The cost of a non-malicious control system cyber incident – more than $1Billion

There is a tendency by many in the cyber security community to only care about malicious cyber attacks as opposed to unintentional cyber incidents. April 9^th, 2015, the California Public Utilities Commission fined Pacific Gas & Electric (PG&E) $1.6 BILLION for the September 2010 San Bruno natural gas pipeline rupture that killed 8 and destroyed a neighborhood (there are also 28 federal criminal charges and numerous other fines and penalties). This was not a malicious cyber attack but an unintentional control system cyber incident. The incident occurred following scheduled PG&E maintenance on the local SCADA system that resulted in the over-pressurization of a pipeline with a previously unknown weakness. As PG&E did not immediately have the locations of the required manual shut-off valves following the pipe rupture, PG&E has now installed more than 200 gas valves that can be controlled remotely. Remote shut-off valves increase the threat attack surface. Considering San Bruno was not the first pipeline rupture that was cyber-related, there is a need to consider cyber and physical security protections of all pipelines using remote-automated shut-off valves. This should include known cyber vulnerabilities that affect pipeline operations such as Aurora and appropriate control system cyber security policies and procedures.

Joe Weiss