Control system cyber incidents are real and impactful (more than 500 control system cyber incidents in the electric industry). To date, most of these incidents have not been identified as “cyber” because of lack of identified intent. When reporting and remediating a control system cyber incident, the intent isn’t as important as the impact of the incident – the basis of consequence-based engineering. Using techniques such as FMEAs can be valuable if all control system devices, networks, and scenarios are considered. However, the interconnectedness of utilities can require that FMEAs consider the impacts one utility can have on another. The discussions highlight the need for control system cyber security training that includes addressing field devices and systems interactions. Unfortunately, this type of training is not readily available. Moreover, the security program should include monitoring of control system field devices which are currently outside the scope of the NERC CIPs.
