Has all the recent news about Stuxnet got you worrying more about malware these days, and the risks to your company’s control systems? Well then, the Security Incidents Organization (SIO, www.securityincidents.org) has got a deal for you!
“For a limited time,” says a recent announcement from the non-profit organization, the SIO is offering a 25 percent discount on all new RISI memberships and membership renewals. What’s more, if you sign up now, your company will also receive a newly released RISI report providing a study of more than 50 control system incidents caused by malware such as viruses, Trojans and worms.
What’s RISI? It is the Repository of Industrial Security Incidents, a member-supported database of industrial control-system cyber-security incidents that is billed as the largest known database of its kind. Its purpose is to collect, investigate, analyze and share important industrial security incidents among member companies so that they can learn from the experiences of others. RISI includes accidental cyber-related incidents, as well as deliberate events that have resulted in loss of control, loss of production or a process safety incident.
50 new incidents
Initially established in 2001 at the British Columbia Institute of Technology, the RISI database fell dormant for a time after 2006, but was revived in mid-year 2009, when the Security Incidents Organization was formed as a non-profit organization to oversee it. The organization is supported through corporate memberships. Since its formation, the SIO has confirmed and added about 50 new cyber incidents to the database, bringing the total to more than 200 incidents today, including one caused by the now infamous Stuxnet virus, says John Cusimano, SIO managing director.
Stuxnet is a highly sophisticated piece of malware discovered last summer that specifically targets industrial systems using Siemens WinCC supervisory control and data acquisition (SCADA) systems. The worm has been the subject of much investigation and press coverage. “There’s been a lot of speculation about the number of sites that have been affected by Stuxnet, but so far, we’ve only been able to absolutely confirm one,” says Cusimano, who notes that only incidents that can be reliably verified are included in RISI. While Siemens has reported that as of Nov. 22, it was aware of 22 Stuxnet infections in industrial environments at customer sites, the vendor “has not provided any detail on where they are,” Cusimano notes.
The single Stuxnet incident that has been included in the RISI database involves an attack on uranium enrichment centrifuges in Iran, which has been confirmed by an official of the Iranian nuclear program, says Cusimano. The SIO is attempting to track down more verifiable cases, he adds. “We’re trying to team up with some of the antivirus companies to see if we can get more leads.”
The Security Incidents Organization currently offers three levels of membership. Non-discounted prices range from $995, which includes three months access to the RISI online database, up to $9,995 for an annual Corporate membership that includes 12 months of RISI access, plus various reports and services. All three levels, including the mid-range $3,995 membership, are subject to the 25 percent discount special, which runs through the end of 2010. To receive the discount, those who sign up on the RISI Web site should use the Coupon Code 252010 upon checkout, according to the announcement.
SIO membership now totals around 50 companies, says Cusimano. The addition of two recent member sign-ups has now enabled the organization to reach its goal of breaking even financially, he says, about 18 months after its formation. “It’s a non-profit, so if we start operating in the black, we can actually either invest in new services or lower our rates.” The 25 percent discount is designed to provide some added sign-up incentive for companies “that might have some residual budget that they need to spend” before the end of this year.
The new “Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems Resulting from Malware Infections,” which new members will also receive, should provide added incentive, Cusimano adds. It specifically focuses on incidents from the RISI database that were caused by malware, as opposed to other causes, such as outside hacking incidents, disgruntled employees or accidental occurrences.
Not the first
“We thought it would be of interest to people, in light of Stuxnet, to understand more about the threat of malware in control systems, and to show that although Stuxnet is the first targeted piece of malware for control systems, it’s definitely not the first piece of malware that has gotten into a control system and caused problems,” says Cusimano.
In fact, for companies that do not appear to have been the target of Stuxnet attacks, the impact of Stuxnet infections so far appear to have been “rather benign,” according to Cusimano. Other malware in the past has done more widespread damage, he says. “There are numerous incidents of the SQL Slammer that came out around 2003 that caused millions of dollars in lost production.”
Security Incidents Organization