Data center control system cyber incidents have shut down or damaged data centers operated by many different entities globally. August 30, 2023, a utility voltage sag tripped cooling units at the Microsoft Australia East Azure Data Center. When the voltage sag occurred, all five chillers in operation faulted and didn’t restart because the pumps did not get the run signal from the chillers. This was a control system cyber incident that defeated redundancy and diversity considerations. Microsoft addressed this incident as an unintentional mechanical failure and did not initiate a cyber incident response program even though the probability of this event being unintentional was extremely low. Cyberattacks can cause voltage sag and loss of signals but were not addressed. Moreover, Microsoft’s lessons learned did not address control system cyber issues. Just because a company is an IT cyber security expert does not mean it has sufficient expertise in control system cyber security. In this case, a physical failure from a control system cyber incident affected a large IT operation and it is critical to understand the lack of cyber resilience of the control system involved, particularly the process sensors that are 100% trusted. As control system field devices are not designed with cyber security protection, compensating controls are necessary. This includes developing control system cyber security policies and cyber security training for the engineers and using process sensor monitoring at the physics level, appropriate network cloaking technologies, use of low-voltage UPS systems, and appropriate machine learning. Regardless of the best attempts to secure control systems, unintentional or malicious control system cyber incidents can occur. Consequently, I have written a Micro Learning Module for ISA on identifying control system cyber incidents and will be providing a course on control system cyber security at Stevens Institute’s Maritime Security Center as there is a need to identify control system cyber incidents so a control system cyber incident response program can be in place and ready to use.
