My previous blog had identified more than 600 actual control system cyber incidents. I have found a new source of actual control system cyber incidents that included very significant physical consequences. There is a reason – it comes from the “safety world”. Just as there continues to be a gulf in understanding between the IT and control system communities, there is also a gulf between the control system cyber security and safety communities.
My database now has more than 725 actual control system cyber incidents. VERY few were identified as cyber.
- There were more than 50 cases that resulted in more than 1,000 deaths combined
- There were more than 10 major cyber-related electric outages
- There were more than 60 nuclear plant cyber incidents with more than 15 resulting in reactor scrams
- There were more than 50 cases involving environmental releases
- There were more than 100 cases involving equipment damage
- The impacts have been more than $20 billion
- There were companies that went bankrupt because of control system cyber incidents.
The majority of control system cyber incidents that affected the process (shutdown plants, electric outages, pipe breaks, satellite operations, etc.) were not network-related but control system-related. Consequently, current cyber forensics and training are often inadequate to detect, much less prevent, many control system cyber incidents. What does that say about meeting the requirements in the NERC CIPs and NEI-0809 for identifying and/or preventing cyber attacks? My project with the International Atomic Energy Agency was entitled “Scenario-Based Training” to help identify the shortcomings in control system cyber security training.
Following 9/11, there was supposed to be a focus on “connecting the dots”. It certainly has not happened with control system cyber security. Incidents keep occurring, many with common threads, across multiple industries with little guidance or training. Consequently, I have been working with Applied Risk in the Netherlands developing control system cyber security awareness training based on field control system cyber security experience and real cases.
As Paul Feldman stated in response to a blog on DigitalBond about IT and OT, “From a Board perspective, it’s a distinction without a difference. The real question should be about risk and consequences. Whether a system is IT or OT or mixed – a Board needs to know what the company is exposed to in terms of risk and what the consequences are of that exposure. Given a specific security deployment protecting an asset – what possibilities exist for a breach? There should be an explicit list that the Board sees so they know the company is not 100% protected, nor will it be. For each item on the breach list – what is the maximum damage that might be done if the breach occurs? The Board needs to understand these questions if it is to fulfill its fiduciary responsibility and understand how management has determined to allocate resources. The possibility of a breach is another interesting question, and enters into the equation, but should not be qualitatively weighed at lower than the C-suite.”
These incidents are real cases with significant consequences. Many continue to recur. It is obvious the requisite training and forensics are missing. Given the risk, the insurance industry is very concerned. Where is the C-Suite?
Joe Weiss