Identifying control system incidents as being cyber-related is difficult. It is complicated when government and industry organizations rush to judgment by stating that incidents weren’t cyberattacks without knowing the actual cause or setting reporting thresholds that exclude many actual control system cyber incidents. Consequently, it is difficult to identify trends when so many real cases are excluded. Control system cyber incidents have occurred in multiple sectors with similar causes and similar equipment, but there has been no “connecting the dots”. An interesting example is there have been at least two cyber-related Colonial Pipeline pipe ruptures though neither was identified as being cyber-related. Ironically, neither would be covered by the TSA cyber security requirements stemming from the Colonial Pipeline shutdown. The same can be said of control system cyber incidents in other sectors including water, power, and manufacturing. The training to recognize control system incidents as being cyber-related is missing.
