Control systems are systems of systems. Consequently, when one device or system is compromised, it can impact many others, potentially numbered in the tens to thousands.
Background: why we need to include both accidents and attacks
According to the US National Institute of Standards and Technology (NIST), a cyber incident is an occurrence that actually or potentially jeopardizes the Confidentiality, Integrity, or Availability (CIA) of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. Incidents may be intentional or unintentional. (FIPS PUB 200, Minimum Security Requirements for Federal Information and Information System, March 2006.) The cases in my control system cyber incident database are from incidents, not vulnerabilities, and include both unintentional and malicious cases as the impacts can be the same whether unintentional or malicious. Often, the only difference between an unintentional incident and malicious attack is the motivation of the person(s) involved. Moreover, a sophisticated attacker can make a cyberattack look like an equipment malfunction. My cases come from myriad sources, some of which have not even informed their management which is why the database is not public. What should be of interest is what has happened to the facility, not who operates the facility. Because of how I arranged the database, I was not able to easily address multiple cases and consequently only counted the first case if there were multiple cases involved. If I were to have counted all of the individual cases, my database would have almost 12 million control system cyber incidents.
Why the under-reporting
There are several reasons why control system cyber incidents tend to be under-reported:
- There are minimal to no control system cyber forensics below the Internet Protocol (IP) level and almost no training for the engineers/facility managers/clinicians to identify if an upset condition or sensor malfunction could possibly be cyber-related. As an example, the chemical plant in Saudi Arabia that was the victim of the Triton attack on the safety systems was restarted with malware still in the system as no one recognized the plant was shutdown from a malware attack. The culture gap between engineering and networking can exacerbate this inability to detect a control system cyberattack.
- Reporting requirements tend to apply for data breaches not for equipment damage or injuries/deaths. Internet of Things (IOT) legislation focusing on data breach will likely make this lack of control system cyber incident reporting even more of a challenge.
Sample cases with multiple control system impacts
Enclosed are a sample of the cases where there have been multiple control system cyber impacts:
- A 20-story building had multiple Variable Frequency Drives (VFDs), process sensors, and pumping systems hacked with attendant physical damage and no alarms (counted as one case).
- IT penetration testing software in a very large building led to a denial-of-service (DOS) affecting 6,000 control system devices (counted as one case).
- An unexpected situation due to centralization of control led to a complete loss of communications to 100 buildings. There was no mention of the tens of thousands of control system devices that lost communication (counted as one case).
- IT penetration testing software caused loss of relay communications to more than 400 high voltage (230KV and 500 KV) relays in several electric substations (counted as one case).
- While working on nuclear plant safety, we discovered a manufacturing flaw in a very popular pressure sensor. Because I was exclusively focused on nuclear plant safety, I was not trying to identify the overall extent of the problem. However, even in the limited nuclear safety scope, we found more than 200 nuclear safety sensors with this common cause, non-detectable failure in pressure, level, and flow sensors (counted as one case). In one case, the failure mode led to a safety relief valve not lifting during a nuclear plant transient event and another sensor failure contributed directly to the Three Mile Island core melt.
- The Chinese installed hardware backdoors in large Chinese-made electric transformers. One case has been confirmed, a second transformer is at the Sandia National Laboratory with results unknown, and there more than 200 other large Chinese-made electric transformers in the US electric grid today with an unknown number of hardware backdoors (counted as one case).
- Around 60,000 vehicles of the Mercedes-Benz GLK 220 CDI models produced between 2012 and 2015 were affected by the diesel cheat scandal. The KBA had previously ordered Daimler to recall 700,000 vehicles worldwide, including 280,000 in Germany, over the illegal software (counted as one case). Diesel investigations have been running in Germany and elsewhere since 2015, when automobile giant Volkswagen admitted to building cheat devices into 11 million cars worldwide (counted as one case). In January 2017, the EPA accused Fiat Chrysler of illegally installing software on about 104,000 pickups and sport-utility vehicles that spewed harmful pollutants while failing to disclose the technology. The allegations involve the 2014, 2015, and 2016 Jeep Grand Cherokees (counted as one case). These cases have cost the automakers billions of dollars and led to significant decrease in the value of the vehicles and an increase in vehicle pollution.
- And so on…
- Control system cyber incidents are much more prevalent than is often thought. The insurance industry and credit rating agencies need to be aware.
- Malicious incidents are a significant percentage of control system cyber incidents in terms of numbers and impacts.
- Control system cyber incidents affect all industries, manufacturing, buildings, transportation, etc.
- Government and industry efforts to address the identification of control system cyber incidents are inadequate. Based on what has been done to date, this seems unlikely to change soon.
What needs to be done:
- Control system cyber security training based on actual cases for the engineering and networking organizations (process anomaly detection) is needed. Addressing hypothetical cases misses those real cases that simply haven’t been considered.
- Technology needs to be developed to provide identity, authentication, and integrity of process sensors at the physics layer (can’t be hacked).
With these two basic steps, it is possible to identify unintentional or malicious control system cyber incidents. This also becomes the “ground truth” input to network anomaly detection.
Control systems are systems of systems. Consequently, when one device or system is compromised, it can impact many others. If I were to have counted all of the individual cases, my database would have almost 12 million control system cyber incidents. The insurance industry and credit rating agencies should be aware of the large number of control system cyber incidents. The cases show that malicious incidents are a significant percentage of control system cyber incidents in terms of numbers and impacts. Control system cyber incidents affect all industries, manufacturing, buildings, transportation, etc. What is needed is control system cyber security training based on actual cases. Addressing hypothetical cases misses those real cases that simply haven’t been considered. Yet, government and industry efforts to address the identification of control system cyber incidents have been inadequate and seems unlikely to change soon.