About a year ago there was some good SCADA noise on the SBN & in the IRM blogger world. I'm sure real-world issues (like NERC's InfoSec standards) have kind of quieted that.
Hopefully, with "simulated hack" videos showing impact more graphically than probable dollar amounts on a spreadsheet, those who learn by movie plot line will re-evaluate their risk tolerance.
"It's equivalent to 40 to 50 large hurricanes striking all at once," (Economist Scott) Borg said. "It's greater economic damage than any modern economy ever suffered. … It's greater than the Great Depression. It's greater than the damage we did with strategic bombing on Germany in World War II."
Sometimes, I wonder if sensational analogies like the above quote have the opposite effect of their intention. Does placing the impact in "unimaginable" terms distance the consumer of such an analogy from reality and, therefore, lead them in their own minds to assume a correspondingly low frequency?
And maybe impact is being stressed rather than frequency, as noted (much) later in the article:
While acknowledging some vulnerability, DHS's Jamison (Robert Jamison, acting undersecretary of DHS's National Protection and Programs Directorate) said "several conditions have to be in place. … You first have to gain access to that individual control system. [It] has to be a control system that is vulnerable to this type of attack."
“You have to have overcome or have not enacted basic security protocols that are inherent on many of those systems. And you have to have some basic understanding of what you’re doing. How the control system works and what, how the equipment works in order to do damage. But it is, it is a concern we take seriously.”
“It is a serious concern. But I want to point out that there is no threat, there is no indication that anybody is trying to take advantage of this individual vulnerability,” Jamison said.
Having been through lots of Pen Test results presentations, lots of OCTAVE/NIST risk assessment presentations, etc., I wonder if this isn't the old trick "look what we could possibly do - aren't you frightened?" You know, the FUD play that ignores frequency and the compensating controls within the context of the business process, along with the ever-important Threat Capability, which consists of Skills and Resources (an equation we find in FAIR, btw).
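To make the frequency-versus-impact point concrete, here is an added example (my own illustration, not code from the article, from DHS, or from the FAIR standard's reference model): a deliberately simplified FAIR-style calculation in Python. It keeps the headline loss magnitude fixed and only varies the things Jamison lists, how often an actor reaches and acts on a system, and whether basic protocols are enacted against the attacker's capability. The threat-capability and control-strength distributions, the contact frequency and the dollar figure are all constructed for illustration and are not measured data about any real control system.

```python
"""Simplified FAIR-style estimate: why frequency matters as much as impact.

Added example, not part of the original post or of the FAIR standard itself.
Uses FAIR's basic decomposition:
    Vulnerability (Vuln)           = P(Threat Capability > Control Strength)
    Loss Event Frequency (LEF)     = Threat Event Frequency (TEF) x Vuln
    Annualized Loss Exposure (ALE) = LEF x Loss Magnitude
Every distribution and number below is constructed for illustration only.
"""
from itertools import product

# Discrete distributions as {value on a 0-100 scale: probability}.
# Constructed: most actors who reach a control system lack the skills and
# resources to damage equipment; a small fraction has both.
THREAT_CAPABILITY = {20: 0.50, 50: 0.30, 80: 0.15, 95: 0.05}

# Constructed control-strength distributions for the two conditions the
# DHS quote describes: basic protocols not enacted vs. enacted.
CONTROLS_NOT_ENACTED = {10: 1.0}
CONTROLS_ENACTED = {70: 0.6, 90: 0.4}


def vulnerability(threat_capability, control_strength):
    """P(threat capability exceeds control strength), computed exactly over
    the two discrete distributions rather than by sampling."""
    total = 0.0
    for (tc, p_tc), (cs, p_cs) in product(threat_capability.items(),
                                          control_strength.items()):
        if tc > cs:
            total += p_tc * p_cs
    return total


def threat_event_frequency(contact_freq, p_action):
    """TEF per year: how often an actor reaches the system times the
    probability that the actor chooses to act against it."""
    return contact_freq * p_action


def annualized_loss(tef, vuln, loss_magnitude):
    """ALE = LEF x loss magnitude, where LEF = TEF x Vuln."""
    return tef * vuln * loss_magnitude


def scenario(contact_freq, p_action, controls, loss_magnitude):
    """Return the intermediate FAIR factors and the resulting ALE for one
    control-strength assumption, holding the loss magnitude fixed."""
    tef = threat_event_frequency(contact_freq, p_action)
    vuln = vulnerability(THREAT_CAPABILITY, controls)
    return {
        "tef": tef,
        "vulnerability": vuln,
        "lef": tef * vuln,
        "ale": annualized_loss(tef, vuln, loss_magnitude),
    }


if __name__ == "__main__":
    # Constructed: one capable-or-not actor reaches a system per year and
    # half of them act; the loss magnitude is a headline-sized dollar figure.
    LOSS = 7.0e11
    for label, controls in (("not enacted", CONTROLS_NOT_ENACTED),
                            ("enacted", CONTROLS_ENACTED)):
        s = scenario(contact_freq=1.0, p_action=0.5, controls=controls,
                     loss_magnitude=LOSS)
        print(f"basic protocols {label:12s}: vuln={s['vulnerability']:.2f} "
              f"LEF={s['lef']:.3f}/yr  ALE=${s['ale']:.3e}")
```

With the constructed numbers the loss magnitude never changes, yet enacting the basic protocols drops vulnerability from 1.00 to 0.14 and the annualized exposure by the same factor of about seven. That is the part of the picture a "40 to 50 hurricanes" headline leaves out: the impact figure is only one multiplicand, and the compensating controls and the attacker's real skills and resources sit in the others.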
Regardless of the above, given my small, small sample size in the industry, I also thought it was interesting to hear the following:
"Of all our industries, there are only a couple — perhaps banking and finance and telecommunications — that have better cyber-security or better security in general than electric power," Borg said.
One final thing to note: It’s not like we don’t have priors here…
2003 blackout images from Wikipedia…
(via RiskAnalys.is)
September 27, 2007, 8:41am