May 25, 2023, I gave a presentation to the American Public Transportation Association’s (APTA) Enterprise Cybersecurity Working Group (ECSWG) and Control and Communications Security Working Group (CCSWG) teleconference on “Undetected ICS Cyber Incidents”. The general status was the same as for oil/gas, electric, nuclear power, water/wastewater, medical devices, etc. That is, the focus being on the IP networks with the primary attendance from network security personnel with very few, if any, engineers participating. The result was that control system cyber incidents that have caused pipe ruptures, train crashes, mass transit center inhalation issues, shut down bridges and tunnels, and affected traffic lights are not being addressed by TSA cyber security requirements. Surface transportation control system cyber incidents are not just a US issue. Similar control system cyber incidents have occurred in Europe, Australia, China, Singapore, and South America with tunnel systems, autonomous vehicles, rail and mass transit incidents, pipeline ruptures, etc. The June 2, 2023 derailment in eastern India that killed at least 288 people and injured more than 800 (information dated 6-4-23) was caused by an “error” in the electronic signaling and switching system that led a train to wrongly change tracks and crash into a freight train and then be hit another passing passenger train. To address these gaps, engineering needs to be involved; training needs to be developed that addresses control system devices and incidents that have already occurred; procurement guidelines and certification need to be developed for control system field devices; and Executives and Boards of Directors need to understand that cyber threats are more than ransomware and IT malware and that not addressing control system cyber incidents can result in catastrophic failures that can, and have, killed people.
