Control system cyber incidents are more plentiful and impactful than most observers expect - more than 17 million directly resulting in more than 34,000 deaths. Most of the incidents were engineering-based cyberattacks used to camouflage a deficiency in the design of the product or to cause physical damage.  The engineering-based cyberattacks did not involve the Internet, Windows, or OT networks to carry out the attacks. Consequently, these incidents were not identifiable by network cyber forensics and would not fall under the Chief Information Security Officer's (CISO) domain. This means most of these incidents would not be addressed by existing government and industry cyber security guidance, nor make its way to the Boards as cyber events. While there have been more than 1,200 electric grid cyber-related incidents, that doesn’t adequately reflect the true impact on customers and the economy as some of the cyber-related outages have affected tens of millions of people. In addition, the diesel cheat scandal lays bare the philosophical differences in how offensive cyber attackers and cyber defenders’ approach cyber security. The impacts from the diesel cheat scandal were huge, more than $35 Billion in damages and several people went to jail, yet many defenders would not consider these to be malicious cyberattacks because they weren’t the type of attacks they were expecting. Until the OT network-focused regulators and practitioners are willing to address engineering-based incidents and attacks, critical infrastructures cannot be secured. Recommendations are provided to address the gaps in control system cyber security monitoring and control system cyber incident disclosure as existing disclosure requirements are geared toward vulnerabilities not incidents. It is also evident that monitoring the process sensor signals at the physics layer would have identified most of the incidents regardless of cause.
More than 17 million control system cyber incidents are hidden in plain sight
2 replies