
Control system cyber incidents: the hidden threat to grid stability

June 10, 2025
Explore the challenges and solutions in securing power grid control systems, emphasizing the critical role of sensor-centric cybersecurity and the need for threat-informed engineering

Control system cyber incidents—particularly those originating from even a single compromised or malfunctioning sensor system—can impact vast portions of the electric grid. Despite decades of lessons and warning signs, meaningful progress in securing power grid control systems remains elusive. This failure stems not from a lack of technology, but from foundational misunderstandings in how we conceptualize control system cybersecurity.

The misalignment between network security and engineering

At the 2025 ICS/SCADA Cybersecurity Symposium in Chicago, two sessions underscored this disconnect. The first session, on June 3, examined the fundamental differences in how cybersecurity is approached from network versus engineering perspectives. Sai Molige (Forescout) presented findings from the OT:ICEFALL research, which disclosed 56 vulnerabilities across ten OT vendors; those findings, however, did not address impacts on field devices or the physical processes they control. In contrast, Nadine Miller, speaking from an engineering and board governance lens, presented a case study on process sensor monitoring featured in the IEEE article "Using Machine Learning to Work Around the Operational and Cybersecurity Limitations of Legacy Process Sensors."

That study, conducted at a raw metals refinery using the same kinds of process sensors and pumps found throughout critical infrastructure, applied physics-level monitoring and machine learning to diagnose chronic reliability problems in feed pumps and process sensors. Although operator displays showed normal performance, raw sensor data tapped directly from the signal wires told another story: misconfigured valves, failed sensors, and improperly operating pumps, all invisible on the standard displays. As a side effect, the method created an independent, authenticated layer of monitoring for otherwise unauthenticated components, one that identifies both performance failures and potential man-in-the-middle tampering between the field device and the display.
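One way to implement the wire-level checks that study describes, as an added example and not the study's own code or the author's: readings tapped from the 4-20 mA loops of a pump's flow and differential-pressure transmitters are compared with what the HMI shows for the same tags and with a pump curve fitted from healthy operation. The pump curve, tolerances, tag names and sample data are all constructed; a frozen signal, a display value that no longer matches the wire, and a pump or valve that is not doing what the display claims each produce a distinct finding.

```python
"""Physics-level validation of unauthenticated process sensors.

Added example (hypothetical; not the refinery study's code). Raw loop
currents from a flow and a differential-pressure transmitter on one pump are
checked against (a) the value the HMI/historian shows for the same tag and
(b) a constructed pump curve. Tolerances and data are illustrative.
"""
from dataclasses import dataclass
from statistics import pstdev

FLOW_RANGE = (0.0, 100.0)     # m3/h mapped to 4..20 mA (constructed)
DP_RANGE = (0.0, 1000.0)      # kPa mapped to 4..20 mA (constructed)
PUMP_A, PUMP_B = 600.0, 0.05  # constructed curve fitted from healthy runs: dP = A - B*Q**2


@dataclass
class Sample:
    t: float
    flow_ma: float   # raw loop current tapped at the flow transmitter
    dp_ma: float     # raw loop current tapped at the dP transmitter
    hmi_flow: float  # flow the operator display shows (m3/h)
    hmi_dp: float    # dP the operator display shows (kPa)


def ma_to_eu(milliamps, span):
    """Scale a 4-20 mA loop current to engineering units over span=(lo, hi)."""
    lo, hi = span
    return lo + (milliamps - 4.0) * (hi - lo) / 16.0


def expected_dp(flow):
    """Differential pressure the pump curve predicts at this flow."""
    return PUMP_A - PUMP_B * flow ** 2


def validate_window(samples, hmi_tol=0.02, curve_tol=0.15, stuck_ma=0.005):
    """Return a list of (t, code, detail) findings for one window of samples."""
    findings = []
    for s in samples:
        flow = ma_to_eu(s.flow_ma, FLOW_RANGE)
        dp = ma_to_eu(s.dp_ma, DP_RANGE)
        # A live 4-20 mA loop stays inside 3.8..20.5 mA; anything else is an open
        # loop, a short, or a transmitter in fault.
        for name, ma in (("flow", s.flow_ma), ("dp", s.dp_ma)):
            if not 3.8 <= ma <= 20.5:
                findings.append((s.t, "LOOP_FAULT",
                                 f"{name} loop at {ma:.2f} mA is outside the live range"))
        # Display versus wire: the HMI should reproduce the wire value to within
        # scaling tolerance. A gap means spoofing or a scaling error between field and display.
        for name, wire, shown, span in (("flow", flow, s.hmi_flow, FLOW_RANGE),
                                        ("dp", dp, s.hmi_dp, DP_RANGE)):
            if abs(shown - wire) / (span[1] - span[0]) > hmi_tol:
                findings.append((s.t, "HMI_MISMATCH",
                                 f"{name}: wire={wire:.1f}, display={shown:.1f}"))
        # Physics: measured dP must sit on the pump curve for the measured flow;
        # a large residual means a failed sensor, a misconfigured valve, or a pump not performing.
        exp = expected_dp(flow)
        if abs(dp - exp) / max(abs(exp), 1.0) > curve_tol:
            findings.append((s.t, "CURVE_VIOLATION",
                             f"dP={dp:.1f} kPa, curve predicts {exp:.1f} kPa at {flow:.1f} m3/h"))
    # Window-level check: a live transmitter always carries process noise, so a loop
    # current that does not move at all over several samples is frozen or failed.
    if len(samples) >= 3:
        for name, values in (("flow", [s.flow_ma for s in samples]),
                             ("dp", [s.dp_ma for s in samples])):
            if pstdev(values) < stuck_ma:
                findings.append((samples[-1].t, "STUCK",
                                 f"{name} loop current has not moved over {len(samples)} samples"))
    return findings


def codes(findings):
    """Distinct finding codes, sorted, for quick assertions and dashboards."""
    return sorted({code for _, code, _ in findings})


# Constructed sample windows (one second apart). 13.60 mA = 60 m3/h; 10.72 mA = 420 kPa.
HEALTHY = [Sample(0.0, 13.60, 10.72, 60.0, 420.0),
           Sample(1.0, 13.62, 10.70, 60.1, 419.0),
           Sample(2.0, 13.58, 10.74, 59.9, 421.0)]
# Same wire values, but the display shows 15 m3/h more flow than the wire carries.
SPOOFED_DISPLAY = [Sample(s.t, s.flow_ma, s.dp_ma, s.hmi_flow + 15.0, s.hmi_dp) for s in HEALTHY]
# Display agrees with the wire, but dP is far below the curve for this flow.
OFF_CURVE = [Sample(0.0, 13.60, 8.00, 60.0, 250.0),
             Sample(1.0, 13.62, 8.02, 60.1, 251.3),
             Sample(2.0, 13.58, 7.98, 59.9, 248.8)]
# Flow loop current never moves while dP still shows normal process noise.
FROZEN = [Sample(0.0, 13.60, 10.72, 60.0, 420.0),
          Sample(1.0, 13.60, 10.70, 60.0, 418.75),
          Sample(2.0, 13.60, 10.74, 60.0, 421.25)]

if __name__ == "__main__":
    for label, window in (("healthy", HEALTHY), ("spoofed display", SPOOFED_DISPLAY),
                          ("off curve", OFF_CURVE), ("frozen", FROZEN)):
        print(label, codes(validate_window(window)))
```

The display-versus-wire comparison is the part the study stumbled into: the raw loop current is the only reading that cannot be altered anywhere downstream of the transmitter, so a disagreement with the HMI is evidence of tampering or misconfiguration in between, while the pump-curve residual catches the case where wire and display agree but the process is not doing what the display implies.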

Cyber-informed vs. threat-informed engineering

A cyber incident is defined here as electronic communication between systems, or between systems and people (for example, operator displays), that affects Confidentiality (C), Integrity (I), or Availability (A). Cyber incidents can be unintentional or malicious. Stuxnet demonstrated that a sophisticated cyberattack can compromise sensor readings so that the attack looks like an equipment malfunction.

Cyber-Informed Engineering (CIE) was widely discussed. While valuable in principle, CIE focuses narrowly on malicious cyber threats and neglects the broader risk landscape. It also fails to meet the international standard for process industry safety, IEC 61511, which demands quantitative, consequence-and-likelihood-based safety evaluations whether the initiating cause is cyber or otherwise. A more effective approach, Threat-Informed Engineering (TIE), considers all initiating causes, malicious or unintentional, including those that are not cyber in origin but have cyber-physical consequences. The refinery study described above, although focused on productivity rather than security, was in fact an application of TIE.

A misapplication of CIE was also noted in the case of the 2021 Oldsmar, Florida, water system incident. Presented for years as a cyberattack case study, it was in fact user error. Yet the Oldsmar example continues to be misused in policy and training for water system cybersecurity, highlighting the critical need for accurate threat modeling. Meanwhile, actual water control system cyber incidents continue to occur: in one recent case a water utility's "SCADA glitch" opened a valve and overfilled a tank with no associated alarms. That event was classified simply as a glitch rather than a cyber incident, and therefore was never made public, even though it was the same scenario as the January 2024 Russian cyberattack on the Muleshoe, Texas, water system.

Weaponizing the grid: Aurora and beyond

The second session addressed how the grid itself can be weaponized through physics-based incidents such as Aurora. Demonstrated in 2007 at the Idaho National Laboratory, Aurora opens and then recloses a breaker out of phase with the grid, subjecting the connected machine to destructive torque and current surges. Such events are not limited to substations: any AC machinery protected by relays, including generators and induction motors, can be a target.

This threat is compounded by reliance on potentially compromised foreign equipment. Chinese-made grid equipment, including large power transformers with hardware backdoors that can be triggered by spoofed sensor signals, and components such as inverters and protective relays that communicate back to China, represents a severe and under-addressed risk. This includes the inverters in battery energy storage systems, which could be used to cause Aurora events or thermal runaway fires in lithium-ion batteries. As Presidential Executive Order 13920 recognized, hardware-level vulnerabilities tied to foreign supply chains are real and actionable.

Case study: Florida sensor failure triggers eastern grid oscillation

A real-world example of this vulnerability occurred in January 2019, when a single sensor in a Florida combined-cycle power plant fed incorrect data to the turbine control system. The resulting valve and turbine oscillations set up a forced oscillation that propagated across the entire Eastern Interconnection: roughly 200 MW fluctuations at the Florida plant produced 50 MW power swings as far away as New England. Although the root cause was not classified as a cyber incident, this unintentional cyber incident mirrors the kind of system design weakness a cyber attacker could deliberately exploit. That matters all the more because the other two grid regions, the Texas Interconnection and the Western Interconnection, have similar design weaknesses.


Crucially, the incident fell outside North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity regulations:

  • The plant was below the asset-size threshold.
  • The analog sensor communicated via non-routable protocols.
  • Mechanical devices like valves and sensors were excluded from cybersecurity analysis.
  • Closing in equipment, a known potential cause of resonance, was not treated as a cybersecurity issue.

Gaps in policy and training: the sensor blind spot

Both the Federal Energy Regulatory Commission (FERC) and NERC acknowledged in March 2025 that process sensors are excluded from CIP protections due to their non-routable nature. However, as NERC recently noted: “If spoofed sensor data influences a dispatcher’s decision within 15 minutes, the sensor qualifies as a cyber asset.” FERC concurred: “Every sensor would matter.”

This "15-minute" window is itself flawed. Control systems operate on sub-second timescales; waiting minutes to respond can mean massive grid disruption. The April 2025 Iberian Peninsula blackout, in which subsynchronous oscillations preceded the collapse, is a stark reminder: delayed action turned instability into collapse, a chain of events driven by sensor-level issues and a lack of damping from renewables.
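The Florida case above and the timing argument here can be made concrete. The following is an added example, not code from NERC, the plant or the author: a plant's net MW output sampled at 10 Hz (as a PMU-fed analytic would see it) is scanned window by window for a sustained oscillation, and an alarm is raised within seconds of onset rather than after a 15-minute deliberation. The sampling rate, band, thresholds and the synthetic record (a 0.25 Hz, 200 MW oscillation beginning at t = 31 s on top of noisy 1100 MW output) are all constructed.

```python
"""Detecting a sustained forced oscillation in plant output within seconds.

Added illustration, not code from NERC, the plant or the author. Each
20-second window of a 10 Hz MW record is mean-removed and scanned with a
Goertzel DFT over 0.1-2.0 Hz; an alarm fires when one frequency carries an
amplitude above a threshold in consecutive windows. All constants and the
synthetic signal are constructed for the example.
"""
import math
import random

FS = 10.0              # samples per second (constructed)
WINDOW_S = 20.0        # analysis window length, seconds
STEP_S = 5.0           # window advance, seconds
F_MIN, F_MAX, F_STEP = 0.1, 2.0, 0.05   # every 0.05 Hz step is an exact bin of a 20 s window
AMP_ALARM_MW = 50.0    # constructed alarm threshold on oscillation amplitude
PERSIST_WINDOWS = 2    # consecutive windows at the same frequency before alarming
SCAN_FREQS = [F_MIN + i * F_STEP for i in range(int(round((F_MAX - F_MIN) / F_STEP)) + 1)]


def goertzel_amplitude(x, freq, fs):
    """Peak amplitude (in the units of x) of the sinusoid at `freq` in window x.

    The window mean is removed so the plant's DC output level does not leak
    into low-frequency bins. Goertzel evaluates one DFT bin without computing
    the whole spectrum; amplitude = 2*|X(f)|/N.
    """
    n = len(x)
    mean = sum(x) / n
    w = 2.0 * math.pi * freq / fs
    coeff = 2.0 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for v in x:
        s = (v - mean) + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    real = s_prev - s_prev2 * math.cos(w)
    imag = s_prev2 * math.sin(w)
    return 2.0 * math.hypot(real, imag) / n


def dominant_oscillation(window):
    """Return (frequency_hz, amplitude) of the strongest component in the scanned band."""
    best_f, best_a = None, -1.0
    for f in SCAN_FREQS:
        a = goertzel_amplitude(window, f, FS)
        if a > best_a:
            best_f, best_a = f, a
    return best_f, best_a


def scan(series):
    """Slide the window over `series`; return per-window results and the alarm time.

    results: list of (window_end_s, dominant_hz, amplitude_mw)
    alarm_t: seconds into the record when the persistence criterion was met, or None
    """
    n_win, n_step = int(WINDOW_S * FS), int(STEP_S * FS)
    results, streak, last_f, alarm_t = [], 0, None, None
    for start in range(0, len(series) - n_win + 1, n_step):
        f, a = dominant_oscillation(series[start:start + n_win])
        t_end = (start + n_win) / FS
        results.append((t_end, f, a))
        # Persistence: the same frequency must exceed the threshold in consecutive
        # windows, which rejects a single switching transient or noise spike.
        if a >= AMP_ALARM_MW and last_f is not None and abs(f - last_f) < F_STEP / 2:
            streak += 1
        elif a >= AMP_ALARM_MW:
            streak = 1
        else:
            streak = 0
        last_f = f if a >= AMP_ALARM_MW else None
        if streak >= PERSIST_WINDOWS and alarm_t is None:
            alarm_t = t_end
    return results, alarm_t


def synthetic_plant_output(seconds=90.0, onset_s=31.0, amp_mw=200.0, osc_hz=0.25, seed=1):
    """Constructed 10 Hz record: 1100 MW with 2 MW measurement noise, plus a forced
    oscillation from onset_s on, as a bad sensor input to a turbine controller might cause."""
    rng = random.Random(seed)
    out = []
    for i in range(int(seconds * FS)):
        t = i / FS
        mw = 1100.0 + rng.gauss(0.0, 2.0)
        if t >= onset_s:
            mw += amp_mw * math.sin(2.0 * math.pi * osc_hz * (t - onset_s))
        out.append(mw)
    return out


if __name__ == "__main__":
    results, alarm_t = scan(synthetic_plant_output())
    for t_end, f, a in results:
        print(f"t={t_end:5.1f}s  dominant={f:.2f} Hz  amplitude={a:6.1f} MW")
    print("alarm at", alarm_t, "s (oscillation began at 31 s)")
```

With these constants the alarm lands at t = 45 s, fourteen seconds after onset, because the window ending at 35 s contains only one cycle (about 40 MW apparent amplitude), the window ending at 40 s crosses the threshold, and the window ending at 45 s confirms the same 0.25 Hz component. Tightening the step and window trades earlier alarms for more false positives; either way the decision is made in seconds, not minutes.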

Despite mounting evidence, neither the May 2025 House Homeland Cybersecurity Hearing nor the IEEE Power & Energy Summit addressed sensor-level control system cyber issues. This oversight reveals a persistent blind spot in our national energy security posture.

Conclusion: a call for sensor-centric cybersecurity

Control system cyber incidents differ fundamentally from data-centric IT cyber threats. Yet, they remain neglected by both policymakers and practitioners. Without monitoring and validating sensor-level data at the physics layer, we will continue to miss—or misattribute—critical early warnings of catastrophic grid events.

Network security cannot detect or mitigate physics-based control system failures.

Urgent steps include:

  • Incorporating Threat-Informed Engineering in standards and training.
  • Monitoring unauthenticated process sensors with tamper-evident and physics-level analytics.
  • Prioritizing operator training in process sensor and control system field device cybersecurity.
  • Updating the NERC CIP standards to include sensor-based threats regardless of protocol or asset size.
  • Prioritizing operator training in grid oscillation management particularly after the Iberian outage.

We cannot afford to wait years for “trusted hardware” when adversaries already know the vulnerabilities. The physics of the grid is unforgiving—and so are our opponents.

About the Author

Joe Weiss | Cybersecurity Contributor

Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]