Utility industry continues to deny that control system cyber incidents are occurring

Control system cyber incidents are real and impactful (more than 500 control system cyber incidents in the electric industry). To date, most of these incidents have not been identified as “cyber” because of lack of identified intent. When reporting and remediating a control system cyber incident, the intent isn’t as important as the impact of […]

Control system cyber incidents in electric and other sectors are frequent, often impactful, but not reported

The electric and nuclear industries have required “incident” disclosure for more than 20 years. The other infrastructure sectors either have no incident disclosure requirements or only recently started such as TSA for pipelines and EPA for water. There is a significant gap between the electric industry’s reported control system cyber incidents and actual control system […]

CISA finally issues guidance on cyber issues with Uninterruptible Power Supplies (UPSs)

After years of prodding and multiple UPS cyber incidents (https://www.controlglobal.com/blogs/unfettered/cyber-vulnerable-uninterruptible-power-supplies-upss-have-caused-physical-damage-to-data-centers), March 29, 2022, CISA has finally stepped up and issued guidance on some aspects of UPS cyber vulnerabilities – https://www.cisa.gov/sites/default/files/publications/CISA-DOE_Insights-Mitigating_Vulnerabilities_Affecting_Uninterruptible_Power_Supply_Devices_Mar_29.pdf. This is certainly welcome progress.  However, more work is still needed to address other aspects of insecure building and data center control systems: insecure process […]

It is not possible to meet Senate cyber disclosure requirements or CISA OT recommendations

I am preparing a presentation on the lack of cyber security in process sensors titled: “Shields Up and Good Cyber Hygiene Does Not Apply to Insecure Process Sensors” for a March 10, 2022 seminar. Process sensors have no inherent cyber security and yet have hardware backdoors directly to the Internet. The cyber security gap includes no […]

Cross industry meeting to address the gap in process sensor cyber security and process safety

A virtual cross-industry meeting was held on January 5th, 2022 under the purview of IEEE, with universities and standards development and industry organizations representing a cross-section of critical infrastructures. Essentially, “a coalition of the willing”. As process sensors are used in all sectors, the intent of the meeting was to create outcomes and a way […]

There’s more to control system cybersecurity than IT and OT networks – TSA is missing that distinction

Control system cyber incidents affecting pipelines, rail, and aviation have caused catastrophic damage resulting in multi-billion-dollar impacts and hundreds of deaths. Detecting cyberattacks against IT and OT networks can be done today. However, the same cannot be said for detecting control system cyber incidents (attacks and unintentional incidents) that occur with the cyber insecure control […]

Power grid cyber security recommendations still don’t address key grid cyber vulnerabilities

In August 2021, DNV published DNV-RP-0575, “Recommended Practice, Cyber security for power grid protection devices”. The Recommended Practice is important as it was developed based on the results of a joint research and development project with Fingrid (Finland), Stattnet SF (Norway), and Svenska Kraftnet (Sweden) and used by T&D India following the Chinese cyberattacks. The […]

The utilities are not addressing the cyber security that will keep lights on

On November 16-17, 2021 the utility industry conducted its biennial grid security exercise – GridEx VI. The exercise addressed the hybridized attacks of IT and OT networks which included ransomware as well as physical security. The lack of cybersecurity in the grid’s process sensors is a common mode vulnerability that affects both situational awareness and incident […]

Addressing Chinese-made equipment in the electric industry – a success story

Monday, November 15, 2021 a public utility commission in a hearing on a major new transmission project referenced my blog on the DNI report on Chinese-made transformers, https://www.controlglobal.com/blogs/unfettered/dni-identifies-chinese-transformers-as-cyber-vulnerable-risks-yet-doe-and-industry-ignore-the-threat/ in a question to the utility. In response, the utility stated they would not be using Chinese-made transformers in this project. I consider that to be a […]

The gaps preventing cyber securing physical infrastructures

Physical infrastructures are monitored and controlled using instrumentation and control systems. Instrumentation monitors the processes and control systems control the physics. I have not used the term “critical infrastructure” as these issues apply to any physical infrastructure. Yet, instrumentation and the physics of the processes are often ignored as the focus of security experts is […]