents in which failures in software and electronic communications lead to a failure of confidentiality, integrity or availability (CIA) — the official definition of a cyber incident. Few of them are considered cyber incidents within critical infrastructure circles, however. His list includes some of the most deadly and destructive public sector accidents of the last two decades. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham Washington that killed three people and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.
While official reports like this one about the San Bruno pipeline explosion (PDF) duly note the role software failure played in each incident, they fail to characterize them as 'cyber incidents' or note the cyber-physical aspects of the adverse event. Weiss says he has found many other, similar omissions that continue even today. He argues that applying an IT mindset to critical infrastructure results in operators overlooking weaknesses in their systems. "San Bruno wasn't malicious, but it easily could have been," Weiss notes. "It's a nonmalicious event that killed 8 people and destroyed a neighborhood."
Passcode speaks to security experts like Joe Weiss, who claims to have a list of around 400 incidents in which failures in software and electronic communications lead to a failure of confidentiality, integrity or availability (CIA) — the official definition of a cyber incident. Few of them are considered cyber incidents within critical infrastructure circles, however. His list includes some of the most deadly and destructive public sector accidents of the last two decades. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham Washington that killed three people and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.
While official reports like this one about the San Bruno pipeline explosion (PDF) duly note the role software failure played in each incident, they fail to characterize them as 'cyber incidents' or note the cyber-physical aspects of the adverse event. Weiss says he has found many other, similar omissions that continue even today. He argues that applying an IT mindset to critical infrastructure results in operators overlooking weaknesses in their systems. "San Bruno wasn't malicious, but it easily could have been," Weiss notes. "It's a nonmalicious event that killed 8 people and destroyed a neighborhood."
Probably the first hurdle to pass in defining "cyber incidents" (and setting aside the overuse of the cyber- prefix in the present day and age) is the fact that non-technical, and in some cases even non-IT Security people really don't have a good basis for discerning what is or isn't significant. I'm reminded of one news article where the NYPD (or some similar state/local agency) announced that they suffered something like 500,000 "cyber attacks" from Chinese and other IP addresses in the span of several months. The nature of those attacks?
Port Scans.
Further complicating this is the fact that there's a lot of money involved. "There are lots of attacks, so you should buy my services" or "My agency gets attacked, so I need funding for security" are common themes. That's not to say there isn't a threat, or that attacks don't occur; just that some people have an incentive to turn up the threat meter, which makes establishing a clear answer more difficult. It's very easy to play with the definitions to turn out numbers of "incidents" without sufficient context. I easily see untold numbers of bad things in any given day; but most of those are automatically handled by the existing systems. Should those be counted, or are we only concerned with things that actually cause noticeable impact beyond my monitoring screen?
Lastly, when we say "incident", are we talking about operator/programmer/etc error, or are we talking about deliberate malicious action? By Weiss's definition, we're including the former, but that's quite a stretch to equate them to "attacks." Even if those incidents should probably be of concern, though, do they fall under Security's purview, or should they have been handled by some other business unit? As an IT Security professional, my job is to protect the network - it's not to make sure that everyone in the company is doing their jobs correctly.