ISA MLM-38A ‘Identifying Control System Cyber Incidents’ has been issued
The International Society of Automation (ISA) ISA99, Industrial Automation and Control Systems Security, has approved the peer-reviewed Micro Learning Module (MLM) 38A – “Identifying Control System Cyber Incidents.” Those wishing to see the MLM should send their request to [email protected].
Need for MLM 38A
Every operational technology (OT)/industrial control system (ICS) cybersecurity program ASSUMES that control system cyber incidents can be detected and identified as such. U.S. Supreme Court Justice Potter Stewart famously said in his 1964 opinion that he could not use words to describe pornography, but “I know it when I see it.” Control system cyber impacts are visible – lights go out, pipes leak or break, trains crash, planes crash, etc. However, unlike Justice Potter’s statement, it is very often not evident that cyber played a role which is a hole in the OT/ICS cybersecurity program. It is not just the control system community that is not always able to expeditiously identify an incident as being cyber-related – recall Solarwinds.
In most cases, IT and OT cybersecurity is under the purview of the Chief Information Security Officer (CISO). In most cases, the CISO and CISO’s staff are network security-related experts whose focus is the malicious compromise of IP networks. However, unlike IT cyber incidents, control system cyber incidents do not need to be malicious, nor do they require a compromise of the Internet Protocol (IP) networks. Also, unlike information technology (IT) and OT network cyber incidents that can be identified as being cyber-related with cyber forensics and network security training, many control system cyber incidents are viewed as electrical or mechanical failures because there are seldom cyber forensics at the process sensors, actuators, and serial and point-to-point networks.
Control system engineers and network security engineers are often simply not trained to determine if the control system incident was cyber-related. Many times, sophisticated cyber attackers will make a cyberattack look like an equipment malfunction which makes it difficult to distinguish between a control system cyber incident vs a control system cybersecurity incident. All of this has led to the current confusion as to what a control system cyber incident actually is. Identifying control system cyber incidents without immediate impact is important due to latent threat capabilities and risk of future impacts.
Cybersecurity requirements, technologies, monitoring, testing and incident response planning are based on lessons learned from IP network cyber vulnerabilities and incidents. Not only have control system cyber incidents not been addressed, but operator errors have been identified as cyberattacks leaving a hole in control system cybersecurity programs.
Government and industry approaches on information sharing are focused on IP network cyber vulnerabilities, threats, and IP network cyber incidents, not control system cyber incidents. My non-public control system cyber incident database has identified more than 17 million control system cyber incidents that have directly killed more than 34,000, yet the vast majority were not identified as being cyber-related as they were not IP network compromises. Control system cyber incidents have occurred in every sector. If you can’t identify a control system incident as being cyber-related, the cyber incident response program will not be initiated.
Current state – government
- NIST’s Cybersecurity Framework includes the “Detect” function but doesn’t address control system cyber incidents.
- An industry approach was launched April 24, 2023 at the RSA Conference – ETHOS which is an OT-centric, open-source platform for sharing anonymous early warning threat information but does not address control system cyber incidents.
- The electric industry is recognized as the most critical of critical infrastructures. Consequently, it would be expected that control system cyber incident reporting would be an integral part of DOE and NERC’s response. The electric industry has requirements for reporting electric disturbance events to DOE for the Electric Emergency Incident and Disturbance Report (Form OE-417). NERC’s definition of a “cyber incident” has enabled them to obscure how prevalent control system cyber incidents are in the electric industry. Many actual control system cyber incidents were not identified as being cyber incidents. Other control system cyber incidents that either did not cause a reliability impact or did not meet the reporting threshold also were not included in the OE-417 data. According to the OE-417 data for 2022, there were 35 incidents of complete loss of monitoring or control capability at staffed Bulk Electric System control centers for 30 continuous minutes or more. However, these incidents were not identified as being cyber-related in the OE-417 submittals.
- The Energy Threat Analysis Center (ETAC) is based on the electric industry providing cyber incident disclosures which, as mentioned, is not occurring for control system cyber incidents.
- The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires CISA to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. CIRCIA is focused on ransomware, not control system cyber incidents.
- Nuclear plant cybersecurity standards (Regulatory Guide 5.71, Revision 1 and International Atomic Energy Agency -IAEA) do not address the need to identify control system incidents as being cyber-related.
- According to the March 2022 Canadian IACS Cybersecurity Incident Response Playbook, “A cybersecurity incident must be declared before proceeding with incident classification. Companies must rely on technical expertise from IACS/OT support team to investigate cybersecurity or system events and declare a cybersecurity event when appropriate.” However, there is no guidance to identify system events that could be cyber-related.
- The NIS2 Directive is the European Union-wide legislation on cybersecurity. According to NIS2, affected companies must submit an early warning to the CSIRT or competent national authority within 24 hours of becoming aware of an incident, which also allows them to seek assistance for implementing possible mitigation measures. However, neither NIS1 nor NIS2 identifies what is a control system cyber event or reportable incident. According to Sinclair Koelemij’s April 10, 2023 blog, “Under reporting is still a serious problem in the European community. If it doesn’t work for safety incidents, how will it ever work for security incidents? Is the NIS directive pursuing an illusion?”
Current state – industry
The following are four recent examples illustrating the gap in identifying control system incidents as being cyber-related.
- A natural gas utility recently had a shutdown of their gas distribution system. According to the utility, “We don’t access our controllers, we have a third-party supplier, and only they can access the controllers. So those controllers are not on the web, so no one can access them, so it’s not hacking, it’s not a cyber-attack.” In this case, all three controllers shut down at the same time, which knocked out the power and the plant shut down. After several hours of investigations, rogue code was found. The utility doesn’t know how or when the code got there. The utility doesn’t believe this a cyberattack but can’t rule out that when they were doing the last update, someone didn’t hack in and put the code there and it was unnoticed.
- I received the following: “We do ask for open reporting from our Energy cohort in downstream gas and electricity sector. Often the root causes relating to cyber intrusion and loss aren't understood and failure is wrongly attributed to others causes.”
- Chlorine dosing pumps failed from a power outage. Following the power failure, some of the automatic alarms activated to a ‘low priority setting’ and therefore did not issue relevant notice of the pump failure. The poor water quality only came to light after complaints from residents.
- According to Channel News Asia, the Equinix Singapore data outage on Saturday, October 14, 2023, which caused DBS and Citibank banking and payment services to go offline, happened after a planned system upgrade at one of Equinix's data centers. This raised the temperatures in some of the halls in the data center and impacted some customers’ operations. The issue was pinpointed to a power outage at an Equinix data center. There was no mention of this being cyber-related.
- August 30, 2023, the Microsoft Azure East Asia Data Center experienced a utility power surge, which tripped a subset of the cooling units in a data center, taking them offline and causing a data center shutdown. There was no mention of this being control system cyber-related.
Reasons for not identifying incidents as being cyber-related
There can be many reasons for not identifying control cyber incidents as being cyber-related. Some examples include:
- Lack of understanding by engineering and network security of what is a control system cyber incident (the MLM can help),
- Fear of identifying a cyber incident as being cyber-related because of internal and external disclosure requirements (e.g., insurance, SEC disclosures, etc.),
- Fear of an extended shutdown to do detailed cyber root-cause analysis, rather than simply restart a system which is what happened with the Triton cyberattack in Saudi Arabia,
- Lack of engineering and network security working together.
Summary
It is not possible to have an effective OT/ICS cybersecurity program if you can’t identify control system incidents as being cyber-related. Yet, OT cybersecurity is under the purview of the CISOs whose focus is the malicious compromise of IP networks and whose staff are not trained to identify control system incidents as being cyber-related. Those people that can identify control system cyber incidents are not under the purview of the CISO.
This peer-reviewed ISA work product can help organizations meet their cyber incident reporting requirements. By identifying control system cyber incidents, OT, IT, and engineers could become more aware of risk and be better enabled to take appropriate prevention measures leading to a more holistic approach to cybersecurity.
Cybersecurity requirements, technologies, monitoring, testing, and incident response planning are based on lessons learned from IP network cyber vulnerabilities and incidents. Not only have control system cyber incidents not been addressed, but operator errors have been identified as cyberattacks leaving a hole in control system cybersecurity programs.
By identifying control system cyber incidents, industry and government can determine if their cybersecurity program and requirements are adequate.
For more detailed support, I can help organizations establish a control system cybersecurity incident identification program (including “train-the-trainer”) based on actual control system cyber incidents.
Leaders relevant to this article: