Overhyped Media Reports Bad For ICS Security, Experts Say
(SecurityWeek / Ed Kovacs) – Overblown media reports describing critical infrastructure incidents can have a negative impact on cybersecurity in the industrial control systems (ICS) sector, experts have warned.
The number of attacks aimed at ICS has reportedly increased in the past year and several incidents have been disclosed to the public. However, some of the mainstream media reports covering these attacks have been sensationalized or inaccurate.
For instance, reports of an incident involving the Burlington Electric Department in Vermont initially led the public to believe that the electric grid was breached, when in reality only a computer that was not connected to the grid was affected. In some cases, such as the attack targeting a small dam in New York, overhyped reports are fueled by statements made by representatives of the government.
SecurityWeek has reached out to several industrial security companies and some believe that media reports can have a positive impact on ICS security, especially when it comes to raising awareness, but only if the reports are accurate.
“Reporting on these types of incidents is a very good thing, if and only if the reporting is accurate and objective,” said Lane Thames, software development engineer and researcher at Tripwire. “Awareness is very important here. However, there is too much reporting hype in our industry, so sensationalized reporting is a very bad thing.”
Robert M. Lee, CEO and founder of Dragos, Inc., is also convinced that overblown reports can have a negative effect.
“It is common for folks to want to believe that a bit of hype or sensationalism will help encourage folks to invest more in security, but it often has one of two negative impacts,” Lee said. “Either the company invests resources in security to fight off the hyped threat, which means that the resources are not focused on the real threats, or the company gets fatigue from the hyped stories and decides to not invest at all.”
Eddie Habibi, CEO of PAS, agrees and believes there is a “quiet desperation” to report on incidents disclosed to the public.
“Unfortunately, when we cry wolf on minor incidents, such as the Vermont laptop infection, it becomes harder and harder for critical infrastructure companies to discern what the real threats are. Focusing on real, confirmed risks allows industry to make better, more targeted investment decisions,” the expert said.
Stephen Ward, senior director at Claroty, believes the key is collaboration between the media and the industry.
“Raising awareness of ICS security is always a good thing – especially given how far behind ICS security is in comparison to IT…that said, when these conflations occur it has the dual effect of raising awareness on the one hand and then ‘writing off’ the seriousness when the conflation is realized,” Ward said. “Better understanding across the board is required – we’re happy to be helping drive that with our friends in the media.”