Something that I keep on hearing from engineers (power, water, etc) on the SCADASEC mailing list is that they are more concerned about human error causing an outage than an attack over the internet. Most of the incidents that I hear about are operator error and they involve accidentally shutting down a computer system or perhaps configuring one improperly (The utility guys like to call these "cyber" incidents). When that happens things "go to hell in a hand basket" fast and people can and do die. They seem to be more concerned about those types of "cyber" incidents than they are the hacker threat... but they're not getting it right?
The fact of the matter is that a malicious hacker could trigger any number of these "cyber" incidents either deliberatley or accidently, and the end result is the same. How do we get these guys to take the threat more seriously? I think its happening, but I don't feel like its happening fast enough.
While a malicious attack is likely to have a much higher impact to critical infrastructure, it is my perception from anecdotal news that operator error is still a lot more common and still has a fairly high impact. Unless I'm wrong on that, it still makes sense to focus the greater amount of effort on systems to make simple mistakes less common and reduce their impact, rather than directing limited funding to preventing actual attacks. Many of the measures that utilities might take to reduce the impact of operator error would probably also reduce the impact of a malicious attack. Perhaps wider adoption of better risk assessment methodologies than what I currently see happening would answer this question better. The difficulty I see here is that risk assessment is not sufficiently emphasized in the current NERC CIPs and the utilities have their hands quite full trying to cover their regulatory risk.
ReplyDelete