The genesis of this blog was reading an article in CNN Top 5 on May 9, 2024, after returning from two days at the RSA Cybersecurity Conference. The article’s title was simply “224”. Upon further reading, it stated this was the number of people injured in control system cyber incidents, though the article didn’t identify the incidents as being cyber incidents.
Background
For critical infrastructures and their associated control systems, cybersecurity is one of many risks that need to be addressed including seismic, environmental, supply chain and physical threats to ensure safe and reliable operation. However, all too often, cybersecurity is being addressed in a vacuum. Specifically, control systems are engineering systems-of-systems consisting of hardware, software and networks. Operational technology (OT) networks include more than just internet protocol (IP) networks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has made security-by-design a major element to secure IT and OT networks without an apparent understanding of hardware physical-cyber system interactions. That is, all elements of a control system may be cyber-secure, but that doesn’t mean the overall system is either safe or even cyber-secure. As a nuclear engineer, I have always been concerned with unintended system interactions. In fact, NSM22 states, “Critical infrastructure is diverse and complex, and includes distributed networks, varied organizational structures, operating models, interdependent systems, and governance constructs.” Unintended interaction between systems has often caused unanticipated incidents with physical impact.
Ransomware and IT malware have cost organizations vast sums of money, but they have not directly harmed individuals. In contrast, control system cyber incidents have directly harmed and killed thousands of people.
A control system cyber incident can be unintentional or malicious. It involves electronic communications between systems, or systems and people (e.g., operator displays), that can not only affect the traditional IT triad of confidentiality, integrity and availability, but also safety, reliability and productivity which is a more suitable 'triad' for control systems. As result, CISA may not be looking through the correct lens.
When you read these case histories, note that these are control system cyber incidents. It is also evident that the cybersecurity and safety organizations are not adequately talking to each other as these cases demonstrate the difference between secure-by-design and safe-by-design. In each case, these incidents can be either unintentional or malicious.
Incidents
An app was used to measure chemistry, etc. and send the data via Bluetooth to control a pump. This is a common feature in power plants, oil/gas and chemical plants, water plants, manufacturing, etc.
Depending on the application, controlling a pump can have safety implications. When talking about pump safety, thoughts turn to catastrophic incidents such as the Texas City refinery explosion, the Three Mile Island core melt, etc. In this case, there was an issue with the app that led to the shutdown of the pump. The app and the pump system were cyber-secure, and the vendor had performed cybersecurity testing - secure-by-design.
In this case, the pump systems weren’t in industrial or manufacturing facilities, but iPhone apps connected via Bluetooth to insulin pumps. The app crashed and was automatically restarted by the iOS operating system, draining the pump's battery. This restart cycle repeated itself leading to excessive Bluetooth communication resulting in pump battery drain and the pumps shutting down suspending insulin delivery – unsafe-by-design. As of Apr. 15, 2024, there have been 224 reported injuries. (This was the “224” identified above.)
In another case, a left ventricle assist device was connected to the left side of the heart to move oxygenated blood from the left ventricle to the rest of the body. There was risk of unexpected pump stop or start. When the device was reconnected to the same or a new controller, depending on the status of the pump at connection, the pump either stopped or started. If the pump was stopped at reconnection, the pump would restart. If the pump was running at reconnection, a pump stop would occur. There were no alarms or indications to warn the user that the “pump stop” command was still in the command queue. Two injuries have been reported.
In another case, a multifunctional robotic navigation platform was designed for precise alignment in spine surgery. This device was recalled because a calibration process error could cause a loss of navigation integrity, which could result in device misplacement and patient harm. The root cause was associated with a calibration algorithm error that may affect the accuracy of implant placement. This calibration error was not detected prior to device distribution. There have been eight reported injuries.
FDA cybersecurity requirements
As medical care increasingly takes advantage of integrated automated systems, the benefits come with risks more often associated with industrial processes. The US Food and Drug Administration (FDA) has established medical device cybersecurity requirements in “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions Guidance for Industry and Food and Drug Administration Staff” issued on September 27, 2023. Section 524B(c) of the FD&C Act defines "cyber device" as a device that:
- includes software validated, installed, or authorized by the sponsor as a device or in a device,
- has the ability to connect to the internet, and
- contains any such technological characteristics validated, installed, or authorized by the sponsor that could be vulnerable to the cybersecurity threats.
The requirements include Interoperability Considerations stating that: “Cybersecurity Controls should be used as a means to allow for the safe and effective exchange and use of information.” The unsafe conditions identified in the above cases do not fall into this category nor were they identified as cyber incidents. Yet, these cases are recent FDA emergency recalls.
EV-charging gaps
Medical devices afford dramatic cases, but incidents of this kind appear in sectors other than healthcare. Kenneth Crowther from Xylem gave a presentation at the S4 2014 conference dealing with electric vehicle (EV) charging stations. Charging stations use temperature sensors to detect temperature anomalies in the charging network including the charging cords. If you “pop the cap” on the charging cord, you can get access to the sensors to spoof the sensor readings leading to conductor or insulation failure or worse even though the system is ostensibly cyber-secure but obviously not safe. Given this scenario, why are there no alerts or alarms if the cap is removed?
Other sectors
There have been many similar cases in power, water, oil/gas/chemicals, manufacturing, transportation and space which were not identified as being cyber-related and not addressed by regulations by the U.S. Department of Energy, U.S. Transportation Security Administration, the U.S. Environmental Protection Agency, CISA and others. This includes cyberattacks against circuit breakers (protective relays) in electric substations and other facilities including ships. Even though there are still unknown circuit breaker issues that shut down power to the Dali before it hit the Key Bridge, there was no cybersecurity participation in the preparation of the May 14, 2024, preliminary report as NTSB already reported within hours of the accident it wasn’t a cyberattack.
This is similar to some of the North American Electric Reliability Corporation (NERC) Lesson Learned cases where NERC immediately stated the incident was not a cyber incident but went on state it would takes days to determine what actually happened – so much for credibility of the review.
Conclusions
Cybersecurity is just one of the many families of risk that need to be addressed. Seismic, environmental, supply chain and physical threats must all be addressed to ensure safe and reliable operation.
However, all too often, cybersecurity is being addressed in a vacuum. As these cases demonstrate, cybersecurity was addressed, but there was inadequate safety engineering to account for unexpected system interactions. None of these cases could be detected by cybersecurity testing, cybersecurity forensics or were identified as being cyber-related.
These types of incidents have affected multiple sectors. It would be interesting to understand how the U.S. Securities and Exchange Commission cyber reporting requirements would apply to these dangerous control system cyber incidents that weren’t identified as being cyber-related as these incidents are “operational”.
Given the demonstrated danger with these actual control system cyber incidents from unintended consequences that escape regulatory regimes, I am pleading with government and industry to address these dangerous incidents as to what they are – dangerous control system cyber incidents.
