The Industrial Security Incident Database
In early 2001 a security research team at the British Columbia Institute of Technology (BCIT) was asked by a major petroleum refining facility to investigate the possibility that their control systems could be impacted by cyber-related events such as hacking or viruses. In the course of this study it became apparent that accurate historical data on cyber impacts was badly lacking in the SCADA or process industries, thus making accurate risk assessment extremely difficult.
To address this shortcoming, the authors founded ISID with assistance from Justin Lowe of PA Consulting. Modelled after similar safety-related databases in the process industries, ISID is intended to serve as an industry-wide repository for collecting, analysing, and sharing high-value information regarding cybersecurity incidents that directly affect SCADA, manufacturing, and process control systems. It provides an historical representation of industrial cybersecurity incidents from which industry can gain a realistic understanding of the risks associated with industrial cyber threats. It also gives its members reliable information support for adapting current security policies to reflect the changing dynamics of industrial cybersecurity. ISID attempts to address questions such as:
- Which cybersecurity incidents are fact and which are urban myth?
- How urgent is the security risk to control systems?
- What security vulnerabilities are exploited?
- What are the threat sources?
- How serious are the consequences?
Incidents are obtained from either organisations voluntarily submitting a reporting form to ISID investigators, or from ISID staff harvesting reports from public sources such as the Internet, discussions at SCADA/industrial cybersecurity conferences, and relevant industrial publications. When an event is either submitted by an ISID member or noted in a public forum, it is reviewed and verified by the ISID researchers.
As of June 30, 2006, there are 116 incidents that have been investigated and logged in the ISID database, with 12 incidents pending investigation and entry. Of these 116 records in the database, nine with a reliability of Unknown or Unlikely and one with the reliability of Hoax/Urban Legend were excluded from analysis. An additional incident was also excluded because it had null data in the event date field and could not be used to obtain trend data. This left 105 records that were used for the analysis presented in the remainder of this report.