The move from proprietary, non-networked control systems in the plant to off-the-shelf, open applications that share information across industrial and business networks is a double-edged sword for manufacturers. On one side, people are more productive; on the other side, SCADA and process control systems are falling victim to hackers and network viruses.
Getting a handle on how to manage cyber-threats, however, has always been a bit tricky. Reporting an industrial incident to organizations such as the government-backed CERT program, which tracks Internet and network security attacks, accidents, and failures, could expose a company’s network vulnerability or create a legal liability. As a result, many manufacturers keep a lid on their own security issues, which limits knowledge sharing that could help the industrial community as a whole.
Enter the Security Incidents Organization, a newly formed non-profit group that provides public access to its Repository of Industrial Security Incidents (RISI). Established in July, the group maintains an industry-wide repository for collecting, investigating, analyzing, and sharing critical information regarding cyber-security incidents that directly affect SCADA and process control systems.
The RISI database dates back to 2001, when it was housed at the British Columbia Institute of Technology (BCIT) as part of a research project that was shut down in 2006. At that time, BCIT faculty member Eric Byres purchased the database and continued to collect data on incidents. His company, Byres Research, was acquired by safety and security services firm exida earlier this year.