1. Home

Viruses or worms haven't killed anyone or destroyed equipment - control system cyber incidents have

July 30, 2015

I have been able to identify more than 600 ACTUAL control system cyber incidents (I keep finding more) though most of the incidents were never identified with the word “cyber”.  A very conservative estimate of the direct costs of control system cyber incidents to date is more than $15 Billion. While the recent Lloyd's of London cyber insurance study on a cyber attack of the power grid provided estimated losses from a hypothetical attack, these are actual costs from real control system cyber incidents.

The prevailing feeling about why there has been so little focus on securing control systems is that it isn’t real. What I constantly hear is “once there is a real control system cyber incident I will spend the time and money to address the problem”. Unfortunately, there have been already been many very significant control system cyber incidents. However, for various reasons, almost none have been identified as cyber.

I did some detailed analytics on my list of control system cyber incidents based on the NIST definition of a cyber incident – “electronic communication between systems that affect C, I, or A.”  I have been able to identify more than 600 ACTUAL control system cyber incidents (I keep finding more) though most of the incidents were never identified with the word “cyber”. The incidents are both malicious (more than 1/3 were malicious) and unintentional. The incidents have occurred globally in electric grid, power plants, nuclear, water/wastewater, pipelines, oil/gas, chemicals, food, manufacturing, and transportation.

My primary focus was on those incidents that have impacted reliability or safety (almost 2/3 of the incidents) though I have found many cases where viruses and worms were found on control system networks. Most of the viruses and worms consumed internal resources but did not affect system reliability or safety. More than 25 incidents caused injury and/or deaths. More than 50 incidents resulted in equipment and /or environmental damage. A very conservative estimate of the direct costs of control system cyber incidents to date is more than $15Billion. While the recent Lloyd’s of London cyber insurance study on a cyber attack of the power grid provided estimated losses from a hypothetical attack, these are actual costs from real control system cyber incidents.

Control system cyber security is more than security researchers finding another “zero day” vulnerability. What does it take for senior management and decision makers to take control system cyber security as seriously as IT data breaches?

Joe Weiss

Continue Reading

Sponsored Recommendations

IEC 62443 4-1 Cyber Certification – Why ML 3 is So Important

The IEC 62443 Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements help increase resilience for control systems...

Multi-Server SCADA Maintenance Made Easy

See how the intuitive VTScada Services Page ensures your multi-server SCADA application remains operational and resilient, even when performing regular server maintenance.

Your Industrial Historical Database Should be Designed for SCADA

VTScada's Chief Software Architect discusses how VTScada's purpose-built SCADA historian has created a paradigm shift in industry expectations for industrial redundancy and performance...

Linux and SCADA – What You May Not Have Considered

There’s a lot to keep in mind when considering the Linux® Operating System for critical SCADA systems. See how the Linux security model compares to Windows® and Mac OS®.

Latest from Home

shutterstock_1612677316
shutterstock_1358213252
shutterstock_2474268459

Most Read

Sponsored