Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security IT

Nobody Is Sure What Should Count As a Cyber Incident 49

chicksdaddy writes: Despite a lot of attention to the problem of cyber attacks against the nation's critical infrastructure, The Christian Science Monitor notes that there is still a lot of confusion about what, exactly, constitutes a "cyber incident" in critical infrastructure circles. The result: many incidents in which software failures affect critical infrastructure may go unreported.

Passcode speaks to security experts like Joe Weiss, who claims to have a list of around 400 incidents in which failures in software and electronic communications lead to a failure of confidentiality, integrity or availability (CIA) — the official definition of a cyber incident. Few of them are considered cyber incidents within critical infrastructure circles, however. His list includes some of the most deadly and destructive public sector accidents of the last two decades. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham Washington that killed three people and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.

While official reports like this one about the San Bruno pipeline explosion (PDF) duly note the role software failure played in each incident, they fail to characterize them as 'cyber incidents' or note the cyber-physical aspects of the adverse event. Weiss says he has found many other, similar omissions that continue even today. He argues that applying an IT mindset to critical infrastructure results in operators overlooking weaknesses in their systems. "San Bruno wasn't malicious, but it easily could have been," Weiss notes. "It's a nonmalicious event that killed 8 people and destroyed a neighborhood."
This discussion has been archived. No new comments can be posted.

Nobody Is Sure What Should Count As a Cyber Incident

Comments Filter:
  • by Anonymous Coward on Monday March 23, 2015 @06:02PM (#49323969)

    it is a cyber incident. That is all.

  • Cyber "Attacks" (Score:5, Interesting)

    by Fire_Wraith ( 1460385 ) on Monday March 23, 2015 @06:04PM (#49323983)
    Probably the first hurdle to pass in defining "cyber incidents" (and setting aside the overuse of the cyber- prefix in the present day and age) is the fact that non-technical, and in some cases even non-IT Security people really don't have a good basis for discerning what is or isn't significant. I'm reminded of one news article where the NYPD (or some similar state/local agency) announced that they suffered something like 500,000 "cyber attacks" from Chinese and other IP addresses in the span of several months. The nature of those attacks?

    Port Scans.

    Further complicating this is the fact that there's a lot of money involved. "There are lots of attacks, so you should buy my services" or "My agency gets attacked, so I need funding for security" are common themes. That's not to say there isn't a threat, or that attacks don't occur; just that some people have an incentive to turn up the threat meter, which makes establishing a clear answer more difficult. It's very easy to play with the definitions to turn out numbers of "incidents" without sufficient context. I easily see untold numbers of bad things in any given day; but most of those are automatically handled by the existing systems. Should those be counted, or are we only concerned with things that actually cause noticeable impact beyond my monitoring screen?

    Lastly, when we say "incident", are we talking about operator/programmer/etc error, or are we talking about deliberate malicious action? By Weiss's definition, we're including the former, but that's quite a stretch to equate them to "attacks." Even if those incidents should probably be of concern, though, do they fall under Security's purview, or should they have been handled by some other business unit? As an IT Security professional, my job is to protect the network - it's not to make sure that everyone in the company is doing their jobs correctly.
    • According to the article, they define incident as..

      failure in electronic communications leads to a loss confidentiality, integrity, or availability.

      So a operator or programmer error making privileged information available is an incident.

      Someone trying to brute force their way into a FTP server and reaching the connection limit, is a denial of service, and therefor also an "incident".

      I've used it both ways, depending on the context. I break it down to "tries" and "got in".

      "Tries" justifies the budget for I

  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Monday March 23, 2015 @06:10PM (#49323997)
    Comment removed based on user account deletion
  • that means ever-dam-thang.
    • by beh ( 4759 ) *

      Nonsense man!

      You should just know, that it ONLY qualifies as a cyber incident, if it hits _OTHERS_.

      If we are hit ourselves, it was nothing to begin with and doesn't need reporting... ;-)

  • The "critical infrastructure results in operators overlooking weaknesses in their systems" is to be expected with the removal of local staff on site 24/7 replaced by automated or vast networked systems.
    That reduced expensive union staff and allowed a smaller set of skilled workers to do the jobs of many. Great for profits as paying for less workers but the huge networks used might not always be dedicated and hardened or secure.
    So vast amounts of maintenance, observation and operational use is expected
  • Really anything that has to do with online, sexual harassment should qualify. I don't see why we should restrict it.
  • There's a cabal of irresponsible (at best) and insane (at worst) organizations that publicly disclose the private information of citizens and members of government to further their own financial and political ends. We call them businesses.
  • by fuzzyfuzzyfungus ( 1223518 ) on Monday March 23, 2015 @06:31PM (#49324071) Journal
    Isn't 'cyber-incident' the sort of bullshit term that is more or less designed to be slippery, and thus useful for both alarmism and obfuscation as the situation requires?

    It's vague enough that the most harmless script-kiddie probing for easy targets could theoretically be totted up as a 'cyber incident', regardless of harm, if you were attempting to make the world out to be a place so dangerous that your budget definitely needs to increase; but also allows some classes of security failure to not be 'cyber'(if, say, social engineering was employed at some point); and also leaves considerable flexibility over what qualifies as an 'incident'(potentially pulling tens or hundreds of individual occurrences under one 'incident' if you are trying to look more competent, or breaking out every record spilled in one DB breach if you are attempting to look more embattled).

    Why try to define it if we can just set it on fire, salt the ashes, and pretend it was never coined?
    • Isn't 'cyber-incident' the sort of bullshit term that is more or less designed to be slippery, and thus useful for both alarmism and obfuscation as the situation requires?

      And for everybody and their brother to grab power.

      Schneier had a good analogy with the Sony hack, and his rubrik is a good one - take what happened online and make the closest physical-world analogy you can. The Sony hack was equivalent to somebody sneaking into Sony HQ and photocopying a _lot_ of documents.

      Clearly a violation, but now t

    • by Anonymous Coward

      *Any* use of the term "cyber" in front of anything except maybe "cyberpunk" is not only slippery, it implies that you're a .gov idiot who believes that term makes you sound like you know how to turn on your computer without the assistance of the IT department.

  • ..any incident that involves control and feedback systems [wikipedia.org].
  • Wow, to classify the 1999 Bellingham Pipeline Explosion a "Cyber Incident" is a BIG stretch. That was an industrial accident, with mechanical failure as a significant component. Just because there was computer monitoring equipment, does not mean it was a "Cyber Incident".
  • should involve these guys. [wikipedia.org]
  • A growing number of elite athletes competed in Nike footwear. Runner Mark Covert was the first athlete to wear Nike shoes across a finish line. Nike shoes got their first endorsement by a professional athlete when Romanian tennis personality Ilie Nastase signed on to wear Nikes on the court. It is a time for Nike to increase visibility Nike Free pas cher [linfrtn.com] . The year 1984 saw the signing of basketball megastar Michael Jordan to an endorsement contract, followed by the 1985 release of his signature shoe, the A
  • In the time it will take me to type this post I will get at least one wp-admin request from my server (without WordPress) plus I will probably have an assortment of other odd requests looking to exploit various server weaknesses for web servers that are different than mine; Various cgi attacks and so on.

    Needless to say these aren't terribly troubling, generally the worst they do is to pollute my logs with crap. The main problem with these sort of "attacks" is that fear mongers will use them to justify gi
  • Just who in their right minds connects critical infrastructure to the cybertubes? I call BS on this whole story ..
  • From what I've learned so far, people who use the word "cyber" should not decide about anything concerning security.

    (btw, "to cyber" means "to have a dirty talk/chat online" from what I've seen how people use this awful term)

    • Agree 100% -- Cyber is the word these security clowns that just confirms it used by idiots. We don't need to replace "Virtual" or "Online" with yet another dumb term.

      Almost as bad as the retards who use "Task Force"

  • "Nobody is sure" ... yeah, right. How about coming up with some kind of scale first? There's scales to classify everything from nuclear accidents to signs of extraterrestrial intelligence.
  • How about if the severity is a not a polarized boolean value for.... wait for it.... shades of grey!

    Here are some words to add to your dictionary for those troubled by such a story:
    continuum, continuous, polarized, grey shades, black and white, degrees, magnitude.
  • I thought the official definition was once the event shows up as a thinly veiled plot on CSI:Cyber. Just like a regular crime used to become an important national conversation once it was an episode of Law and Order...

  • Certainly the free market will sort all of this out. Companies/government that fail to secure their critical infrastructure will crash and burn, those that don't profit!

  • Comment removed based on user account deletion
  • Comment removed based on user account deletion

Fast, cheap, good: pick two.

Working...