Cybersecurity programs assume organizations can recognize control system incidents as being cyber-related. Yet the lack of control system cyber expertise by government organizations including NTSB, FDA, FBI, TSA, EPA, CISA, and DOE have not identified control system incidents as being cyber-related. The five cases discussed were fatal catastrophes. In all cases, NTSB identified control systems as the proximate cause of the incidents. Yet, none of the cases used the term “cyber”. Marshall Abrams and I were told by NTSB that the Olympic Pipeline case was the most complex case they had worked on because of the control system issues. Apparently, almost twenty years later, that hasn’t changed. These cases were unintentional. Consider the impact of not identifying a malicious control system cyberattack that kills people and damages equipment as being cyber-related. It’s a question of awareness—it’s difficult to deal with a risk if you’re not equipped to recognize it.
Joe Weiss
Control Systems Cybersecurity Expert, Joseph M. Weiss, is an international authority on cybersecurity, control systems and system security. Weiss weighs in on cybersecurity, science and technology, security emerging threats and more.