Viable cybersecurity programs require organizations to recognize incidents as being cyber-related. That is generally straightforward for IT and OT network-based cyber incidents. However, the same can’t be said for control system cyber incidents in any sector. There have been numerous government organizations’ calls for cyber information-sharing for critical infrastructures. Government organizations share cyber vulnerability disclosures. However, government organizations rarely share control system cyber incidents. It’s a question of awareness—it’s difficult to deal with a risk if you’re not equipped to recognize it.
Control system cyber incidents continue to occur with potential or actual catastrophic consequences. In 2023 and 2024, malicious and unintentional control system cyber incidents occurred in water/wastewater, electric power transmission and distribution, power generation, nuclear plant operation, data centers, aircraft, rail, medical devices, ships, food, space and other sectors. However, the training to recognize control system incidents as being cyber-related is missing.
Identifying control system incidents as being cyber-related is complicated when government and industry organizations rush to judgement by stating the incidents weren’t cyberattacks without knowing the actual cause (the Dali container ship that crashed into the Key Bridge) or set reporting thresholds that exclude many actual incidents as being identified as cyber-related (the NERC CIPs).
In the water sector there have been more than 150 control system cyber incidents but very few of these incidents were identified as being cyber-related. Since November 2023, the government-identified malicious control system cyberattacks against water systems from Iran and Russia (though not China) because the attackers made the attacks public. However, other water sector control system cyber incidents were not identified as being cyber-related even though some caused significant impacts such boil water orders.
The electric sector has had more than 1,500 control system cyber incidents with very few having been identified as being cyber-related. The electric utilities are required to alert the DOE within one to six hours via the Electric Emergency Incident and Disturbance Report (Form OE-417) after experiencing any event that interrupts the electric systems or has the potential to impact power system adequacy and reliability.
The OE-417 reports have been used to collect information furnished by the utilities on electric incidents and emergencies since 2000. The OE-417 reports are not explicitly for cyber incidents and so must be analyzed further to address those incidents that are cyber-related. Many actual control system cyber incidents were not identified as being cyber incidents. Other control system cyber incidents that either did not affect reliability or did not meet the reporting threshold were not included in the OE-417 data. Reporting incidents with no immediate impact is important because threats can remain latent and could have future impact. That impact could range from nuisance to catastrophe.
Since 2000, the OE-417 reports have identified more than 40 cyberattacks against the grid though these numbers are much larger than NERC has identified. There have been seven US cyber-related outages that affected at least 80,000 customers though none of these were identified as being cyber-related. Since 2018, the OE-417 reports have added a category: “Complete loss of monitoring or control capability at its staffed Bulk Electric System control center for 30 continuous minutes or more.” It should be evident that this category is cyber – whether unintentional or malicious, it’s still a cyber incident. There have been more than 200 of these incidents since 2018 yet less than five were categorized by DOE as being cyber-related. A number of these incidents occurred in multiple states. Some occurred and ended at the same time. Others resulted in significant loss of power.
Cyber incidents don’t need to be malicious
July 17, 2024, I gave a presentation to the Military Operations Research Society (MORS) on “Issues with Identifying Control System Cyber Incidents.” Government and industry organizations tend to under-report and under-share control system cyber incidents. In the discussion session after the presentation, Dr. Doug Samuelson from the Dupuy Institute brought up the 1990 AT&T Long Distance Network collapse. In this case, technicians had upgraded the software to speed processing of certain types of messages.
Although the upgraded code had been rigorously tested, a one-line bug was inadvertently added to the recovery software of each of the 114 switches in the network leading to its collapse. The impact was the same, whether malicious or unintentional and the impact obviously was not acceptable. Yet many still tend to think that only malicious, intentional attacks— “hacks”—count as cyber incidents.
The July 18, 2024, global Microsoft outage (the day after the MORS briefing) was from a CrowdStrike security update – unintentional but devastating (there were many people on Linked-in saying this was not a cyber incident). This wasn’t the first time a well-meaning security update has caused more impact than a malicious cyberattack as the impact was caused by a fully trusted organization (I personally was affected by the McAfee corrupt update many years ago). That is, the “cure can be worse than the disease.”
One would think that following the recent CrowdStrike event, identifying cyber threats would become a priority issue for critical infrastructures. Unfortunately, that is not the case. One week after the CrowdStrike event, a major electric utility rejected a small internally solicited proposal to get access to the information from the MORS presentation. In many cases, water utilities, large and small, are less willing to address control systems rather than IT cyber issues effectively masking the identification of control system incidents as being cyber-related.
Summary
People in cybersecurity are comfortable with saying that insider threats (to data and IT systems) can be either unintentional or malicious. Yet they're not, apparently, doing so when it comes to control system cyber incidents. By sharing “sanitized” control system cyber incidents, organizations’ OT, IT and engineers could become more aware of risk and be better enabled to take appropriate prevention measures. However, that is not yet happening.
