Not solving the right problem: Water and wastewater safety and availability depend on more than networks

Organizations must understand how to limit the physical consequences when electronic information cannot be trusted and how to prevent compromise

Water and wastewater systems, like other industrial and manufacturing facilities, rely on electronically communicating control systems consisting of pumps, valves, motors, drives, relays, analyzers, process sensors, engineering workstations, operator displays and communication networks. Because these systems depend on electronic communications to monitor and control physical processes, control system cyber incidents occur whenever electronically communicated process information becomes corrupted, delayed, unavailable or untrustworthy, regardless of whether the cause is malicious, accidental or equipment-related, since each can compromise the safe operation of the physical process.

As Professor Ross Anderson stated in his seminal book, Security Engineering: A Guide to Building Dependable Distributed Systems, security engineering is about building systems that remain dependable in the face of malice, error or mischance. Consequently, organizations must understand not only how to prevent compromise but also how to limit the physical consequences when electronic information cannot be trusted.

A plethora of network cyberattacks and identified cyber vulnerabilities has prompted congressional hearings on various critical infrastructures, town hall meetings on critical infrastructure incident reporting and critical infrastructure cybersecurity conferences. The common thread across these discussions has been that these activities were network-focused, and they did not address process sensors or other control system cyber incidents that produce physical consequences.

The OT cybersecurity community’s predominant emphasis on network security has caused a two-fold problem: First, a focus on network-related attacks or perceived attacks, and second, ignoring control system and unintentional incidents. The 2021 Oldsmar incident was widely characterized as a cyberattack even though subsequent reviews suggested that human error played a significant role in the event. The result was a renewed emphasis on network security rather than an understanding of the engineering and human factors causes of unsafe process behavior.

Federal cybersecurity guidance from agencies such as EPA, CISA and TSA, together with industry guidance from organizations such as AWWA and NERC, generally assumes that process sensors and actuators can be secured using approaches developed for networked IT assets, whenever those field devices are even explicitly discussed. This was illustrated by an EPA email recommending common IT security actions for process sensors and actuators, even though these devices lack the capabilities needed to implement such approaches. At the same time, the OT cybersecurity community continues to give comparatively little attention to control system incidents that have caused significant impacts because those incidents were not the result of network attacks. This narrow focus leaves a significant blind spot: incidents originating within the process environment.

The distinction between network cybersecurity incidents and control system cyber incidents is not merely semantic. It determines which incidents are investigated, reported, shared and ultimately mitigated. If only network intrusions are considered cyber incidents, a large class of events involving compromised electronically communicated process information, including failures involving process sensors, engineering defects and control-system interaction, remains outside the cybersecurity community's field of view despite producing the most significant physical consequences.

Identification of actual incidents and impacts

For more than three decades, Applied Control Solutions (ACS) has maintained a proprietary repository of control system cyber incidents spanning multiple critical infrastructure sectors. Unlike public cyber incident databases that primarily catalog network intrusions and malware events, this repository includes incidents resulting from automation failures, process measurement issues, engineering defects, control logic errors, human-machine interaction issues and malicious cyberattacks.

These incidents originate within the control process itself and therefore exist regardless of the degree of IT-OT convergence. Across critical infrastructures globally, these incidents have contributed to more than 30,000 fatalities and more than $100 billion in damages, demonstrating that major operational risk often originates within the control environment. Within the ACS repository, non-network incidents account for the overwhelming majority of fatalities and physical damage.

Because the ACS repository contains proprietary incident information, it has historically been difficult to systematically interrogate the data without exposing confidential information. A recently developed secure analytical tool now enables queries across the repository while protecting the underlying data, making it possible to identify previously unknown correlations and trends.

Given the current interest in water and wastewater cybersecurity, the water/wastewater portion of the repository was selected as the initial test case for this analytical capability. For water/wastewater, the repository spans 1994-2026 and contains more than 250 documented domestic and international control system cyber incidents involving loss of view, loss of control, equipment damage, environmental releases, boil water notices and injuries.

Get your subscription to Control's tri-weekly newsletter.

More than 35% involved process sensor problems, approximately 25% involved malicious cyber activity, more than 20 of the incidents resulted in boil water notices, and more than 150 public injuries were associated with those incidents. In many cases, the PLCs operated exactly as designed. The physical damage occurred because the controllers received incorrect process measurements from field instrumentation rather than because the PLC software malfunctioned.

Incorrect sensor measurements disrupted normal closed-loop sensor-controller-actuator relationships, causing equipment to operate in potentially unsafe conditions. Consequently, even perfect PLC cybersecurity would not have prevented many of these incidents because the controllers acted on incorrect process information rather than compromised controller logic. Incorrect sensor data can result from manufacturing defects, installation errors, calibration problems, sensor drift, environmental influences, counterfeit components or malicious manipulation.

A preliminary review of other critical infrastructure sectors revealed similar patterns. Engineering personnel are generally not trained to recognize when failures of electronically communicated process information constitute cyber incidents, while cybersecurity personnel are generally not trained to investigate the engineering mechanisms through which those incidents produce physical consequences.

No trusted cross-sector mechanism currently exists for sharing control system cyber incidents involving process sensors, control logic interactions or electronically communicated process measurements. Although the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was enacted to improve cyber incident reporting for critical infrastructure, it does not specifically address the distinctive characteristics of control system incidents involving process instrumentation and electronically communicated process measurements.

Proposed program

Consider a seven-point program that would help address these shortfalls:

  1. Develop a taxonomy and common definitions for control system cyber incidents that distinguish them from traditional network cyber incidents while recognizing both malicious and non-malicious causes.
  2. Integrate engineering, instrumentation and cybersecurity expertise into incident investigations involving physical process anomalies.
  3. Educate executives, engineers, operators and cybersecurity personnel on control system cybersecurity and the role of field devices, particularly process sensors. 
  4. Train engineering and cybersecurity personnel to recognize, investigate and classify control system incidents that involve electronic communications, regardless of whether they are malicious or unintentional. 
  5. Develop mechanisms to collect and analyze control system incident data, including process sensor failures and sensor-actuator interactions, to identify recurring engineering and cybersecurity patterns.
  6. Incorporate control system cybersecurity and process sensor integrity requirements into procurement specifications for field devices and automation systems.
  7. Establish a trusted, cross-sector information-sharing program focused specifically on control system cyber incidents, including process sensor failures and sensor-actuator interactions.

Summary

The incident data demonstrate that corrupted, delayed, unavailable or otherwise untrustworthy electronically communicated process information can produce physical damage, environmental releases, service interruptions and injuries.

Yet these incidents are generally investigated as equipment failures, instrumentation problems or operational errors rather than as control system cyber incidents. Until engineering and cybersecurity disciplines are jointly trained to recognize, investigate, classify and share information about these events, significant operational and public safety risks will remain outside the scope of current water-sector cybersecurity programs and regulations.

About the Author

Joe Weiss

Cybersecurity Contributor

Joe Weiss P.E., CISM, is managing partner of Applied Control Solutions, LLC, in Cupertino, CA. Formerly of KEMA and EPRI, Joe is an international authority on cybersecurity. You can contact him at [email protected]

Sign up for our eNewsletters
Get the latest news and updates