December 2022, the US Government Accountability Office (GAO) issued Critical Infrastructure Actions Needed to Better Secure Internet-Connected Devices (GAO-23-105327). According to GAO, the scope of the report was governed by a legislative mandate in The Internet of Things Cybersecurity Improvement Act of 2020, which (along with conversations with GAO’s Congressional clients), which dictated the terms […]
Category: Electric
More than 17 million dangerous control system cyber incidents are hidden in plain sight
Control system cyber incidents are plentiful (more than 17 million), dangerous, and mostly unidentified as being cyber-related Control system cyber incidents are more common and dangerous than most security specialists and industry leaders tend to believe. That requires some explanation. I have been amassing a database of control system cyber incidents since 2000 when I […]
Critical infrastructures cannot be secure when critical equipment isn’t
August 25, 2022, I received a call from an insurance specialty insurer who had received an Operational Technology (OT) Supplemental Application from a global control system supplier to the aerospace industry, industrial operations, and the US Department of Defense. I am personally aware of at least some of the company’s products because of their use […]
Utility/DOE data indicates sophisticated hackers have compromised US electric control centers
This is the utilities’ data and DOE analyzed it… and it was still missed DOE’s Form OE-417 collects information from the US utilities on electric incidents and emergencies. The OE-417 data covers the time span from 2000 through the end of February 2022 and so does not include any incidents since the start of the […]
The survey results of the 2022 DNV energy cyber security report are grossly misleading
DNV published The Cyber Priority report, “The State of Cyber Security in the Energy Sector”. I believe the oil, gas, and chemical (not electric) industries are leading most industries addressing control system cyber security. The report states the research draws on a survey of 948 energy professionals and a series of in-depth interviews with industry […]
Critical infrastructure cyber security is broken – process sensors continue to be ignored
While no one would argue that network security isn’t important, it’s also important that the basic process sensor data that cross the OT network not be overlooked. Process sensors are necessary input for reliability, availability, safety, predictive maintenance, product quality, and cyber security. Yet process sensors have no cyber security and are connected to the […]
Utility industry continues to deny that control system cyber incidents are occurring
Control system cyber incidents are real and impactful (more than 500 control system cyber incidents in the electric industry). To date, most of these incidents have not been identified as “cyber” because of lack of identified intent. When reporting and remediating a control system cyber incident, the intent isn’t as important as the impact of […]
Control system cyber incidents in electric and other sectors are frequent, often impactful, but not reported
The electric and nuclear industries have required “incident” disclosure for more than 20 years. The other infrastructure sectors either have no incident disclosure requirements or only recently started such as TSA for pipelines and EPA for water. There is a significant gap between the electric industry’s reported control system cyber incidents and actual control system […]
CISA finally issues guidance on cyber issues with Uninterruptible Power Supplies (UPSs)
After years of prodding and multiple UPS cyber incidents (https://www.controlglobal.com/blogs/unfettered/cyber-vulnerable-uninterruptible-power-supplies-upss-have-caused-physical-damage-to-data-centers), March 29, 2022, CISA has finally stepped up and issued guidance on some aspects of UPS cyber vulnerabilities – https://www.cisa.gov/sites/default/files/publications/CISA-DOE_Insights-Mitigating_Vulnerabilities_Affecting_Uninterruptible_Power_Supply_Devices_Mar_29.pdf. This is certainly welcome progress. However, more work is still needed to address other aspects of insecure building and data center control systems: insecure process […]
It is not possible to meet Senate cyber disclosure requirements or CISA OT recommendations
I am preparing a presentation on the lack of cyber security in process sensors titled: “Shields Up and Good Cyber Hygiene Does Not Apply to Insecure Process Sensors” for a March 10, 2022 seminar. Process sensors have no inherent cyber security and yet have hardware backdoors directly to the Internet. The cyber security gap includes no […]