Hidden In Plain Sight

Control system cyber incidents are more plentiful and impactful than most observers expect - more than 17 million directly resulting in more than 34,000 deaths. Most of the incidents were engineering-based cyber attacks used to camouflage a deficiency in the design of the product or to cause physical damage.

The engineering-based cyber attacks did not involve the Internet, Windows, or Operating Technology (OT) networks to carry out the attacks. Consequently, these incidents were not identifiable by network cyber forensics and would not fall under the Chief Information Security Officer's domain.

This means most of these incidents would not be addressed by existing government and industry cyber security guidance, nor make their way to company  boards and regulatory authorities as cyber events.

While there have been more than 1,200 electric grid cyber-related incidents, that doesn’t adequately reflect the true impact on customers and the economy as some of the cyber-related outages have affected tens of millions of people. In addition, the diesel emissions scandal lays bare the philosophical differences in how offensive cyber attackers and cyber defenders’ approach cyber security.

The impacts from the 'dieselgate' were huge, more than $35 Billion in damages and several people went to jail, yet many defenders would not consider these to be malicious cyber attacks because they weren’t the type of attacks they were expecting.

Until the OT network-focused regulators and practitioners are willing to address engineering-based incidents and attacks, critical infrastructures cannot be secured.

Recommendations are provided to address the gaps in control system cyber security monitoring and control system cyber incident disclosure as existing disclosure requirements are geared toward vulnerabilities not incidents. It is also evident that monitoring the process sensor signals at the physics layer would have identified most of the incidents regardless of cause.

Joe Weiss is Managing Partner at Applied Control Solutions

This article is shortened version of the original Control Global Blog

You Might Also Read:

Many Cyber Security Experts Don’t Understand The Systems They Are Trying To Secure:

 

« Five Ways Executives Can Optimize Cyber Security Spending
It’s Well Past 230 For The US Communications Decency Act »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

OASIS Open

OASIS Open

OASIS Open is where individuals, organizations, and governments come together to solve some of the world’s biggest technical challenges through the development of open code and open standards.

Zivver

Zivver

Zivver is the effortless, secure email platform, powering the next generation of secure communications.

Digital Infrastructure Association (DINL)

Digital Infrastructure Association (DINL)

DINL is the leading representative for companies and organisations which are active within the Dutch digital infrastructure sector.

Focal Point Data Risk

Focal Point Data Risk

Focal Point is a pure-play data risk management provider capable of offering end-to-end consulting, implementation, and training services.

Arete

Arete

Arete is a global cyber risk company whose mission is to transform the way organizations prepare for, respond to, and prevent cybercrime.

Xage Security

Xage Security

Xage is the world’s first blockchain-protected security platform for Industrial IoT.

Appvisory

Appvisory

Appvisory by MediaTest Digital is the leading Mobile Application Management-Software in Europe and enables enterprises to work secure on smartphones and tablets.

Optra Security

Optra Security

Optra Security specializes in information security with a focus on Application Security.

Prove Identity

Prove Identity

Prove (formerly Payfone) is a leader in mobile & digital identity authentication for the connected world.

eXate

eXate

eXate provides pioneering technology that empowers organisations to protect, control and manage their sensitive data centrally, providing a complete data privacy solution.

Data Privacy Office (DPO)

Data Privacy Office (DPO)

Data Privacy Office is a company that specializes in privacy and personal data protection, following the highest standards in its sector.

Axio Global

Axio Global

Axio is a leading cyber risk management SaaS company. Our Axio360 platform gives companies visibility to their cyber risk, and enables them to prioritize investments to protect their business.

SRG Security Resource Group

SRG Security Resource Group

SRG Security Resource Group is a Canadian company dedicated to providing world-class Physical and Cyber Security services.

Ipstack

Ipstack

Ipstack offers one of the leading IP to geolocation APIs and global IP database services worldwide. Protect your site and web application by detecting proxies, crawlers or tor users at first glance.

Cygna Labs

Cygna Labs

Cygna Labs is a software developer and one of the top three global DDI (DNS, DHCP, and IP address management) vendors.

Cyber Industrial Networks

Cyber Industrial Networks

Cyber Industrial Networks objective is to service the needs of industry in achieving reliable, robust and secure infrastructure that supports productivity.