Malfunction or cyber attack – the impact is the same and it may not be possible to know the difference

March 3, 2019
It is important to do a root cause analysis of a “malfunction” whether the incident was malicious (physical or cyber) or unintentional since you may not be able to tell the difference. The root cause team should include representatives from engineering as well as network security.

Fairuz Rafique from Galactic Security had a Linked-In note concerning a March 2018 “malfunction” in the ski lift system in the Gudauri Ski Resort in the Republic of Georgia. The lift system event injured 12 people. Officials claimed it was an equipment malfunction. According to Fairuz, the same day of the malfunction, researchers found the lift vendor’s control systems exposed on the Internet. Consequently, Fairuz asked if this was a malfunction or a cyber attack. I responded that it doesn’t matter. My response elicited a number of other responses, pro and con, including from an insurance company saying it matters to them as context is everything.

There are a number of issues at play:

- From the NIST Glossary, the definition of a cyber incident is “an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” The word “malicious” is NOT mentioned. In this case, the availability of the ski lift was lost due to the control systems – a cyber incident, malicious or not. The NIST definition is really an IT definition because safety is not addressed yet that is the concern in this case.

- Often, including in this case, the impact is the same whether it was a system malfunction (unintentional cyber incident) or a cyber attack. The 2008 Florida outage that blacked out about half the state of Florida for 8 hours originated from actions by an engineer in a substation. As the engineer’s actions did not involve network issues, there were no cyber forensics. The only difference between this event being an unintentional cyber incident versus a malicious attack was the motivation of the engineer – “I’m mad” or “oops”. Moreover, a sophisticated attacker can make a cyber attack appear to be a malfunction - Stuxnet. As mentioned earlier, this could have major significance to insurance companies if you can’t tell the difference between a malfunction and a cyber attack.

- In IT systems with significant cyber forensics, the time before a cyber intrusion is identified can be on the order of hundreds of days. Generally, there are minimal, if any, cyber forensics and cyber training for the engineers at the control system layer. Consequently, an incident may not be identified as a cyber attack despite potential physical damage and injuries. As mentioned in https://www.controlglobal.com/blogs/unfettered/russia-has-compromised-the-us-grid-this-year, cyber intruders were in a US electric utility for more than 7 months before they were detected. This is important because most cyber security requirements and regulations such as NERC CIP for electric utilities and NEI-0809 for nuclear plants ASSUME that cyber attacks will be expeditiously identified which may not be possible.

- These discussions also lay bare the culture gap between the network organizations (IT/OT) and the engineering/safety organizations.

It is important to do a root cause analysis of the “malfunction”. The root cause team should include representatives from engineering as well as network security. It doesn’t matter if the incident was malicious (physical or cyber) or unintentional as long as the malfunction can be identified to prevent the event from recurring.

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...