A cyber event is electronic communications between systems and/or people (e.g., operator displays that can mislead the operator) that can affect confidentiality, integrity, or availability. The incident can be either unintentional or malicious.
Cyber incident response starts with the assumption that you can recognize a control system cyber-related event as being a cyber event. However, there is no training for the engineers to recognize an event as being cyber-related and these events are generally not seen on Internet Protocol (IP) networks. Globally, there have been more than 17 million control system cyber incidents that have killed more than 34,000, yet most of the incidents were not identified as being cyber-related.
The gap in identifying control system cyber-related events as being cyber-related occurs throughout all industries as well as in books on process safety where they discuss catastrophic safety incidents without mention of them being cyber-related. It is also evident in US government safety reports and required incident disclosures such as with chemical plants, nuclear power plants, and pipelines not being identified as being cyber-related. The US DOE OE-417 reporting requirements had significantly different results from the NERC CIP results because the definition of reportable cyber incidents was dramatically different. If you define the event as not being cyber-related, you don’t have reportable cyber incidents which has been NERC’s approach for many years to downplay the cyber security threat to the grid.
A recent criminal case highlights some of the ambiguity surrounding what counts as a cyber event and what is considered malicious.
April 25, 2023, eleven people were charged in a scheme to evade air-pollution rules by tampering with software and hardware in heavy-duty diesel engines. At least 362 vehicles, from 2015 to late 2018, were involved. The government said tools and emissions-cheating software were developed by an Italian company and distributed in North America. If you can change engine emission controls, you can change other critical engine configurations. In an April 26, 2023 call with representatives from the automotive and heavy duty truck industry, these incidents were not classified as cyber-related or malicious.
Lack of control system cyber incident reporting internationally
Government and industry approaches on information sharing are focused on vulnerabilities and threats not actual incidents. Examples are given from multiple industries and countries.
An industry approach was launched April 24, 2023 at the RSA Conference - ETHOS. ETHOS is the Operational Technology (OT)-centric, open-source platform for sharing anonymous early warning threat information. ETHOS is a cooperative development in the OT security industry, with the goal of sharing data to investigate early threat indicators and discover new and novel attacks. ETHOS is sharing of threat indicators not actual events.
US government approaches include the Energy Threat Analysis Center (ETAC) and the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
It is not clear how viable the ETAC will be based on the lack of accurate control system cyber incident disclosures by the electric industry as seen by the OE-417 cases compared to the NERC CIP reporting.
CIRCIA requires CISA to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. According to CISA, these reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims. CIRCIA is focused on ransomware, not the thousands of control system cyber incidents that continue to occur.
Internationally, according to the March 2022 Canadian IACS Cyber Security Incident Response Playbook, “A cyber security incident must be declared before proceeding with incident classification. Companies must rely on technical expertise from IACS/OT support team to investigate cyber security or system events and declare a cyber security event when appropriate.” However, there is no guidance to identify cyber security or systems events that could be cyber-related.
The NIS2 Directive is the European Union-wide legislation on cybersecurity. According to NIS2, affected companies must submit an early warning to the CSIRT or competent national authority within 24 hours of becoming aware of an incident, which also allows them to seek assistance for implementing possible mitigation measures. Within 72 hours of becoming aware of the incident, they should provide an incident notification, followed by a final report no later than one month later. However, neither NIS1 nor NIS2 identifies what is a control system cyber event or reportable incident. According to Sinclair Koelemij’s April 10, 2023 blog, “Under reporting is still a serious problem in the European community. If it doesn’t work for safety incidents, how will it ever work for security incidents? Is the NIS directive pursuing an illusion?”
Response
Based on my database and more than twenty years of discussions with governments and industry, it was evident there is a need to clarify what is a control system cyber event. Consequently, I have written a Micro Learning Module for ISA on identifying control system cyber incidents. In the module, I have distinguished between OT network-based events vs engineering-based cyber events because engineering-based cyber events are not addressed by the network security organizations. Engineering-based cyber events can either be independent of the IP networks or use the IP networks to facilitate “changes” without any IP network compromise. Engineering-based cyber events can cause physical damage and deaths. However, there are no cyber forensics nor training to identify engineering-based cyber events as being cyber-related. What will it take for the network security community to recognize that IP network attacks are not the only cyber incidents that require cyber incident response?