Control System Cyber Incident Reporting Protocol

Information sharing about cyber incidents that affect the normal, safe operation of industrial control systems is not well coordinated or standardized across critical infrastructure sectors of the economy. Consequently, there is little situational awareness about the frequency, type and extent of control system cyber incidents, a deficiency with potential national security implications. Control system disruption due to cyber rather than physical means is increasingly a concern of industry and government. More and more control systems use commercial off-the-shelf computer technology and are interconnected with business enterprise systems and the Internet. Not only are control systems in different sectors interdependent, but the commonality of technology means that all sectors face a common cyber threat. These common cyber threats and vulnerabilities present the opportunity for common solutions to be adopted across industry sectors. The solutions include the elimination of vulnerabilities in control system designs and implementations. But with constantly evolving technology and the ever-present threat of cyber attack, tools are needed to support the early detection and timely reporting of control system cyber incidents. A Raytheon-led team is working in consultation with industry and government to define a standard protocol and data schema for the timely reporting of actual and potential cyber attacks on industrial control systems. Previous efforts to share cyber incident information have encountered barriers, including data confidentiality and detection of novel cyber attack methods. Potential solutions to these barriers and deployment approaches for information sharing tools based on the protocol standard are described.