Cyber incidents continue to be disclosed. However, they are almost all IT, ransomware, or some other Internet Protocol (IP) network attack. There are very few disclosures of control system cyber incidents. On the other hand, there have been control system cyber incidents that were identified as cyberattacks that weren’t such as the 2021 incident at the Oldsmar, FL water treatment facility. I believe this is because there is no universally accepted definition of a control system cyber incident and lack of control system cyber security training on actual incidents for both the network and control system engineers.
Background
On November 18, 2022, I wrote More than 17 million control system cyber incidents are hidden in plain sight. Most of the 17 million control system cyber incidents in my database were malicious though not IP network-related and therefore wouldn’t be addressed by the National Cybersecurity Strategy or other government cyber security requirements.
On March 23, 2023, I wrote NERC cybersecurity incident reporting is obscuring the truth because it was clear that DOE’s definition of reportable cyber incidents was VERY different than NERC’s.
March 29, 2023 Marin Ivesic wrote the following on the SCADASec blog site in response to my NERC CIP blog: “Last year we ran a survey among OT security owners in Canada. We had over 200 respondents, almost all from CI and asset-intensive industries. The survey asked: “Which of the following consequences has your organization experienced as a result of a cybersecurity incident associated with OT/ICS systems?” and gave them a list of 15 or so choices. In addition to the usual suspects (loss of information, operational downtime, etc.) we got these results:
- 14% Damage to equipment
- 10% Environmental damage
- 7% Injury or death of employees
- 6% Injury or death of general public
We know that cyber-kinetic incidents are happening. Because we respond to some. And Joe is telling us this for years. And because we can see them in unrelated public information (e.g., industrial accident databases I mentioned before). But these numbers shocked even us.”
Equipment damage, major environmental spills, and injuries can’t be hidden. However, without appropriate training and forensics, these incidents are often not identified as being cyber-related. Marin’s results are different from most survey results of OT/ICS cyber incidents but consistent with the cases in my database.
Examples of inadequate government guidance
The February 2021 Oldsmar wastewater treatment plant “cyberattack” was the driving force behind EPA writing their water/wastewater cyber security requirements. However, Oldsmar was NOT a cyberattack, but rather an accident caused by user error associated with insecure remote access. Once this incident was misidentified as a cyberattack, industry didn’t bother to look closer but went “all-in” on it being a cyberattack. CISA issued a risk advisory on the Oldsmar incident. To date, there has been no correction from EPA, AWWA (Kevin Morley from AWWA blogged about Oldsmar being a user error March 30, 2023), Water ISAC, CISA, FBI, or any other industry organization to account for the incident not being a cyberattack. There have been many water/wastewater incidents from insecure remote access including one that enabled remote access from Russia into a wastewater utility’s SCADA system resulting in an equipment impact. It is not clear if the EPA requirements would address these issues. However, it is clear the EPA requirements do not address control system device issues and would not have addressed many of the most significant water/wastewater cyber incidents including those that have caused major environment spills, multiple water hammer incidents, and pumping water from toxic waste sites into drinking water systems. Moreover, most of these incidents were not identified as being cyber-related.
The Colonial Pipeline ransomware attack was not a control system cyberattack but was the impetus for the TSA Pipeline cyber security requirements. Consequently, they were not written to protect the control systems, but the IP networks. Most troubling, the TSA requirements would not have addressed the cyber-related pipeline ruptures that have occurred to date.
The railroad cybersecurity requirements don’t address control system cyber issues. This includes the control system cyber-related issues associated with the 2009 DC Metro Red Line train crash or the recent East Palestine derailment as these were not IP network-related issues.
Conclusions and recommendations
Control system cyber incidents are engineering issues that are more than just IP network issues and need engineering input. The control systems used in industrial and manufacturing environments are common not only in the US but globally. The global aspect is often ignored. Without a common definition for identifying control system cyber incidents, many control system cyber incidents are not being recognized as such. This becomes an issue for the various industry cyber analysis centers such as the Energy Threat Analysis Center (ETAC) which depend on industry input on control system cyber incidents.
Many of the government recommendations are common to all industries as they use the same equipment from the same vendors. Yet the guidance is specific to each industry. Issuing industry-unique recommendations is not helping with information sharing and mutual cooperation between industries. This is why the ISA/IEC-62443 control system cyber security standards are “horizontal” to address multiple industries.