Control system cyber incidents and network breaches are “apples and oranges”

Network cybersecurity and control system organizations have fundamentally different objectives and criteria when it comes to identifying cyber incidents
Feb. 26, 2026

This blog is a follow-up to my previous blog and comes from my work on the revision of our book, “Cybersecurity Policy Handbook”, Version 2, which contains a section on cyber incidents that included sample data from the 2025 Verizon Data Breach Report.

I was asked how the Verizon data compared to the control system cyber incidents in my database for the same period. It became an “apples to oranges” comparison, even though theoretically they should be close, as the definition of a cyber incident should be the same: a cyber incident is an incident involving electronic communication between systems, or between systems and people, that affects confidentiality, integrity, or availability. Electronic communication includes process sensor signals, control logic, firmware, and field device communications, not just Ethernet or IP networks. This is consistent with Professor Ross Anderson's formulation in Security Engineering, which frames security as building systems to remain dependable in the face of "malice, error, or mischance."

IT and OT network cybersecurity focus on malicious data breaches including ransomware, whereas control system cybersecurity focuses on impacts to physical processes, whether malicious or unintentional. If the incidents don’t look like network cyberattacks, there’s a tendency for network security personnel to not consider them as being cyber incidents. (This not only occurs with control system incidents but also occurred, for example, with the CrowdStrike update incident, which was not malicious and was initially excluded as a cyber incident, despite massive operational impact.)

Consequently, IT and OT network cyber incident identification deviates from control system cyber incident identification because many control system cyber incidents aren’t compromises of Ethernet networks, and because many do not appear to be malicious.

Table 1 is a sample of the 2025 data from the Verizon report where "Incidents" include all reported cybersecurity events, while "Data Breaches" represent confirmed loss of data. The Table 1 categories are based on the North American Industry Classification System (NAICS) published by the U.S. Office of Management and Budget (OMB) for classifying business establishments by type of economic activity. 

Table 1: 2025 Sample Data from Verizon Data Breach Report

| Industry | Incidents | Data Breaches |
|---|---|---|
| Accommodation | 211 | 48 |
| Administrative | 153 | 106 |
| Agriculture | 80 | 10 |
| Construction | 307 | 145 |
| Education | 1,075 | 106 |
| Entertainment | 493 | 37 |
| Finance | 3,336 | 162 |
| Healthcare | 1,710 | 105 |
| Information | 1,589 | 154 |
| Management | 113 | 52 |
| Manufacturing | 3,837 | 456 |
| Mining | 64 | 27 |
| Other Services | 683 | 86 |
| Professional | 2,549 | 547 |
| Public Administration | 1,422 | 124 |
| Real Estate | 339 | 62 |
| Retail | 837 | 166 |
| Transportation | 361 | 103 |
| Utilities | 358 | 26 |
| Wholesale | 330 | 256 |


Table 2 is a summary of the more than one million control system cyber incidents from my database that occurred in 2025. My categorization is based on types of organizations that use control systems (operational technologies) and only includes incidents that impacted control systems and/or facility operation. Control system cyber incidents include field device communication issues, automation malfunctions, loss-of-view, and loss-of-control events, not just confirmed attacks. The results from the two tables are like comparing apples and oranges.

Table 2: 2025 Control System Cyber Incidents

| Category | Operational Impact | Loss of Control | Loss of View | Equipment Damage | Environmental Damage | Injuries/Deaths |
|---|---|---|---|---|---|---|
| Aircraft | Yes | Yes | Yes | Yes | | Yes |
| Electric T&D/SCADA | Yes | Yes | Yes | Yes | | |
| Facilities | Yes | Yes | Yes | Yes | Yes | |
| Food/Beverage | Yes | Yes | Yes | | | |
| Land Transportation | Yes | | Yes | | | |
| Manufacturing | Yes | Yes | Yes | | | |
| Marine | Yes | Yes | Yes | Yes | Yes | |
| Medical | Yes | Yes | Yes | | | Yes |
| Nuclear Plants | Yes | Yes | Yes | | | |
| Oil/Gas | Yes | Yes | | | | |
| Railroads | Yes | Yes | Yes | Yes | | |
| Water/Wastewater | Yes | Yes | Yes | Yes | Yes | |

Summary

Network cybersecurity (IT and OT) and control system organizations have fundamentally different objectives and criteria when it comes to identifying cyber incidents. The Verizon Data Breach report is typical of reporting organizations that equate cyber incidents to data breaches and don’t address control system cyber incidents. The NAICS categories don’t reflect the categorization needed for identifying control system cyber incidents across multiple industries.

The only chance to bridge this gap is for both network security and engineering organizations to accept the same cyber incident definition, and for both network security and engineering organizations to receive appropriate control system cyber incident training. Otherwise, comparing numbers and impacts from network versus control system cyber incidents will continue to be an exercise in comparing apples to oranges.

About the Author

Joe Weiss

Cybersecurity Contributor

Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]
