[Infowarrior] - Non-Profit Targets Cyber-Security in Plants

Richard Forno rforno at infowarrior.org
Wed Sep 23 14:50:01 UTC 2009


Non-Profit Targets Cyber-Security in Plants
by Stephanie Neil, MA Editorial Staff

http://www.managingautomation.com/maonline/news/read/NonProfit_Targets_CyberSecurity_in_Plants_33037

The move from proprietary, non-networked control systems in the plant  
to off-the-shelf, open applications that share information across  
industrial and business networks is a double-edged sword for  
manufacturers. On one side, people are more productive; on the other  
side, SCADA and process control systems are falling victim to hackers  
and network viruses.


Getting a handle on how to manage cyber-threats, however, has always  
been a bit tricky. Reporting an industrial incident to organizations  
such as the government-backed CERT program, which tracks Internet and  
network security attacks, accidents, and failures, could expose a  
company’s network vulnerability or create a legal liability. As a  
result, many manufacturers keep a lid on their own security issues,  
which limits knowledge sharing that could help the industrial  
community as a whole.


Enter the Security Incidents Organization, a newly formed non-profit  
group that provides public access to its Repository of Industrial  
Security Incidents (RISI). Established in July, the group maintains an  
industry-wide repository for collecting, investigating, analyzing, and  
sharing critical information regarding cyber-security incidents that  
directly affect SCADA and process control systems.


The RISI database dates back to 2001, when it was housed at the  
British Columbia Institute of Technology (BCIT) as part of a research  
project that was shut down in 2006. At that time, BCIT faculty member  
Eric Byres purchased the database and continued to collect data on  
incidents. His company, Byres Research, was acquired by safety and  
security services firm exida earlier this year.


Exida’s intent was to resurrect the database and make it available to  
the industry in a cost-effective model. “We also had to figure out a  
way to incentivize companies to report incidents so that it is not a  
static database, but dynamic and growing,” said John Cusimano, exida’s  
director of security services and the executive director of the  
Security Incidents Organization.


To encourage participation, the group, which is directed by an  
advisory board of manufacturers, vendors, and consultants, will  
provide a complimentary three-month membership (or extend a current  
membership for three months) with each unique incident reported. Basic  
introductory membership is $195 per year for an individual, but  
corporate memberships are available, as well as incident and analysis  
reports for an additional fee.


The group researches each reported incident before posting it in the  
database, which is the real value of the service. “The purpose of the  
database is to separate fact from fiction,” Cusimano said.


Currently, there are 154 incidents in the database related to industry  
cyber-security. The majority of cases have been from outside attacks.  
Some are accidental events, such as a virus or worm that gets into the  
business network and works its way into the control system. Then there  
is the problem of the disgruntled employee. “There are not a lot of  
those, but the amount of damage they do is significant,” Cusimano said.


While the vast majority of cases reported involve a line shutdown that  
disrupts production, worst-case scenarios involve disabling safety  
systems or altering production so that a product is not salable or  
does not meet specification. The goal of the RISI database is to  
provide manufacturers with a tool that helps avoid such catastrophic  
situations. 

