The electric and nuclear industries have required “incident” disclosure for more than 20 years. The other infrastructure sectors either have no incident disclosure requirements or only recently started such as TSA for pipelines and EPA for water. There is a significant gap between the electric industry’s reported control system cyber incidents and actual control system cyber incidents (more than 500). The low number of reported grid cyber-related incidents can be attributed to how the electric industry defines a cyber incident. The utility industry needs to address all control system cyber incidents that could affect the reliability of the grid whether from malicious activity or not. From the NERC Lessons Learned, DOE OE-417 Forms, and my unclassified data, hundreds of power grid control system cyber incidents are not being identified or disclosed. This includes cases where power has been impacted and customers have lost power for hours to days. It is not just the electric industry. The food industry has experienced a strange trend of food processing plant fires. At least 16 such disasters have taken place at food processing facilities nationwide over the past 2 years. There is a need to understand whether cyber-related issues have played a possible role especially as the FBI and CISA have issued warnings about possible ransomware attacks. There is a need to provide selected unclassified information on control system cyber incidents to allow all sectors to better understand the threat. This can be done without divulging information that our adversaries could use to compromise the infrastructures. Restricting information flow and restricting the assets that are in scope for disclosure is not helping secure the grid or other sectors as our adversaries could be practicing for more impactful attacks at a time of their choosing.
