I have seen few attempts to provide guidance to end-users about common issues with control system cyber incidents that transcend industries and even national boundaries. The following was the result of a discussion with a relevant entity about a domestic fossil plant cyber incident and its commonality to several other plant cyber incidents. For those who may not be aware, these are quite large power plants.
An international utility experienced a significant cyber incident due to a failure of a network switch. The failure caused a broadcast storm resulting in the loss of control system logic in every DCS processor, with the two units at power. The broadcast storm caused a complete loss of view and control of the units, causing a trip of 1000 megawatts (MW). A domestic fossil plant with a different DCS vendor and a different vendor's network switch experienced a similar event resulting in the simultaneous shutdown of the units and a loss of over 1100 MW. There were no alarms or warnings prior to the unit trips. The first indication of a problem was that all operator screens lost communication with the rest of the control system, which resulted in loss of visibility into the controls of both units. The domestic plant incident was not identified as a cyber incident by the utility or NERC. A similar situation occurred with a domestic nuclear plant that precipitated a manual shutdown of an 1100 MW nuclear plant. Neither the NRC nor INPO identified this as a cyber incident either.
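In each of these events the first warning the operators got was the loss of view itself. As an added illustration (not from the original post or any of the plants or vendors described), the following detector polls cumulative interface counters on a switch port (assumed to be available, for example IF-MIB ifInBroadcastPkts and ifInUcastPkts over SNMP) and raises an alert when the broadcast frame rate stays far above normal for consecutive polling intervals; the sample counters are constructed.

```python
"""Broadcast-storm detector over periodic interface counter samples.

Added example. Counter names, thresholds and the sample data are assumptions;
a real deployment feeds it the switch port's cumulative rx counters.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t: float      # poll time in seconds
    bcast: int    # cumulative received broadcast frames (e.g. ifInBroadcastPkts)
    total: int    # cumulative received frames of all kinds


def rates(prev: Sample, cur: Sample) -> tuple[float, float]:
    """Return (broadcast frames per second, broadcast share of all frames)."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("samples must be strictly increasing in time")
    d_bcast = cur.bcast - prev.bcast
    d_total = cur.total - prev.total
    share = d_bcast / d_total if d_total > 0 else 0.0
    return d_bcast / dt, share


def detect_storm(samples, pps_limit=2000.0, share_limit=0.5, sustain=2):
    """Alert once when broadcast pps AND broadcast share exceed their limits
    for `sustain` consecutive intervals; returns the alert timestamps."""
    alerts, streak = [], 0
    for prev, cur in zip(samples, samples[1:]):
        pps, share = rates(prev, cur)
        if pps > pps_limit and share > share_limit:
            streak += 1
            if streak == sustain:   # fire on the interval that confirms the storm
                alerts.append(cur.t)
        else:
            streak = 0
    return alerts


# Constructed 1-second samples: a quiet control network, then a storm from t=3.
SAMPLES = [
    Sample(0, 0, 0),
    Sample(1, 20, 5000),
    Sample(2, 40, 10000),
    Sample(3, 60, 15000),
    Sample(4, 50060, 65100),    # ~50,000 broadcasts/s, >99% of all frames
    Sample(5, 100060, 115200),
    Sample(6, 150060, 165300),
]

if __name__ == "__main__":
    print(detect_storm(SAMPLES))   # [5]
```

A detector like this gives the control room an alarm before the operator screens go dark, which is exactly what was missing in the incidents above.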
These are very significant issues – loss of view and loss of control. Yet these incidents are not identified as cyber, and there is no guidance on the common issues. Why?