What is a “cyber security incident”?

This past week I was listening to the Digital Bond podcast for July, 2008.

One of the topics was whether or not the Hatch Nuclear Power Plant incident constitutes a cyber security incident.

About the Hatch incident:

The computer in question was used to monitor chemical and diagnostic data from one of the facility’s primary control systems, and the software update was designed to synchronize data on both systems. According to a report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant’s radioactive nuclear fuel rods. As a result, automated safety systems at the plant triggered a shutdown.

Southern Company spokeswoman Carrie Phillips said the nuclear plant’s emergency systems performed as designed, and that at no time did the malfunction endanger the security or safety of the nuclear facility.

Phillips explained that company technicians were aware that there was full two-way communication between certain computers on the plant’s corporate and control networks. But she said the engineer who installed the update was not aware that the software was designed to synchronize data between machines on both networks, or that a reboot in the business system computer would force a similar reset in the control system machine.

Washington Post.com

The guests on the podcast seemed to be making sometimes contradictory arguments for why the incident was not a cyber security incident.

Arguments included whether or not the participant had malicious intent, or whether or not any ‘real’ damage was caused.

I suspect that if you are in a regulated space where an event that is considered “cyber security” carries significant regulatory implication, then you would be motivated to call an event anything but a cyber security event.

But let’s back up a second.

Information security seeks to ensure the confidentiality, availability, and integrity of information.

If an event affects any of those three, then it is a breach of information security.

If, when we refer to cyber security, we are really talking about digital information and information system security, does that somehow preclude the provision of confidentiality, availability, or integrity?

I think not.

Indeed, I think a proper definition of cyber security is the assurance of confidentiality, availability, and integrity of digital information and information systems.

The Hatch incident was a cyber security event by definition.

Let’s not try to confuse this stuff; it’s already hard enough.

Bill
