There is still minimal identification of, much less, “connecting the dots” on ICS cyber incidents. Yet, ICS cyber incidents continue to occur as my database is now at almost 400 actual ICS cyber incidents and growing. I believe the lack of “connecting the dots” has been at the root of why there is so little guidance to end-users about common causes from actual ICS cyber incidents. This lack of guidance is even more acute when it crosses industries and international borders. As there are only a limited number of major ICS and industrial network device suppliers, what happens in one industry or one country also can affect other industries and other countries. This blog focuses on one of a number of common causes of ICS cyber incidents. It also demonstrates several very important aspects about ICS cyber security:
- It does not have to malicious to cause a major impact – loss of availability to power about 1 million homes is pretty significant.
- If the ICS can be impacted unintentionally, it often can be intentionally attacked using the same vector.
- Even unintentional ICS incidents can lead to loss of control and loss of view.
- Information sharing isn’t adequately working.
Several years ago, an international utility experienced a significant cyber incident due to a network device failure. The failure caused a broadcast storm resulting in the loss of all plant Distributed Control Systems (DCS) control system logic and associated loss of control and view with two units at power. The failure affected 1000MW of load (the DCS is also used in the US). A domestic fossil plant with a different DCS vendor and a different vendor’s network device experienced a similar event resulting in the simultaneous shutdown of the units and a loss of over 1100MW. There were no alarms or warnings prior to the unit trips. The first indication of a problem was when all operator screens experienced a loss of communication with the rest of the control system resulting in loss of visibility into the controls of both units. The domestic plant incident was not identified as a cyber incident by the utility or NERC. Another case was a multiple unit trip of an international combined cycle gas power plant (>1500 MW) due to network device issues. A similar situation occurred with a domestic nuclear plant that precipitated a manual shutdown of an 1100MW nuclear plant (NRC did not classify this as a cyber incident either). To put in perspective the scope of these power plant impacts, a general rule is one megawatt can power 1000 homes. Consequently, a 1000 MW plant can serve 1 million homes. However, these issues are not just affecting power plants. An international chemical plant with a large installation of Foundation Fieldbus devices had overloaded a poorly segmented network device affecting the operation of the chemical plant. There has also been at least one case where mass transit control and view was affected by network device issues resulting in the immediate shutdown of all trains. These types of failures can also affect the ability of substation protective relays to accomplish their protective safety functions.
While these incidents were probably not malicious, there continues to be disclosures of device vulnerabilities from different network device vendors. Among the vulnerabilities are remotely exploitable vulnerabilities that could allow attackers to take actions on the devices without authentication. These vulnerabilities can be remotely exploited to maliciously cause loss of control and loss of view incidents (Stuxnet was loss of control and loss of view). Add that to malware such as BlackEnergy which compromises ICS HMIs and it makes for a very ugly situation.
These real incidents have affected very large facilities in multiple industries in multiple countries from multiple ICS and network device vendors. Where is the information sharing and end-user guidance?