On Jul. 17, 2024, I gave a presentation to the Military Operations Research Society (MORS) on “Issues with Identifying Control System Cyber Incidents.” I stated that government and industry organizations tend to under-report and under-share control system cyber incidents.
It’s worth beginning with an official U.S. government definition of a cyber incident. GAO defines a cyber incident as “an event that jeopardizes the cybersecurity of an information system or the information the system processes, stores, or transmits; or an event that violates security policies, procedures, or acceptable use policies, whether resulting from malicious activity or not.” Note the final clause: intent is not part of the definition. Professor Ross Anderson of Cambridge made the same point when he wrote that “Security Engineering is about building systems to remain dependable in the face of malice, error, or mischance.” Stuxnet adds a further complication: a sophisticated cyberattack on a control system can present as an equipment malfunction rather than as a network cyberattack, because the damage is done to the physical process while the network traffic looks normal.
The “cure can be worse than the disease.” The global Windows outage that began Jul. 18, 2024, was caused by a faulty CrowdStrike Falcon sensor content update: unintentional, but devastating. It was not the first time a well-intentioned security update has done more damage than a malicious cyberattack, and it reached every affected machine precisely because it came from a fully trusted organization over a trusted update channel. Trust in the source is not a substitute for testing what the source delivers before it reaches production.
In the discussion session after the presentation, Dr. Doug Samuelson of the Dupuy Institute brought up the 1990 AT&T long-distance network collapse. In that case, technicians had upgraded the switch software to speed up processing of certain types of messages. Although the upgraded code had been rigorously tested, a one-line bug had inadvertently been introduced into the recovery software of each of the 114 switches in the network, and it caused a cascading failure that took the network down. The impact would have been the same whether the cause was malicious or unintentional, and that impact was obviously not acceptable. Yet many still tend to think that only malicious, intentional attacks, that is, “hacks,” count as cyber incidents.
Identifying cyber incidents on Internet Protocol networks (IT and OT) using existing forensics and training is an established part of a comprehensive cybersecurity program. Identifying control system cyber incidents at the device and physical-process level is far less mature, with minimal applicable cyber forensics or training.
There have been more than 17 million control system cyber incidents, which have killed thousands of people through chemical releases, plane crashes, train crashes, pipeline ruptures and other catastrophic events. These incidents, both malicious and unintentional, have occurred globally and in every sector. Very few of them were identified as cyber-related, which typically meant that cyber incident response programs were never initiated. The prevailing logic seems to be: if it isn’t happening on the network, it isn’t a hack, and if it isn’t a hack, it isn’t a cyber incident.
One reason critical infrastructure hasn’t been secured is that cybersecurity tends to focus on the network rather than on the physical process. Two terms illustrate the problem: “Cyber-Informed Engineering” and “cyber-physical systems.” Putting “cyber” first signals that cyber is the primary concern. But a motor is a physical system that happens to have cyber connectivity. What matters is the operation of the motor; cyber is only one of several threats to that operation.
Similarly, “cyber-informed engineering” implies that cyber is the primary concern. As the insulin pump example in the presentation showed, the pump was cyber-secure by design. It was not safe by design, and 244 people were hurt.
Control system cyber incidents continue to occur with potential or actual catastrophic consequences. In 2023-2024, malicious and unintentional control system cyber incidents occurred in water/wastewater treatment, electric power transmission and distribution, power generation, nuclear plant operation, data centers, aircraft, rail, medical devices, ships, food, space and other sectors. However, the training needed to recognize control system incidents as cyber-related is missing. Identification is further complicated when government and industry organizations rush to judgment, declaring that an incident “wasn’t a cyberattack” before the actual cause is known, or set reporting thresholds that exclude many real incidents from ever being classified as cyber-related.
Government organizations have repeatedly called for cyber information-sharing for critical infrastructure, and they do share cyber vulnerability disclosures. However, they rarely share control system cyber incidents. It is a question of awareness: it is difficult to manage a risk you are not equipped to recognize.
If you are interested in receiving a link to the presentation, please contact me at
[email protected].