The genesis of this blog was reading an article in CNN Top 5 on June 9, 2024, whose title was simply “224”. This was the number of people injured in control system cyber incidents, though the article didn’t identify the incidents as being cyber incidents. All too often, cyber security is being addressed in a vacuum. As real cases demonstrate, cyber security may have been addressed, but there was inadequate safety engineering to account for unexpected system interactions. These cases could not be detected by cyber security testing, cyber security forensics, and were not identified as being cyber-related. Because of this, MITRE’s cyber security playbook developed for the FDA would not have been initiated for the incidents mentioned in the blog as they were not identified as being cyber-related. These types of incidents have affected multiple sectors. It would be interesting to understand how the SEC cyber reporting requirements would apply to these dangerous control system cyber incidents that weren’t identified as being cyber-related as these incidents are “operational”. Given the demonstrated danger with these actual control system cyber incidents that escape regulatory regimes, I am pleading with government and industry to address these dangerous incidents as to what they are - dangerous control system cyber incidents.