Control system cyber incidents are more common and dangerous than most security specialists and industry leaders tend to believe. They are also hidden in plain sight. That requires some explanation.
I have been amassing a database of control system cyber incidents since 2000 when I helped start the control system cybersecurity program for the electric utilities. When I started, the purpose of the database was to:
- Show that control system cyber incidents are real and not insignificant in number.
- Show that most of the incidents are common across multiple sectors.
- Provide input for training engineers and networking personnel as to what to look for as control system cyber incidents are more than just Internet Protocol (IP) network anomalies.
- Identify if cybersecurity mitigation technologies can address actual incidents.
- Use in the design of new control systems to assure that unintentional or malicious threats are being addressed.
- Help the insurance industry and credit-rating agencies understand this existential risk.
To this extent, I have used the database with security vendors to help validate how their security technologies can address specific cases.
My criteria for including events are that they be incidents and not merely vulnerabilities, and that the incidents must affect control systems or the physical processes they manage, either directly or indirectly. If the incidents only affect information technology (IT) systems (which is the case with most ransomware), I didn’t include them (this distinguishes my database from most others which are dominated by ransomware cases). I have also not made a detailed count and list of organizations affected by generic malware such as Slammer, Blaster, Conficker, NotPetya, WannaCry, and the various ransomware versions that are proliferating what seems like daily.
Even though drones are “cyber tools,” the database does not include any of the cases used for military operations. Consequently, my database is very conservative in terms of the number of cases identified. The database is expansive in the types of incidents included, as it includes “traditional” IP network cyber incidents as well as out-of-phase incidents, engineering-based attacks, electromagnetic interference (EMI), and radio frequency interference (RFI) cases that have disabled control systems and other unique cases. I have also compared the cases to existing databases such as the Repository of Industrial Security Incidents (RISI) and SCIDMARK to ensure the database is complete.
Boards and chief executive officers (CEOs) are increasingly pointing at the chief information security officer (CISO) when operational technology (OT) cybersecurity issues arise. Having the CISOs in charge of OT security with the current cybersecurity focus on attacks against IP networks, especially currently troubling and common ransomware incidents, makes sense as protecting IP networks are their specialty. However, OT cybersecurity is more than just protecting IP networks. The CISOs and networking specialists lack of knowledge about the unique issues associated with control system serial networks and field devices has resulted in many instances of control system impacts from inappropriate use of IT network security technologies, testing, and policies. Some of these cases physically damaged equipment and in one case almost shut down a significant part of the U.S. grid.
Are CISOs prepared to go to the Board and CEO and admit that they were responsible for causing the damage they were supposed to prevent? Additionally, this OT network approach seems to have crowded out interest in unintentional incidents and engineering-based cyberattacks that don’t fit the familiar IT model.
The IT model might be characterized as, “You’re connected to the Internet, running Windows, and someone is attempting to steal or manipulate your data.” That is, that the incident must be malicious and about privacy or data protection, but not about safety or reliability. This lack of understanding extends to both IT/OT and engineering practitioners, which raises a familiar problem: Just because part of the system is not vulnerable to the threats you are used to seeing does not mean the system is not vulnerable. This is also the opening that offensive cyber attackers use: Go to where the defenders are not looking.
I use the U.S. Government Accountability Office (GAO) 21-477 definition of a cyber incident as:
“An event that jeopardizes the cybersecurity of an information system or the information the system processes, stores, or transmits; or an event that violates security policies, procedures, or acceptable use policies, whether resulting from malicious activity or not. Cyber incidents, including cyberattacks, can damage information technology assets, create losses related to business disruption and theft, release sensitive information, and expose entities to liability from customers, suppliers, employees, and shareholders.”
The database is not public as it includes many cases that have been provided in confidence, nor does it include incidents that are classified. The database includes the following categories:
- Aircraft
- Electric transmission and distribution (T&D)/supervisory control and data acquisition (SCADA) (microgrids)
- Facilities (buildings, laboratories, data centers, etc.)
- Food/beverage
- Land transportation (railroads, automotive, traffic signals, etc.)
- Manufacturing (all types)
- Marine (ships, ports, locks, etc.)
- Medical (medical facilities and medical devices)
- Mining
- Nuclear plants
- Oil/gas/chemicals
- Paper
- Pipelines
- Power plants (fossil, hydro, and renewables)
- Space (rockets, satellites)
- Water/Wastewater
It is also broken into regions:
- Africa
- Asia
- Australia/New Zealand
- Canada
- Europe
- Middle East
- South America
- United States
The database has an unintentional, but natural bias toward collecting United States and Canadian incidents. However, many facilities and control system vendors are global. Consequently, most of the incidents are directly applicable to every region regardless of where the incident occurred. As maintaining the database is not my full-time activity, it is based on the incidents that I have found or been made aware of, which means it does not cover every incident that has occurred. What is clear is that control system cyber incidents continue to occur in all categories, even though they are “drowned out” by the number of ransomware incidents. This can be explained by the fact that there are cyber forensics to identify IT/ransomware incidents, but often not for control system cyber incidents. Consequently, I often act as a “manual intrusion detection system.”
The focus of cybersecurity has been on the critical infrastructures of power, water, chemicals, pipelines, oil/gas, and manufacturing. However, there have been significant cyber incidents in infrastructures that were unexpected to be cyber vulnerable, such as cyber-related impacts on road tunnel equipment that have caused physical impacts. There were also cases where the cyber incidents involved analog systems.
For industries such as manufacturing and pipelines, counting incidents is relatively straightforward as it applies to each facility that was impacted without multiplying effects. However, grid cyber-related incidents have multiplying affects. As an example, one cyber-related incident that shutdown the regional grid for several days affected 50 million people. I counted that incident as 1, not 50 million. Under that accounting, there have been 6 cyber-related power outages in the U.S. since the late 1990s that have affected at least 96,000 customers. There have also been many significant international grid cyber-related outages involving large segments of the population.
Consequently, while there have been more than 1,200 electric grid cyber-related incidents, that doesn’t adequately reflect the true impact on customers and the economy from each incident. In some cases, the cyber incident caused no impacts to the grid. In other cases, the grid was shut down for hours to days affecting the population and businesses that did not have access to backup power. That same multiplier effect can also apply to facilities such as chemical plants that have had cyber-related toxic releases impacting tens of thousands of people or airplane crashes that have killed hundreds.
Given those caveats, I have identified more than 17 million control system cyber incidents that have killed more than 34,000 people since the 1980s. What may be surprising is that most of the incidents were malicious, not unintentional. Additionally, the majority were not a result of IT or OT network vulnerabilities but were instead engineering-based attacks.
Engineering-based cyberattacks are not new. These cyberattacks started in 1982 with the Farewell Dossier that targeted Gazprom pipeline controls followed by the water SCADA hack in 2000. The Idaho National Laboratory (INL) did a cyber assessment of the Siemens industrial programmable logic controllers (PLCs) and publicly presented their findings at the 2008 Siemens International Users Group in Chicago. The vulnerability results of the INL study identified an approach that was ultimately used to damage critical manufacturing equipment, as well as in the diesel cheat scandal meant to cover-up the deficiency in the diesel engines that could not meet “new,” more restrictive environmental requirements and still meet advertised fuel efficiency claims.
In the diesel cheat scandal case, the decision was made by the automotive executives to cover-up rather than disclose the reduced fuel efficiency. Consequently, the automotive executives had a third-party company, Robert Bosch, develop rogue software for the individual fuel and emission controllers in each vehicle that would sense “test” scenarios by monitoring speed, engine operation, air pressure, and the position of the steering wheel. When the vehicles were operating under controlled laboratory conditions—which typically involve putting them on a stationary test rig—the device put the vehicle into a safety mode in which the controllers ran the engine below normal power and performance. Once the test was completed, the controllers were switched out of this test mode. As a result, the engines emitted nitrogen oxide pollutants up to 40 times the limit. These types of attacks do not involve use of the Internet, Windows, or OT networks to carry out the attacks and have no cyber forensics.
The direct and indirect economic impacts of control system cyber incidents can be huge, but I have not conducted detailed economic analyses. As an example, the results do not reflect the economic impact of a regional outage affecting 50 million people. There have been several cases where control system cyber incidents have directly led to bankruptcies. Moreover, the economic impacts of the control system incidents were very conservative as I did not net the present value of economic impacts. Rather, I used the impact values when the incident occurred.
As an example, the Olympic Pipeline gasoline pipeline rupture occurred in 1999. The impact of that incident was $45 million in 1999 (which would obviously be much more when adjusted for inflation in 2023), directly leading to the bankruptcy of the Olympic Pipeline company and three people landing in jail. Control system cyber issues with process sensors and actuators led to an approximate 3% hit on net productivity in a billion-dollar facility. Ransomware attacks, even though they haven’t impacted the control systems or processes, have resulted in shutdowns due to “an abundance of caution.” The shutdowns have caused millions of dollars of impacts that may not be covered by business interruption insurance payouts.
Summary
Control system cyber incidents are more plentiful and impactful than most observers expect—more than 17 million directly resulting in more than 34,000 deaths. While there have been more than 1,200 electric grid cyber-related incidents, that doesn’t adequately reflect the true impact on customers and the economy. The majority of the 17 million plus control system cyber incidents were malicious, not unintentional. By the number of incidents, most control system cyber incidents were engineering-based attacks used to camouflage a deficiency in the design of the product or to cause physical damage. These attacks did not involve the Internet, Windows, or OT networks to carry out the attacks. Consequently, these incidents were not identifiable by network cyber forensics and would not fall under the CISOs domain.
This means that most of these incidents would not be addressed by existing government and industry cybersecurity guidance, nor make its way to the Boards as cyber events. In addition, the diesel cheat scandal lays bare the philosophical differences in how offensive cyber attackers and cyber defender’s approach cybersecurity. The impacts from the diesel cheat scandal were huge, with more than $35 billion in damages and several people in jail, yet many defenders would not consider these to be malicious cyberattacks because they weren’t the type of attacks they were expecting.
Until the OT network-focused regulators, practitioners, insurance providers, and credit rating agencies are willing to address engineering-based incidents and attacks, critical infrastructures won’t be secured. However, this may be changing as insurance companies may not be willing to provide business interruption insurance payouts when the control systems haven’t been impacted. It is evident that monitoring process sensor signals at the physics layer would have identified most of the incidents regardless of cause.
Recommendations
- Develop an appropriate control system cybersecurity training to identify incidents that may be cyber-related.
- Develop a process for sharing control system cyber incident information with all affected parts of the organization.
- Develop a process for sharing sanitized control system cyber incident information with industry and the government (the existing process is not working).
- Use control system cyber incident information in cybersecurity policy and program development.
- Develop a methodology for having a common vulnerabilities and exposures (CVE)-type process for addressing control system cyber incidents.
- Use the control system cyber incident information in cybersecurity mitigation development.
- Use the control system cyber incident information in control system equipment development.
- Use the control system cyber incident information in safety analyses.
- Use the control system cyber incident information in incident response training.
- Use process sensor monitoring at the physics level to identify unintentional and malicious cyber incidents.
- Develop university control system cybersecurity courses for Computer Science; cybersecurity (introduction to basic engineering) and domain engineering disciplines (introduction to basic cybersecurity).
- Develop the appropriate control system cybersecurity metrics for credit rating and insurance companies.
A version of this blog originally appeared in Control Global.