Issues with Identifying Control System Cyber Incidents – MORS presentation

On July 17, 2024, I gave a presentation to the Military Operations Research Society (MORS) on “Issues with Identifying Control System Cyber Incidents.” Government and industry organizations tend to under-report and under-share control system cyber incidents. Identifying control system cyber incidents is much less mature than IT and OT network anomaly detection, with minimal applicable cyber forensics or training.

Globally there have been more than 17 million control system cyber incidents that have killed thousands of people from chemical releases, plane crashes, train crashes, pipeline ruptures, and other catastrophic incidents. Very few of these incidents were identified as being cyber-related, which typically meant that cyber incident response programs were not initiated. In 2023-2024, malicious and unintentional control system cyber incidents occurred in water/wastewater treatment, electric power transmission and distribution, power generation, nuclear plant operation, data centers, aircraft, rail, medical devices, ships, food, space, and other sectors.

Unintentional cyber incidents in IT, OT, and control systems are not uncommon. The global Microsoft outage that occurred July 18, 2024, was caused by a CrowdStrike security update – unintentional but devastating. This wasn’t the first time a well-meaning security update has caused significant impact. In the discussion session after the presentation, Dr. Doug Samuelson from the Dupuy Institute brought up the 1990 AT&T Long Distance Network collapse, which a one-line bug inadvertently caused. It’s a question of awareness—it’s difficult to deal with a risk if you’re not equipped and willing to recognize it.

If you are interested in receiving a link to the presentation, please contact me at joe.weiss@realtimeacs.com.