Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

January 22, 2015

USI’s (Unidentified Security Incidents) – Security Through Obscurity

Filed under: Cybersecurity,Security — Patrick Durusau @ 2:15 pm

I was reading “Cybersecurity Expert Warns Not Enough Being Done to Prevent Highly Destructive Cyberattacks on Critical Infrastructure,” wherein Steve Mustard, an industrial cybersecurity subject-matter expert of the International Society of Automation (ISA), etc., is reported to be sounding the horn for more industrial security.

From the post:

Mustard points to the steady flow of cyberattacks on industrial automation control systems (IACS) and supervisory control and data acquisition (SCADA) networks being tracked by the Repository of Industrial Security Incidents (RISI).

“There have been many incidents in the past 10 to 15 years that can be traced back to insufficient cybersecurity measures,” he says. “There are many every year, most of which escape public notice. In fact, it’s widely believed that there are many more that are never reported,” he discloses. “The RISI analysis shows time and again that these incidents are generally the result of the same basic cybersecurity control failures. It is often only the presence of external failsafe and protection mechanisms that these incidents do not lead to more catastrophic consequences. Many use these protection mechanisms to argue that the concern over the consequences of cyberattack is exaggerated, and yet incidents such as Deepwater Horizon should teach us that these protection mechanisms can and do fail.”

In case you didn’t follow the Deepwater Horizon link, let me give you the snippet from Wikipedia that covers what you need to know:

On 20 April 2010, while drilling at the Macondo Prospect, an explosion on the rig caused by a blowout killed 11 crewmen and ignited a fireball visible from 40 miles (64 km) away.[12] The resulting fire could not be extinguished and, on 22 April 2010, Deepwater Horizon sank, leaving the well gushing at the seabed and causing the largest offshore oil spill in U.S. history.[13] (emphasis added)

Do you see anything in the description of the events on the Deepwater Horizon that says “cybersecurity”? I’m not an “oil man,” as they say in Louisiana, but even I know the difference between a blowout (too much pressure from the well) and a cyberattack. Apparently Steve Mustard does not.

But the point of this post is that you can’t form an opinion about the rest of Steve Mustard’s claims. Or at least not at a reasonable cost.

Why?

Follow the link to the Repository of Industrial Security Incidents (RISI) and you will find that access to the Repository of Industrial Security Incidents is $995 for three months or $2995 per year.

So long as the “security” industry continues to play status and access games with security data, hackers are going to remain ahead of defenders. What part of that isn’t clear?

Sony scale hacks will become the norm if the computer security industry continues its “security by obscurity” stance.
