In their haste to find operational technology (OT) cyberattacks, members of the OT cybersecurity community, including regulators, continue to jump to conclusions about what OT cyberattacks are, while at the same time ignoring incidents that don’t look like the cyber incidents they are used to seeing.
Not everything that looks like a cyberattack is necessarily a cyberattack. Accidents and mistakes can easily be taken for cyberattacks. Two incidents, one from a few years ago, and one that’s currently unfolding, show the difficulty of distinguishing among these alternatives.
Specifically, the OT cybersecurity community reacted similarly to both the April 2025 Norwegian Dam and the February 2021 Oldsmar, Florida “cyber” incidents. Cyber-vulnerable OT systems were involved in both cases. However, legacy control system devices often have no cyber forensic capabilities.
Consequently, it may be difficult to determine whether the control system devices were maliciously or unintentionally compromised. In both Norway and Florida, there were unproven connections between the cyber-vulnerable OT systems and subsequent “system glitches.” In both cases, claims that these were cyberattacks went viral in the OT security community. Yet the OT cybersecurity community is silent about a control system cyber-related incident that caused a dam failure that dumped more than a billion gallons of water.
According to reports on the Norwegian Dam,
“Officials believe the hack took place because of a weak password for the valve's web-accessible control panels. It's unclear if putting the valve at full capacity was intentional or not.”
The Oldsmar, Florida, water-treatment incident turned out to be a user error that increased the lye concentration value, and not a cyberattack that intentionally changed the value. Yet the Oldsmar case is still prominently featured on many OT cybersecurity vendor websites.
Even as OT network cyberattacks continue to occur, so do control system cyber incidents. These real control system incidents cause physical impacts but are often not identified as being cyber-related. For example, a city had its water system compromised when the SCADA system erroneously manipulated a valve, flooding parts of the city (this resembles the Norwegian dam case). No alarms were initiated during this control system cyber incident, and it is not clear whether the incident was an “unintentional glitch” or a hack like the Russian cyberattack against the Muleshoe, Texas, water system, as the impacts were quite similar.
There are hundreds of similar cases in multiple industries that were identified not as cyber incidents but as glitches. Consequently, the cybersecurity community is not aware of these cases, because a Google search on the word “cyber” will not find them.
Summary
Not all control system cyber incidents are malicious cyberattacks. They can be accidents or errors, too. The misguided identification of OT glitches as cyberattacks, combined with the inability to identify control system incidents as being cyber-related, is becoming more dangerous. There is a need for training in how to identify a control system cyber incident as being cyber-related, as millions have already occurred. Some discernment—and the forensics to support that discernment—is clearly in order.