Control system cyber incidents are more common and dangerous than most security specialists and industry leaders tend to believe. They are also hidden in plain sight. That requires some explanation.
I have been amassing a database of control system cyber incidents since 2000 when I helped start the control system cyber security program for electric utilities. When I started, the purpose of the database was to:
- Show that control system cyber incidents are real and not insignificant in number.
- Show that most of the incidents are common across multiple sectors.
- Provide input for training engineers and networking personnel as to what to look for as control system cyber incidents are more than just Internet Protocol (IP) network anomalies.
- Identify if cyber security mitigation technologies can address actual incidents.
- Use in the design of new control systems to assure that unintentional or malicious threats are being addressed.
- Help the insurance industry and credit-rating agencies understand this existential risk.
To this extent, I have used the database with security vendors to help validate their security technologies can address specific actual cases.
My criteria for including events are that they be incidents and not merely vulnerabilities, and that the incidents must affect control systems or the physical processes they manage, either directly or indirectly. If the incidents only affect IT systems (which is the case with most ransomware), I didn’t include them. (This distinguishes my database from most others which are dominated by ransomware cases). I have also not made a detailed count and list of organizations affected by generic malware such as Slammer, Blaster, Confiker, Not-Petya, WannaCry, and the various ransomware versions that are proliferating what seems like daily. Even though drones are “cyber tools,” the database does not include any of the cases used for military operations. Consequently, my database is very conservative in terms of the number of cases identified. The database is expansive in the types of incidents included as it includes “traditional” IP network cyber incidents as well as out-of-phase incidents, engineering-based attacks, Electromagnetic Interference (EMI) and Radio Frequency Interference (RFI) cases that have disabled control systems, and other unique cases. I have also compared the cases to existing databases such as RISI and SCIDMARK to ensure the database is complete.
In Dale Peterson’s 11/15/22 blog, he refers to a CISO stating that “like it or not, the days of Operations being responsible for OT cybersecurity and cyber risk are fading away. The Board and CEO are increasingly pointing at the CISO when OT cybersecurity issues arise.” Having the CISOs in charge of OT security with the current cyber security focus on attacks against IP networks, especially currently troubling and common ransomware incidents, makes sense as protecting IP networks are their specialty. However, OT cyber security is more than just protecting IP networks. The CISOs and networking specialists lack of knowledge about the unique issues associated with control system serial networks and field devices has resulted in many instances of control system impacts from inappropriate use of IT network security technologies, testing and policies. Some of these cases physically damaged equipment and in one case almost shut down a significant part of the US grid. Are the CISOs prepared to go to the Board and CEO and admit they were responsible for causing the damage they were supposed to prevent? Additionally, this OT network approach seems to have crowded out interest in unintentional incidents and engineering-based cyberattacks that don’t fit the familiar IT model.
The IT model might be characterized as: “You’re connected to the Internet, running Windows, and someone is attempting to steal or manipulate your data”. That is, the incident must be malicious, and it is about privacy or data protection, but not about safety or reliability. This lack of understanding extends to both IT/OT and engineering practitioners and raises a familiar problem: “Just because part of the system is not vulnerable to the threats you are used to seeing does not mean the system is not vulnerable”. This is also the opening that offensive cyber attackers use - go to where the defenders are not looking.
I use the U.S. Government Accountability Office (GAO) 21-477 definition of a cyber incident as “an event that jeopardizes the cybersecurity of an information system or the information the system processes, stores, or transmits; or an event that violates security policies, procedures, or acceptable use policies, whether resulting from malicious activity or not. Cyber incidents, including cyberattacks, can damage information technology assets, create losses related to business disruption and theft, release sensitive information, and expose entities to liability from customers, suppliers, employees and shareholders.”
The database is not public as the database includes many cases that have been provided in confidence. The database also does not include incidents that are classified. The database includes the following categories:
- Aircraft
- Electric T&D/SCADA (Transmission, distribution, and microgrids)
- Facilities (Buildings, laboratories, data centers, etc.)
- Food/Beverage
- Land Transportation (Railroads, automotive, traffic signals, etc.)
- Manufacturing (All types of manufacturing)
- Marine (Ships, ports, locks, etc.)
- Medical (Medical facilities and medical devices)
- Mining
- Nuclear Plants
- Oil/Gas/Chemicals
- Paper
- Pipelines
- Power Plants (Fossil, hydro, and renewables)
- Space (Rockets, satellites)
- Water/Wastewater
It is also broken into regions:
- Africa
- Asia
- Australia/New Zealand
- Canada
- Europe
- Middle East
- South America
- United States
The database has an unintentional, but natural, bias toward collecting United States and Canadian incidents. However, many facilities and control system vendors are global. Consequently, most of the incidents are directly applicable to every region regardless of where the incident occurred. As maintaining the database is not my full-time activity, it is based on the incidents I have found or been made aware of which means it does not cover every incident that has occurred. What is clear is that control system cyber incidents continue to occur in all categories, even though they are “drowned out” by the number of ransomware incidents. This can be explained by the fact that there are cyber forensics to identify IT/ransomware incidents, but often not for control system cyber incidents. Consequently, I often act as a “manual intrusion detection system”.
The focus of cyber security has been on the critical infrastructures of power, water, chemicals, pipelines, oil/gas, and manufacturing. However, there have been significant cyber incidents in infrastructures that were unexpected to be cyber vulnerable such as cyber-related impacts on road tunnel equipment that have caused physical impacts. There were also cases where the cyber incidents involved analog systems.
For industries such as manufacturing and pipelines, counting incidents is relatively straightforward as it applies to each facility that was impacted without multiplying effects. However, grid cyber-related incidents have multiplying affects. As an example, one cyber-related incident that shutdown the regional grid for several days affected 50 million people. I counted that incident as 1, not 50 million. Under that accounting, there have been 6 cyber-related power outages in the US since the late 1990’s that have affected at least 96,000 customers. There have also been many significant international grid cyber-related outages involving large segments of the population. Consequently, while there have been more than 1,200 electric grid cyber-related incidents, that doesn’t adequately reflect the true impact on customers and the economy from each incident. In some cases, the grid cyber incident caused no impacts to the grid. In other cases, the grid was shut down for hours to days affecting the population and businesses that did not have access to backup power. That same multiplier effect can also apply to facilities such as chemical plants that have had cyber-related toxic releases impacting tens of thousands of people or airplane crashes that have killed hundreds.
Given those caveats, I have identified more than 17 million control system cyber incidents that have killed more than 34,000 since the 1980s. What may be surprising is most of the incidents were malicious, not unintentional. Additionally, the majority were not a result of IT or OT network vulnerabilities but were instead engineering-based attacks. Engineering-based cyberattacks are not new. These cyberattacks started in 1982 with the Farewell Dossier that targeted Gazprom pipeline controls followed by the water SCADA hack in 2000. The Idaho National Laboratory (INL) did a cyber assessment of the Siemens industrial programmable logic controllers (PLCs) and publicly presented their findings at the 2008 Siemens International Users Group in Chicago. The vulnerability results of the INL study identified an approach that was ultimately used to do damage to critical manufacturing equipment as well as in the diesel cheat scandal meant to cover-up the deficiency in the diesel engines that could not meet “new,” more restrictive environmental requirements and still meet advertised fuel efficiency claims. In the diesel cheat scandal case, the decision was made by the automotive executives to cover-up rather than disclose the reduced fuel efficiency. Consequently, the automotive executives had a third-party company, Robert Bosch, develop rogue software for the individual fuel and emission controllers in each vehicle that would sense “test” scenarios by monitoring speed, engine operation, air pressure and the position of the steering wheel. When the vehicles were operating under controlled laboratory conditions - which typically involve putting them on a stationary test rig - the device put the vehicle into a safety mode in which the controllers ran the engine below normal power and performance. Once the test was completed, the controllers were switched out of this test mode. As a result, the engines emitted nitrogen oxide pollutants up to 40 times the limit. These types of attacks do not involve use of the Internet, Windows, or OT networks to carry out the attacks and have no cyber forensics.
The direct and indirect economic impacts of control system cyber incidents can be huge, but I have not conducted detailed economic analyses. As an example, the results do not reflect the economic impact of a regional outage affecting 50 million people. There have been several cases where control system cyber incidents have directly led to bankruptcies. Moreover, the economic impacts of the control system incidents were very conservative as I did not net present value the economic impacts. Rather, I used the impact values when the incident occurred. As an example, the Olympic Pipeline gasoline pipeline rupture occurred in 1999. The impact of that incident was $45Million in 1999 dollars, which would obviously be much more in 2022 dollars.
Summary
Control system cyber incidents are more plentiful and impactful than most observers expect - more than 17 million directly resulting in more than 34,000 deaths. While there have been more than 1,200 electric grid cyber-related incidents, that doesn’t adequately reflect the true impact on customers and the economy. The majority of the 17 million-plus control system cyber incidents were malicious not unintentional. By number of incidents, most of the control system cyber incidents were engineering-based attacks used to camouflage a deficiency in the design of the product or to cause physical damage. These attacks did not involve the Internet, Windows, or OT networks to carry out the attacks. Consequently, these incidents were not identifiable by network cyber forensics and would not fall under the CISO’s domain. This means most of these incidents would not be addressed by existing government and industry cyber security guidance, nor make its way to the Boards as cyber events. In addition, the diesel cheat scandal lays bare the philosophical differences in how offensive cyber attackers and cyber defenders’ approach cyber security. The impacts from the diesel cheat scandal were huge, more than $35 billion in damages and several people went to jail, yet many defenders would not consider these to be malicious cyberattacks because they weren’t the type of attacks they were expecting. Until the OT network-focused regulators and practitioners are willing to address engineering-based incidents and attacks, critical infrastructures cannot be secured. It was also evident that monitoring the process sensor signals at the physics layer would have identified most of the incidents regardless of cause.
Recommendations
- Develop appropriate control system cyber security training to identify incidents that may be cyber-related.
- Develop a process for sharing control system cyber incident information with all affected parts of the organization.
- Develop a process for sharing sanitized control system cyber incident information with industry and the government (the existing process is not working).
- Use the control system cyber incident information in cyber security policy and program development.
- Develop a methodology for having a CVE-type process for addressing control system cyber incidents.
- Use the control system cyber incident information in cyber security mitigation development.
- Use the control system cyber incident information in control system equipment development.
- Use the control system cyber incident information in safety analyses.
- Use the control system cyber incident information in incident response training.
- Use process sensor monitoring at the physics level to identify unintentional and malicious cyber incidents.
Joe Weiss