It’s been a long wait. But finally, the database of industrial cyber security incidents formerly housed at the British Columbia Institute of Technology (BCIT) is coming back to life.
Automation World first reported in April 2008 that Eric Byres—the former BCIT research faculty member who oversaw the database—had secured funding from “a large government body” to revive the database. That funding, as it turned out, was not enough to make it happen, reports John Cusimano, director of security services at exida (www.exida.com), a Sellersville, Pa.-based safety and security services firm.
But when exida earlier this year acquired Byres Research Inc., of Lantzville, British Columbia, Canada, the deal provided the catalyst to resuscitate the database, which had been dormant since Eric Byres left BCIT in mid-2006. “When we got the exida deal together, we finally found the resources, the analysts, the money…all the stuff you need to jump-start something like this,” says Byres, chief technology officer of Byres Research, now part of exida.
The result was the July 20 announcement of the newly formed non-profit Security Incidents Organization (www.securityincidents.org), which will provide public access to the Repository of Industrial Security Incidents (RISI), as the database will be called going forward. Cusimano, whom Byres says has “done all the heavy lifting” on the initiative, will serve as managing director for the Security Incidents Organization, overseeing an advisory board of industrial automation users, consultants and suppliers.
RISI is an industry-wide repository for collecting, investigating, analyzing and sharing critical information regarding cyber-security incidents that directly affect supervisory control and data acquisition (SCADA) systems, manufacturing and process control systems. The kind of information collected can serve as a valuable resource to industrial organizations in developing their own cyber-security strategies, sources agree.
“When we acquired Byres and we got the RISI database along with it, a number of companies expressed an interest in getting access to the data, so we started putting together a model for taking it public, and making it accessible to everybody,” Cusimano explains. That model turned out to be a 501(c)(3) non-profit organization that will depend upon product sales to achieve break-even financial status for the Security Incidents Organization. “It’s not trying to make a profit, but obviously, we need to cover costs,” Cusimano observes.
The RISI database includes accidental cyber-related incidents, as well as deliberate events such as external hacks, denial-of-service attacks and virus or worm infiltrations that did or could have resulted in loss of control, loss of production or a process safety incident. Security incident data is obtained from three sources—private incident reports submitted by industrial companies, searches for publicly reported incidents and data sharing agreements with various organizations.
Is it real?
Once an incident report is received, it is reviewed and investigated by RISI researchers to verify its accuracy. Each incident is then assigned one of four reliability ratings, ranging from “confirmed” to “known hoax/urban legend.” To protect the confidentiality of contributors, information that could identify the source of the incident is removed.
The Security Incidents Organization has already hired an investigator/analyst to handle this work, says Cusimano. The RISI database contained between 110 and 120 incidents at the time that it was acquired by exida, and that has now been expanded to 151, as of the end of the second quarter, according to Cusimano. He expects that new incidents will be added to RISI at a rate of about eight to 10 per month going forward.
RISI “products” will include both online and hard-copy reports providing analysis and details of incidents. Quarterly reports will be available on an individual or annual subscription basis, with prices ranging from $1,995 for a single online RISI Analysis Report up to $10,595 for a subscription bundle providing a total of eight hard-copy analysis and comprehensive incident reports.
Anyone can purchase a report or subscription, but RISI members receive a 10 percent discount, which more than offsets the $195 annual individual membership fee, Cusimano points out. Additionally, anyone who contributes a unique incident to the database receives a complimentary three-month membership. Members receive various benefits, including monthly e-newsletters and “Incident of the Month” reports. “Our goal is to have around 200 members within the first year,” says Cusimano.
Beyond product sales, the non-profit Security Incidents Organization is also pursuing various public grant sources to help offset costs, adds Cusimano. “Our goal is to make this information affordable for everyone.” More information is available on the Security Incidents Organization Web site.
Security Incidents Organization