Functional security and fatal control system cyber incidents

In the June 22nd issue of InformationWeek, the cover story is cyber security – What’s Your Appetite for Risk?.  The focus was on intentional cyber attacks against the IT infrastructure. I wanted to focus on two charts. The first is What are the Primary Goals of Your Risk Management Initiative?. Just like the NERC CIPs, the top goal was “fulfilling regulatory compliance requirements”. The second chart is What would be the Potential Effects of Attacks?.  Neither safety nor reliability were mentioned.

In the control systems community, the primary focus is on safety and reliability while the most frequent cyber risks are unintentional.  As Walt Boyes phrases it, the control systems community needs to focus on functional security. Functional security addresses the ability of systems to perform their functions in the face of intentional or unintentional cyber threats while assuring fail-safe operation. Functional security requires not just control systems domain expertise, but looking at system design and policies from a different perspective.  The lack of functional security has led to control system cyber incidents in electric, water, oil/gas, chemicals, and transportation including several with fatalities. Air France (aircraft) and the Washington DC Metro (rail rapid transit) apparently involved cyber control system failures; the Olympic Pipeline Company – Bellingham (gasoline pipeline) did suffer from cyber control system failures.

Common issues in Air France, DC Metro, and Olympic were:
- Reliance on remote (automated) system control
- Previously failures with control systems and components
- Logic that did not provide for “fail-safe” conditions
- Violation of the NIST Confidentiality/Integrity/Availability criteria

Modern communications and control system technologies are making systems more productive, but are reducing robustness. Many control system cyber incidents did not violate IT security policies as they were control system design or operation issues. And, yes, they could have been intentionally caused. The Smart Grid will further blur the lines between IT and control systems making functional security even more important. However, control system domain expertise is lacking. It’s time to address functional security of control systems before more people die. 
Joe Weiss

Further reading: 
Metro Control System Fails Test Technology Should Have Averted Crash,

NTSB: Metro signal system didn't detect test train,

Metrorail Crash May Exemplify Automation Paradox

Bellingham Control System Cyber Security Case Study,

Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.


  • <p> Very much up to the point, Joe. I would like to add one item to your list of "issues", preferably at the top: </p> <p> Lack of system understanding </p> <p> This was, for example, determined as the prime cause for the 2003 East Coast power blackout, see: <a href="">https://<b>report</b></a> </p>


RSS feed for comments on this page | RSS feed for all comments