The real cost of control system cyber security– and it isn’t cheap
There is still a prevailing view that control system cyber security is not real and the cost of addressing it is not commensurate with the “benefits”. There have already been more than 350 actual control system cyber incidents including those that have led to pipe ruptures, train crashes, plane crashes, dam failures, major regional electric outages, equipment damage, significant environmental discharges, etc. These incidents include loss of view, loss of control of the control systems or physical processes, and even loss of life. I thought a few examples could demonstrate the REAL cost of control system cyber incidents. I would expect this information will be of interest to insurance companies attempting to determine their level of risk.
The Olympic Pipeline Company gasoline pipeline rupture occurred in the 1999 time frame (a description is in my book “Protecting Industrial Control Systems from Electronic Threats”). According to the NTSB report and validated by the MITRE assessment (I was the co-author), the SCADA system was the proximate cause of the failure. The SCADA system had previously known issues. The incident killed three, led to the bankruptcy of the Olympic Pipeline Company, and three people went to jail.
PG&E’s San Bruno natural gas pipeline rupture occurred in the 2010 time frame. The pipe break was a control system cyber incident resulting from a poorly implemented SCADA modification project by PG&E at the regional SCADA center. During the modification, the SCADA system overpressurized the three pipelines it was controlling with a weak pipe section rupturing causing the destruction of a neighborhood and 8 deaths. The SCADA system also had previously known issues. The incident has led to the resignation of PG&E’s CEO and other executives, has cost PG&E more than $500 Million to date, and has resulted in multiple CRIMINAL charges against PG&E including obstruction of justice. This case should be of great interest to the utility industry as this was not a malicious event yet criminal charges have been filed. Moreover, the courts have allowed lawsuits against specific individuals at PG&E that were in a position of responsibility.
The July 2014 800+ page public disclosure on Aurora by DHS has several implications. Utilities can no longer claim they do not understand the Aurora vulnerability as it is now public. They cannot argue that simply doing a paper assessment is adequate as NERC itself gave recommendations for implementing the Aurora hardware mitigation in a stand-alone manner. The disclosure demonstrates existing substation devices not specifically designed to isolate from Aurora conditions may not prevent an Aurora event from occurring. Finally, the disclosure demonstrates to the utilities’ customers that the utilities’ substations can be a threat the utilities have not adequately addressed. The risk to a utility could be very high if an Aurora event were to occur and the utility had not adequately protected itself and its customers.