The need to identify control system incidents as being cyber-related
Cyber threats to critical infrastructures are rising. A cyber incident is defined as electronic communications between systems, or between systems and people (operator displays), that affect confidentiality (C), integrity (I) and/or availability (A). But for control systems, I and A mean process integrity and availability, not data integrity and availability.
It is acknowledged that cyber incident response plans and associated tabletop training are critical and in place for network cyber incidents. Numerous sectors and SEC regulations require expeditious disclosures of cyber incidents. Ransomware and other IT malware are being identified and disclosed. However, there have been few disclosures of control system cyber incidents, whether malicious or unintentional (the Director of National Intelligence disclosures of Russian and Iranian control system cyberattacks against US critical infrastructures are among the few US government disclosures).
This lack of disclosures has led to numerous operational technology (OT) cybersecurity experts claiming that control system cyber incidents are few and infrequent. Moreover, government and industry cyber incident disclosure requirements don’t address the distinctive aspects of control system field devices, which have no cybersecurity, authentication or cyber forensics, and whose operators usually lack appropriate training.
Control system cyber incidents are different from network cyber incidents because you can't hide their impact: planes, trains and ships crash; pipelines rupture; power and water are lost; and so on. What is not identified is that many of these incidents have been cyber-related, and this failure to recognize them stems from a lack of appropriate cyber forensics and training. In 2024, there have been almost 150,000 malicious and unintentional control system incidents in water, automotive, ships, aircraft, rail, electric, manufacturing, building controls, etc. that caused physical impacts but were not identified as being cyber-related. This does not include the ongoing cyberattacks in the Russia-Ukraine war.
I started amassing my control system incident database (more than 17 million control system cyber incidents with thousands of deaths) in 2000, though the incidents started much earlier. In the 2008 timeframe, I supported NIST and MITRE in extending NIST SP800-53 for control systems. As a result of this effort, Marshall Abrams from MITRE and I examined three control system incidents that caused physical impacts: the Olympic gasoline pipeline rupture, the Australian wastewater cyberattack, and the Browns Ferry Unit 3 nuclear plant broadcast storm. In 2015, I supported the International Atomic Energy Agency to help nuclear engineers recognize nuclear plant control system cyber incidents using three of the more than fifty nuclear plant cyber incidents in my database that caused impacts (not including the Browns Ferry incident).
This experience in identifying control system cyber incidents led to training I developed that is now available as a service from Applied Control Solutions, LLC. As control system field devices are common to multiple critical infrastructure sectors globally, this information is of relevance to every sector.