Joe Weiss has been been conflating Cyber Incidents with Cyber Security Incidents for a while now, primarily by leaning on the NIST FIPS-200 definition of an Incident:
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability (CIA) of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Incidents may be intentional or unintentional.
Now Joe is banging the drum that the BP Oil Spill was a cyber incident, and promoting discussions on the BP Oil Spill cyber incident at his WeissCon event in September. This is a stretch because all we know is a technician said a Window’s based historian was experiencing the “blue screen of death” in the weeks prior to the spill, but let’s take the leap that the computer was out and critical data wasn’t available leading to poor decision making and the spill.
I’ve discussed this with Joe in an earlier podcast, and it is not an idea I can disagree with completely. Sound control system’s IT practices, such as backup and recovery testing or designing a resilient network infrastructure, do have an impact on control system security. However if every problem that involved a computer or data communication is lumped in with cyber security technical and administrative security controls I believe it makes it harder to progress. Sometimes there are benefits to splitting up large issues and addressing smaller components.
There is a credible discipline now for designing, implementing and maintaining security controls to address identified threats. And there is a growing discipline for applying this to control systems. Having these disciplines focus on cyber security incidents is wise — and a plenty big challenge without addressing if an addressing scheme is correct, a process is designed properly, an operating system has a memory leak, …
I’m not saying these other areas are unimportant. They are and other disciplines are addressing them, some better than others.
So after some thought I finally came up with a possible solution. Rather than rolling these up into a Cyber Incident, we should be dividing Cyber Incident’s into a small set of sub-categories and address them this way. For example, Stuxnet appears to be a Cyber Security Incident. The BP Oil Spill could be classified as IT design incident since a critical Windows computer affecting the entire rig should have redundancy. Then we can get about addressing these different types of incidents with a more focused approach.
Are there any existing taxonomies that break out “Cyber Incidents”? Any ideas?