The SIO is a non-profit organization formed last July to manage and provide public access to the database of industrial cyber incidents formerly housed at the British Columbia Institute of Technology (BCIT).
The database, now known as the Repository of Industrial Security Incidents (RISI), currently houses about 175 confirmed cyber incidents affecting control systems, with some going back to the 1980s, says John Cusimano, SIO managing director, and director of security services at exida (www.exida.com), a Sellersville, Pa., safety and security firm.
Incidents rising
“We track the number of incidents per year. And even though the rate has moved up and down, when we do a linear interpolation, we can definitely see that the trend is increasing at probably 20 percent to 25 percent per year over the last decade,” says Cusimano. On average, confirmed industrial cyber incidents are now being reported at a rate of about 10 each calendar quarter, he notes.
The RISI database includes accidental cyber-related incidents, as well as deliberate events such as external hacks, denial-of-service attacks and virus or worm infiltrations that did or could have resulted in loss of control, loss of production or a process safety incident. About 25 percent of all reported incidents are the result of intentional, directed attacks, says Cusimano. Security incident data is obtained from three sources—private incident reports submitted by industrial companies, searches for publicly reported incidents and data-sharing agreements with various organizations.
The body of the 2009 Annual Report provides detailed analyses of the incident data and compares recent data to historical data to identify shifts or trends of interest. The analysis determines where and when the incidents occurred. It also identifies the types of incidents, the threat factors that executed them, and the methods and techniques used to gain entry. The results achieved vs. the results that were attempted, and the financial and operational impacts on the “victims,” are included as well.
To listen to a podcast of an interview with John Cusimano on the new report and current trends in cyber security incidents affecting control systems, visit www.automationworld.com/podcast-6872.
A section of the report is dedicated solely to incidents occurring in 2009, including brief case studies for all incidents reported during that time. The report also includes, for the first time, an overview of industrial control system vulnerabilities reported in 2009, courtesy of Critical Intelligence Inc. (www.critical-intelligence.com), Idaho Falls, Idaho.
Industry trends
A significant shift has been observed in the incident rates by industry over the past five years, according to the report. This includes an overall decline in the incident rate in the petroleum and chemical industries (more than 80 percent), but an increase in the incident rate in the water/wastewater (more than 300 percent) and the power and utilities industries (30 percent).
While the reasons for these trends are not known, some have speculated that the emphasis on disclosure in water/wastewater and power utilities may be playing a role in the rising rate of reported incidents, says Cusimano. Recently enacted Critical Infrastructure Protection (CIP) standards covering the electric power industry require that cyber incidents be reported, for example. Others have speculated that industries such as petroleum and chemicals have been more proactive and are doing a better job than others at managing cyber-security risk, Cusimano adds.
Despite a decline in recent years, the vast majority of control system cyber-security incidents (almost 50 percent) reported to RISI have been caused by malware, including viruses, worms and Trojans. However, incidents involving unauthorized access or sabotage perpetrated by internal sources—such as a disgruntled former employee or contractor who uses inside knowledge or access privileges to cause harm to the company—are up considerably in the same time period comparison. Also on the rise are incidents in which network anomalies induced failures in control system equipment.
The kind of data collected and reported through RISI can serve as a valuable resource to industrial organizations in developing their own cyber-security strategies, sources agree. The 2009 Annual Report can be purchased individually or as part of a RISI Company or Corporate Membership, and is available through the SIO Web site.
Critical Intelligence Inc.: www.critical-intelligence.com
exida: www.exida.com
Security Incidents Organization: www.securityincidents.org