The Verizon Data Breach Investigations Report (DBIR) is as interesting for the unexamined risks as it is for the examined ones. If you look at the cyber assets on which the report gathered security data (page 10), there is not a single industrial control system (ICS) category listed. Why is this important? Because ICS are the systems that have direct responsibility for running volatile chemical and oil refining processes, producing electricity and clean water, and delivering many other products and services upon which we rely in our daily lives. They are the systems that prevent industrial accidents, which can have severe environmental, safety, or financial consequences for a company. So, if we are examining risk in critical infrastructure industries, such as manufacturing and utilities, why are we missing data on the systems that matter most?
Yes, cyber espionage and ransomware are bad; they can cause serious financial loss, and we must defend against these kinds of attacks. The problem is that corporate budgets and resources are finite, which means we need to look at risk comprehensively if we are to make good allocation decisions. Unfortunately, reports that only focus on information technology (IT) systems and don’t include ICS perpetuate an environment of risk that outsider and insider threats will eventually exploit.
As an industry and a country, we must prioritize protecting our critical infrastructures, including the vulnerable and complex control systems that run them. Leaving these systems out of the conversation will not protect us. Cyber attacks are the weapon of choice for nation-states, hackers, and criminal gangs, which makes them the new WMD. The consequences are high when it comes to industrial control systems. Let’s start talking about them.