Significant ICS cyber security incidents continue to occur – some without known causes

Jan. 2, 2013
In the IT community, a worst-case scenario is denial-of-service. In the ICS community, a worst-case scenario is loss of control/loss of view. Enclosed are some recent cases of loss of control/loss of view involving four different major ICS suppliers, each without a known cause.

Almost a year ago, an international utility sent a LinkedIn note asking for help on a VERY significant ICS cyber incident: total loss of view and control of 2 large power plants during operation. The request was made because the utility could not get an acceptable response from their plant distributed control system (DCS) supplier (Vendor A) and wanted to know if anyone else had experienced a similar situation. At the October 2012 ICS Cyber Security Conference, another utility gave a presentation on an ICS cyber security incident during the commissioning of their new plant DCS. In this case, they also experienced loss of view and loss of control. Even with DCS vendor personnel on-site, they were not able to rectify the problem or get an explanation from their DCS vendor (Vendor B) as to what caused the incident. Another end-user sent a note asking for help because they experienced loss of view and loss of control of their ICS with the facility operating (Vendor C). Still another had a problem with their PC-based ICS (Vendor D), which was occasionally unable to see other PCs on the network and lost communications with important field I/O.

There are a number of issues and observations:
- These are loss of view/loss of control incidents, not traditional denial-of-service
- Incidents were independent of any specific ICS vendor
- Lack of understanding of what caused the problems
- Lack of guidance on how to respond to these problems
- Lack of adequate response from the ICS suppliers
- Need to share information on very significant ICS cyber incidents


If any readers have had similar incidents, please contact me at [email protected]. I will keep all information confidential and would be willing to share the information I have collected on a "give to get" basis. We will discuss these issues at the next 2013 ICS Cyber Security Conference.
Joe Weiss