How does RISI collect security incident data?

RISI obtains security incident data from three sources. The primary source is through private incident reports submitted by member companies. Second, RISI analysts continuously search public sources such as legal databases, news groups and the Internet for indications of publicly-reported incidents (such as the Australian sewage spill or the Davis Besse incident). Finally, incidents are collected through data sharing agreements with strategic partner organizations (such as the various ISACs).

What kinds of incidents are contained within RISI?

RISI tracks ANY incident of a cyber security nature that directly affects industrial control systems and processes of any type. This includes events such as accidental cyber-related incidents (assessment related, upgrades, etc.), as well deliberate events such as external attacks, internal attacks, Denial of Service (DoS) attacks, virus/worm infiltrations, remote access attacks, and any other cyber incident that impacted the process environment.

Who can contribute to RISI?

Anyone can contribute an incident to RISI. You don’t need to be a member but in appreciation for submitting a unique incident you will receive complimentary membership for 3 months (or we will extend your current membership for 3 months).

How is confidentiality insured?

All reporting to RISI is strictly confidential. The security of all submitted information is of critical importance to RISI and all sensitive references are removed (and not masked) so there is no risk to the contributor or company. In addition, the investigative database is not available on line so identity data is not at risk from cyber theft.

What is a Reliability Rating and why does RISI do this?

Every incident submitted to RISI is rated according to reliability on a scale of 1 to 4 (1=Confirmed, 2=Likely but Unconfirmed, 3=Unlikely or Unknown, 4=Hoax/Urban Legend). For example, those events where the contributor is a reliable and firsthand witness or where there are official documents available (such as Nuclear Regulatory Commission reports or court documents) are considered Confirmed incidents. In contrast, incidents with secondhand data with limited detail, have unknown sources, or that appear to the researcher to be improbable are given the rating of Unknown or Unlikely. Incidents with a reliability of 3 (Unknown or Unlikely) or 4 (Hoax/Urban) are tracked in the database for historical purposes, but are excluded from all statistical analysis.

What are the methods used for submitting an incident?

There are several methods for submitting. (1) Reporting entities can download the incident reporting form, complete it, and fax it in to the RISI program at the fax number provided (2) Reporting entities can use the provided RISI PGP key to send secure email to the RISI project, and (3) entities can call the reporting team and verbally submit incident information.