New Life for Industrial Security Incident Database

The Industrial Security Incident Database (ISID) is coming back to life.

That’s the word from Eric Byres, who oversaw the database—a repository of information on industrial cyber security incidents—during his years as a research faculty member at the British Columbia Institute of Technology (BCIT), in Burnaby, British Columbia, Canada.

After Byres left BCIT in mid-2006, the ISID fell dormant. “There was no internal support [at BCIT] and nobody driving it,” says Byres, chief technology officer at Byres Security Inc. (www.byressecurity.com), in Lantzville, British Columbia, Canada. But now, “we’ve finally found a little funding, and we’re going to start an organization we call the ISID Institute to run the Database,” Byres told Automation World recently.

The source of the funding cannot yet be revealed, says Byres, pending an official announcement, which he expects will come this month. “But let’s just say it’s a large government body.”

During several years of operation at BCIT, reports from the database were issued intermittently, based on individual funding obtained on a report-by-report basis from corporate or government sources. But the new source of funding will be more stable and ongoing, according to Byres.

As was the case at BCIT, the ISID Institute will collect information on cyber security incidents affecting industrial controls and supervisory control and data acquisition (SCADA) systems. Industries covered will include water/wastewater, power, oil and gas, and manufacturing.

The kind of information collected in the database can serve as a valuable resource to industrial organizations in developing their own cyber security strategies, sources agree. Among other initiatives, Wurldtech Security Technologies Inc. (www.wurldtech.com), a Vancouver, British Columbia, Canada-based provider of cyber security solutions, recently announced the launch of its Delphi industrial cyber security incident database (Automation World, April, p. 21). But there is currently no central repository for industrial cyber security incidents.

“They’re hard to run,” says Byres. “I know DHS (the U.S. Department of Homeland Security) tried to build a database, but I don’t think they had a lot of traction. People are really reluctant to give you their dirty laundry unless they’re really sure that it’s not going to show up in the ‘The New York Times’ the next morning, or in a government file somewhere,” he asserts. “So the system that we set up at BCIT, and that we’re going to set up here, really is able to protect the identity of the contributors.”

Byres says he is uncertain whether BCIT will maintain any involvement with the new ISID Institute.

Wes Iversen
More in Control