The move from proprietary, non-networked control systems in the plant to off-the-shelf, open applications that share information across industrial and business networks is a double-edged sword for manufacturers. On one side, people are more productive; on the other side, SCADA and process control systems are falling victim to hackers and network viruses.

Getting a handle on how to manage cyber-threats, however, has always been a bit tricky. Reporting an industrial incident to organizations such as the government-backed CERT program, which tracks Internet and network security attacks, accidents, and failures, could expose a company’s network vulnerability or create a legal liability. As a result, many manufacturers keep a lid on their own security issues, which limits knowledge sharing that could help the industrial community as a whole.

Enter the Security Incidents Organization, a newly formed non-profit group that provides public access to its Repository of Industrial Security Incidents (RISI). Established in July, the group maintains an industry-wide repository for collecting, investigating, analyzing, and sharing critical information regarding cyber-security incidents that directly affect SCADA and process control systems.

The RISI database dates back to 2001, when it was housed at the British Columbia Institute of Technology (BCIT) as part of a research project that was shut down in 2006. At that time, BCIT faculty member Eric Byres purchased the database and continued to collect data on incidents. His company, Byres Research, was acquired by safety and security services firm exida earlier this year.

Exida’s intent was to resurrect the database and make it available to the industry in a cost-effective model. “We also had to figure out a way to incentivize companies to report incidents so that it is not a static database, but dynamic and growing,” said John Cusimano, exida’s director of security services and the executive director of the Security Incidents Organization.

To encourage participation, the group, which is directed by an advisory board of manufacturers, vendors, and consultants, will provide a complimentary three-month membership (or extend a current membership for three months) with each unique incident reported. Basic introductory membership is $195 per year for an individual, but corporate memberships are available, as well as incident and analysis reports for an additional fee.

The group researches each reported incident before posting it in the database, which is the real value of the service. “The purpose of the database is to separate fact from fiction,” Cusimano said.

Currently, there are 154 incidents in the database related to industry cyber-security. The majority of cases have been from outside attacks. Some are accidental events, such as a virus or worm that gets into the business network and works its way into the control system. Then there is the problem of the disgruntled employee. “There are not a lot of those, but the amount of damage they do is significant,” Cusimano said.

While the vast majority of cases reported involve a line shutdown that disrupts production, worst-case scenarios involve disabling safety systems or altering production so that a product is not salable or does not meet specification. The goal of the RISI database is to provide manufacturers with a tool that helps avoid such catastrophic situations.