
What Went Wrong?

A Look at Industrial Cyber Security Incidents

John Cusimano, RISI

SCADA Security is Making Headlines

An excess of rumour and a shortage of facts

© 2010 The Security Incidents Organization 2


Separating Fact from Fiction

• How much of what is reported is real versus hype?


• Need a realistic assessment of the risks to our critical infrastructures:
– What is fact and what is urban myth?
– How urgent is the security risk?
– What vulnerabilities are exploited?
– What are the threat sources?
– How serious are the effects?



What is RISI?

• Database of incidents of a cyber security nature that directly affect industrial
Supervisory Control and Data Acquisition (SCADA) and process control
systems
• Includes accidental cyber-related incidents, as well as deliberate events such
as external hacks, Denial of Service (DoS) attacks, and virus/worm
infiltrations
• Data is collected through research into publicly known incidents and from
private reporting by member companies that wish to have access to the
database
• It is highly coveted by Critical Infrastructure personnel worldwide.

History
• Industrial Security Incidents Database (ISID) developed through academic
research project at the British Columbia Institute of Technology (BCIT).
• ISID was discontinued in 2006. Byres Research acquired the rights to ISID
from inventors
• Project initiated to develop the Repository of Industrial Security Incidents
(RISI) using ISID data plus incidents collected since 2006
• Exida acquired Byres Research and created the Security Incidents
Organization™, a 501(c)(3) non-profit, to operate and maintain RISI

The Security Incidents Organization™
• The Security Incidents Organization is a 501(c)(3) non-profit company that
operates the Repository of Industrial Security Incidents (RISI)
• Funding for operating The Security Incidents Organization is provided by
private membership dues and public grants

Value

• Identify common factors contributing to incidents, such as affected equipment,
entry point, type of incident, impact, etc. to prevent future incidents
• Sharing of lessons learned through historical data
• Provide an industry benchmark for continuous improvement
• Provide statistics for business cases that security managers must write to
get funding

Type of Data Collected
• Incident Title
• Date of Incident
• Reliability of Report: 1=Confirmed, 2=Likely But Unconfirmed,
3=Unlikely, 4=Hoax/Urban Legend
• Type of Incident (e.g. Accident, Outside Hack, Virus, etc.)
• Industry (e.g. Petroleum, Pulp, Automotive, etc.)
• Entry Point
• Perpetrator
• Brief Description
• Impact on Company
• References
• And more…

Security Incidents Organization™
Mission Statement

The mission of the Security Incidents Organization™ is to collect, track, analyze
and share high-value information regarding industrial cyber security incidents
that directly affect SCADA, manufacturing, and process control systems so
member companies can:
• Learn from the experiences of others
• Gain a realistic understanding of the risks associated with industrial
cyber-threats
• Adapt their current security policies to reflect the changing dynamics of
industrial cyber-security

Highlights from Analysis Report
• Issued quarterly
• Most recent report issued 16 Mar 2010
• 161 incidents (confirmed or likely)
• Averaging about 10 new incidents per quarter
• Only confirmed or likely incidents are included in the report



Time will tell

The number of industrial cybersecurity incidents has remained stable but is
expected to rise based on recent reporting rates.



Who is getting attacked?

Power and Utilities, Petroleum and Transportation industries experience the
majority of cybersecurity incidents.



Incident Types

Outsider attacks account for nearly half of the Intentional incidents reported.
Accidental incidents account for 40% of the Unintentional incidents.



Incident Type

Malware accounts for most of the unintentional attacks. However, the remaining
22% are some form of targeted attack.



What incident types are on the rise?

Accidental equipment failure has been on the rise in the past 5 years.



The effects of security incidents

The number of environmental spills due to cyber security issues has increased
350% in the past 5 years when compared to the prior 5-year period.



Accidents happen
• Accidental cyber incidents account for 44% of all incidents reported in RISI.
• Consequences can range from nuisance to catastrophe.



Example Accidental Incident



Example Accidental Incident



Example Accidental Incident



Keep your friends close…

• Internal attacks account for 10% of reported incidents



Disgruntled Contractor Disables Pipeline
Leak Detection System

• March 2009
• A Los Angeles federal grand jury indicted a disgruntled IT
Technician on allegations of temporarily disabling a Pacific
Energy Resources Ltd. (PER) computer system
• The computer system was responsible for detecting pipeline
leaks for three oil derricks off the Southern California Coast.
• Mario Azar, 28, pleaded guilty on Sept. 14

Source: The Repository of Industrial Security Incidents (www.securityincidents.org)

RISI Individual Membership
• $195/year
• Benefits
– 10% Discount on Products
– Monthly newsletter
– PowerPoint of the Month
– Invitations to special member-only events
– RISI News Service

Reporting to RISI
• Your identity and your company's identity remain completely confidential and
will not be shared with any legal or government entities.
• How to submit:
– Download a reporting form (editable PDF) from:
http://www.securityincidents.org/register.asp
– Email to submit@securityincidents.org (PGP key available)
– Fax paper form to: 215-257-1657
• You will get free membership for 3 months
