Viable cyber security programs require organizations to recognize incidents as being cyber-related. That is generally straightforward for IT and OT network-based cyber incidents. However, the same can’t be said for control system cyber incidents in any sector. People in cybersecurity are comfortable with saying that insider threats (to data and IT systems) can be either unintentional or malicious. Yet they’re not doing so when it comes to unintentional control system cyber incidents. By identifying and sharing “sanitized” control system cyber incidents, organizations’ OT, IT and engineers could become more aware of risk and be better enabled to take appropriate prevention measures. However, that is not yet happening in governments or the private sector.
