It may not be possible to recognize a “Cyber Pearl Harbor” as a cyber event

July 5, 2021
Ransomware attacks will continue to occur as they are so profitable. Unlike control system cyberattacks, network cyberattacks are short-lived as they do not damage critical hardware, which is why network cyberattacks are not a “Cyber Pearl Harbor”. Yet that is the government and industry’s focus. For control systems, it is the opposite. When a control system is impacted, the effects can’t be hidden. It is the control systems that will cause an existential “Cyber Pearl Harbor”, yet there is minimal attention being paid. Cyber-physical attacks such as Aurora and Chinese hardware backdoors have not been addressed by the DOE/Industry response to the DOE 100-day plan – the plan is network monitoring. Contrast that to adversaries such as Russia and China who are exploiting control system issues. One wonders what it will take for the government and industry to wake up before it is too late.

IT network cyberattacks, including ransomware, are readily recognized as cyberattacks. Unfortunately, ransomware attacks will continue to occur because they are so profitable. Unlike control system cyberattacks, IT network cyberattacks are short-lived, as they do not damage long lead-time equipment such as turbines, transformers, pumps, motors, valves, etc., which is why IT cyberattacks are not a “Cyber Pearl Harbor”. Yet that is the government’s focus. For control systems, it is the opposite. Usually, when a control system is impacted, the effects can’t be hidden: a pipe breaks, a train crashes, the lights go out, sewage is discharged, etc. Instead, the challenges are identifying whether cyber electronic communications played a role and distinguishing an attack from an accident. The engineering issues associated with control system cyber security are not being adequately addressed, nor are the engineers participating in most control system cyber security activities, even though it is their own equipment that is at risk. It is the control systems that will comprise a “Cyber Pearl Harbor”, yet there is minimal cyber security, authentication, or cyber logging available for these critical systems and devices. There is also minimal attention being paid to the control systems, as the focus is on network monitoring. Network monitoring is necessary, just not sufficient. As an example, cyber-physical attacks such as Aurora and Chinese hardware backdoors have not been addressed by the DOE/Industry response to the 100-day plan – the plan is network monitoring. Contrast that to adversaries such as Russia and China who are exploiting control system issues to our peril.

The May 2021 GAO report titled “CYBER INSURANCE: Insurers and Policyholders Face Challenges in an Evolving Market” (https://www.gao.gov/assets/gao-21-477.pdf) defined the term cyber incident as “an event that jeopardizes the cybersecurity of an information system or the information the system processes, stores, or transmits; or an event that violates security policies, procedures, or acceptable use policies, whether resulting from malicious activity or not” (emphasis added).

A contrast may be in order. The attack phenomenology of a strategic attack is pretty well understood and easily recognized. There are few events as unambiguous or as easily attributable as a missile launch. The phenomenology of a cyberattack is by no means that clear. You may know that a control or safety system has failed or is not working as expected, but it’s unlikely to be obvious that what occurred was a cyber-related incident (unintentional or cyberattack).

Control system cyber incidents have occurred in just about every critical infrastructure that uses control systems, including power, water, oil/gas/chemicals, pipelines, manufacturing, transportation, defense, buildings, etc. Consider the following examples, where both accidents and cyberattacks were not identified as being cyber-related.

- Stuxnet was originally regarded as a systemic design flaw in the centrifuge design and not a cyberattack. For more than a year, the Iranians could hear the centrifuges “screaming” but hadn’t considered that a possible cyberattack played a role.

- The Triton cyberattack targeted the safety systems in a petrochemical plant in Saudi Arabia. The plant tripped (shutdown) in June 2017 due to the malware but was restarted with the malware still in the Engineer’s Safety Systems Workstation because the malware did not initiate any cyber security “alarms”. It wasn’t until the plant tripped again in August 2017 that the malware was discovered.

- The 2003 Northeast Outage affected the Northeast US and Canada. It stemmed from a tree falling on a line and the lack of alarms in a utility’s SCADA system. Many of the recommendations within the Final Report of the 2003 Northeast Outage were cyber, yet some still have not been implemented. The 2003 Northeast Outage was one of a number of US major region-wide cyber-related outages affecting hundreds of thousands to millions of customers, though none were publicly identified as cyber-related incidents by NERC or DOE.

- The March 2007 Aurora vulnerability demonstration at the Idaho National Laboratory damaged a 27-ton generator without using any malware. Aurora is a gap in protection of the electric grid that causes kinetic damage and cannot be detected by any form of monitoring capability, network or otherwise. Unfortunately, the protective relay engineers have generally been excluded and the networking experts have downplayed the significance of these existential threats that can bring the grid down for 9-18 MONTHS. Yet, there have been a number of Aurora incidents within the US as well as internationally that have caused significant damage to utility and customer equipment and facilities.

- The hardware backdoors installed in the Chinese transformer delivered to a US utility substation led to the issuance of Presidential Executive Order (EO) 13920. The backdoors bypassed all network security, which can be seen from the scope of the Executive Order. What is out-of-scope is network monitoring.

- The general manager of the agency that handled a city’s environmental assets said that a “glitch” in their automation process was probably the reason significant amounts of sewage leaked into a creek over four-plus years. The general manager stated: “I’m very confident or fairly confident that this was not sabotage.” (Note the indecision.)

- In June 2021, two NATO warships, the Dutch vessel Evertsen and the Royal Navy's HMS Defender, operating in the Black Sea and visiting the Ukrainian port of Odessa, were falsely reported to have moved to disputed waters in the vicinity of the Russian-claimed port of Sevastopol. USNI News reports that it seems Automatic Identification System (AIS) signals were falsified to give the impression that the warships had engaged in what effectively would have been a provocation. In fact, both ships remained in Odessa. It remains unclear how the misreporting occurred: whether the AIS reports were deliberately falsified, and by whom, or whether the incident involved some malfunction. (https://news.usni.org/2021/07/01/more-nato-ships-enter-black-sea-while-tensions-with-russia-simmer)

In all of these cases, it was initially unclear that cyber was involved and whether the incidents were attacks or accidents. In many cases, it is still unclear, even years later, whether the incidents were unintentional or malicious. This is especially true where incidents occur because of trusted insiders that take unexpected actions.

The converse is also true: an accident can be misconstrued as an attack. In 1898, the USS Maine was shattered by two separate explosions and rapidly sank, leaving 254 seamen dead and 59 wounded. After the disaster, U.S. newspapers were quick to place responsibility for the loss on Spain. A U.S. Navy court of inquiry concluded that the ship was sunk by a mine. However, later studies indicated that the Maine sank as a result of a coal bunker fire adjacent to one of its ammunition magazines. Nevertheless, the loss of the Maine turned American popular opinion strongly in favor of war with Spain, resulting in the Spanish-American War. There have been other cases that are actually cyber-related. In 2009, Russia initially blamed the US for the accident at the 6,400 MW Sayano-Shushenskaya hydro power station, which destroyed the station and killed 75. Similarly, China initially blamed a high-speed bullet train accident in China that resulted in numerous fatalities on the UK and the US.

The vast majority of the more than 11 million control system cyber incidents in my control system cyber incident database (not publicly available) were not identified as being cyber-related. The lack of control system cyber forensics at the field device level, the lack of adequate control system network inventory, and the lack of control system cyber security training for the engineers make identifying equipment malfunctions as potentially being cyber-related problematic at best. This is why monitoring process sensors before they become Ethernet packets is so important. Without appropriate control system cyber security training for the engineers based on real incidents, neither private industry nor the government can assure they can identify a cyberattack (e.g., SolarWinds). That leads to the following questions that cross sector and geographic boundaries:
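One way to act on the point above about monitoring process sensors before they become Ethernet packets, as an added illustration that is not from the original post or any vendor product: capture the field-level sensor value alongside the value the HMI reports over the network, and flag disagreement, physically implausible rates of change, and a reported value that stays frozen while the physical signal moves (the held-value pattern seen in Stuxnet). The plant, tag, thresholds, and samples are hypothetical and constructed.

```python
"""Field-level cross-check of process-sensor readings against the values the
SCADA/HMI reports over the network. Hypothetical plant; constructed samples."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    t: float         # seconds since start of capture
    raw: float       # reading taken at the field device, before it is packetized
    reported: float  # same tag as displayed by the HMI / carried on the network

# Hypothetical pump discharge-pressure tag, engineering units in bar.
MAX_DEVIATION = 0.5   # raw vs. reported disagreement worth a finding
MAX_RATE = 2.0        # bar/s; faster changes are physically implausible here

def check_pair(prev, cur):
    """Return finding codes for one sample, given its predecessor (or None)."""
    findings = []
    # 1. The network copy disagrees with the physical signal.
    if abs(cur.raw - cur.reported) > MAX_DEVIATION:
        findings.append("DISAGREE")
    if prev is not None and cur.t > prev.t:
        dt = cur.t - prev.t
        # 2. The physical signal moves faster than the process allows:
        #    sensor fault, wiring problem, or a manipulated measurement.
        if abs(cur.raw - prev.raw) / dt > MAX_RATE:
            findings.append("IMPLAUSIBLE_RATE")
        # 3. The reported value is frozen while the physical signal moves:
        #    the replayed / held-value pattern the engineer never sees on the HMI.
        if cur.reported == prev.reported and abs(cur.raw - prev.raw) > MAX_DEVIATION:
            findings.append("STALE_REPORT")
    return findings

def analyze(samples):
    """Run the checks over a time-ordered capture; returns {t: [codes]}."""
    report, prev = {}, None
    for s in samples:
        hits = check_pair(prev, s)
        if hits:
            report[s.t] = hits
        prev = s
    return report

# Constructed capture: pressure climbs at the sensor while the HMI keeps
# showing a steady 5.0 bar from t=3 s onward.
SAMPLES = [
    Sample(0, 5.0, 5.0), Sample(1, 5.1, 5.1), Sample(2, 5.0, 5.0),
    Sample(3, 5.9, 5.0), Sample(4, 6.8, 5.0), Sample(5, 7.6, 5.0),
]
```

Running `analyze(SAMPLES)` flags t=3, 4 and 5 with both DISAGREE and STALE_REPORT; a network-only monitor would have seen a steady 5.0 bar throughout.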

- How can an electric utility meet the NERC CIP guidelines to identify a cyberattack when there have been more than 350 control system cyber incidents in the North American electric system and few identified as cyber events in the DOE OE417 Electric Emergency Incident and Disturbance Reports?

- How can a pipeline operator meet the new TSA cyber security guidelines for identifying a cyberattack when cyber-related lethal pipeline ruptures were not considered cyber incidents by NTSB? (It is unclear what role the Chemical Safety Board plays).

- How can a water/wastewater utility respond to post-Oldsmar scrutiny when there have been more than 125 control system cyber incidents in water/wastewater, ranging from complete loss of water to significant dangerous chemical releases to water hammers (water hammers occur when valves suddenly close or pumps suddenly shut down, resulting in pressure increases that can cause significant damage to piping systems) to pumping contaminated water into drinking water systems, etc., none of which were identified as being cyber-related?

- How can the public be confident about the quality of the food supply when there are still no control system cyber security requirements for detecting food adulteration when control systems have been responsible for cyber incidents affecting food and beverage production?

- How can the public be confident about medical device manufacturing when medical device control system cyber incidents have already killed and maimed people?

- How does the military know when a “redline” has actually been crossed when critical decision-making information has been compromised?

- What does the lack of being able to identify if kinetic damage was cyber-related mean to insurance policies including property and liability?

I have provided control system cyber security training and control system cyber security policy development based on real incidents for NIST in extending NIST SP800-53 for control systems, for the International Atomic Energy Agency (IAEA) for training control system engineers based on actual nuclear plant cyber incidents, and for electric and water utilities developing control system cyber security policies. This same approach can also be used for control system vendors in developing products that address real incidents and to identify if kinetic damage was cyber-related for property and liability insurance. It can also be used to meet the intent of the Cyber Security Safety Board identified in the EO 14028 and provide confidence that cyber incidents, whether unintentional or malicious, can be identified as being cyber-related.

Summary

Ransomware attacks will continue to occur as they are so profitable. Unlike control system cyberattacks, network cyberattacks are short-lived as they do not damage critical hardware, which is why network cyberattacks are not a “Cyber Pearl Harbor”. Yet that is the government and industry’s focus. For control systems, it is the opposite. When a control system is impacted, the effects can’t be hidden. It is the control systems that will cause an existential “Cyber Pearl Harbor”, yet there is minimal attention being paid. Contrast that to adversaries such as Russia and China who are exploiting control system issues. One wonders what it will take for the government and industry to wake up before it is too late.

Joe Weiss