People continue to ask for an ROI on control system cyber security. The San Bruno natural gas pipeline failure was a control system cyber incident. What has it cost PG&E? According to the San Jose Mercury News, to date it has cost the CEO and several senior executives their jobs (retirement has come at an “opportune” time), a major drop in profit, and numerous lawsuits. If that isn’t enough, ask the Olympic Pipeline Company, which declared bankruptcy after the 1999 Bellingham, WA gasoline pipeline rupture, an incident eerily similar to San Bruno.
Specifically, the May 5, 2011 issue of the San Jose Mercury News reported: “Citing increased costs due largely to the Sept. 9 San Bruno natural gas explosion, PG&E reported a big drop in profit for the first quarter, slashed its earnings forecast for the rest of the year and declined to increase its annual stock dividend for the first time since 2005.” The direct-impact dollar figure often cited for PG&E is more than $400 million, and not all of it may be recoverable from ratepayers.
NERC and the utilities – are you listening? What utility will be able to argue that the NERC CIPs were technically adequate to protect them against expected control system cyber attacks when the NERC CIPs can’t even protect them from the unintentional cyber incidents that have already occurred? What will happen to other CEOs and senior executives if Wall Street feels you are not adequately protecting your assets?