Pulled from a posting I made to SCADASEC:
Hard to believe that only 54 percent of those surveyed knew who to call in the event of a cyber incident or attack.
Why is this hard to believe? I think it’s not only hard to believe but
also somewhat astounding that we live in a world where we legitimately
expect a substantial percentage of our control systems operators to
have to know this information. Think about it. We’re not asking them
to be prepared for a hurricane, we’re asking them – businesses – to
have the knowledge and capability to participate (even if, in some
cases, minimally) in what is becoming global conflict (the delineation
between crime, war, espionage, vandalism, etc is really immaterial to
that statement). This isn’t a series of potential incidents, it’s an
effective siege environment. Sieges drain resources, drain morale,
and need a serious strategy to break, or those inside get overwhelmed
eventually. Even with or without actual (public) incidents, the effect
is the same here.
Fifty-three percent of respondents have experienced at least one malicious cyber attack on their control system networks and/or cyber assets— ** that they were aware of- ** within the past 24 months“. – WOW!
I can’t emphasize enough how…irrelevant….”incident” and “attack”
incidences are when taken individually, or even as concepts that can
be individualized and counted. The long term damage will be in
environmental predictability, resource allocation, trust, and
increasing cost of doing business. Maybe something really bad might
happen as an event, but whether it does or not, the foundational
environment can’t sustain this level of conflict and risk indefinitely
without cascading consequences.
Instead of concentrating on managing incidents, responding to
incidents, etc, we should be taking a serious look at what
environmental (technical, legal, social, political) changes we can
make to break the overall siege. Anything focused on incident
management directly is a two edged sword: It keeps us feeling like
we’re treading water at the cost of resources dedicated to fixing the
long term problems (and incident management capability for individual
organizations is *not* solving a long term problem).
All In My Late Night Humble Opinion. Take it as you will.