Cyber incident response starts with the assumption that you can recognize a control system cyber-related event as being a cyber event. Globally, there have been more than 17 million control system cyber incidents that have killed more than 34,000 yet most of the incidents were not identified as being cyber-related. There is no training for the engineers to recognize an event as being cyber-related and these events are generally not seen on Internet Protocol (IP) networks. Consequently, I have written a Micro-Learning Module for ISA on identifying control system cyber incidents. In the module, I have distinguished between OT network-based events vs engineering-based cyber events because engineering-based cyber events are not addressed by network security organizations.
