Does ICS Need A DEFCON Readiness Condition?

With attacks increasing on Industrial Control Systems, it has been suggested that this critical infrastructure in particular have a state of readiness similar to the DEFCON status used in warfare.

Writing in Digital Bond, Dale G Peterson, a SCADA expert and founder of Digital Bond, makes the case for a new SCADACON system. He outlines the conditions for SCADACON 5 (initial spear phishing attacks) to SCADACON 1 (a full on attack). He suggests this a means of sifting through all the warnings and not-quite-warnings that DHS has posted recently around ICS vulnerabilities and attacks. For example, the recent vague warning issued by DHS to gas utilities.

I’m not suggesting anyone actually use this SCADACON scale, but hopefully it is useful in understanding what we are looking for in monitoring actual ICS attacks and useful data.

In my view, DHS / ICS-CERT should not even be issuing warnings until SCADACON 3, and if they cannot provide some level of detail about the ICS-specific nature of the attack it is crying wolf. There are legitimate concerns about protecting data and keeping promises to the companies that have shared the information, but even the following generic statements are examples that would not give any owner/operator identifying information away and still be helpful:

# The attacker has targeted computers on the corporate network with access to the ICS network.
# The attacker included control system information relevant to the ICS in the target company as part of a spear-phishing attack.
# The attacker has attempted to gather information about the control system
# The attacker was probing the network for ICS protocol ports
# The attacker was attempting to login with ICS default credentials
# The attacker was trying to find a way through the corporate / ICS firewall
# The attacker had a rogue HMI / EWS attempting to issue commands to ICS devices
# The attacker was using ICS specific Metasploit modules
# The attacker was trying to load rogue ladder logic and firmware on a PLC