A Tale of Two Cities water attacks – Oldsmar and Discovery Bay

There have been more than 130 control system cyber incidents in water/wastewater utilities. Like Oldsmar and Discovery Bay, most of these incidents have occurred in small water utilities. Many of these incidents were not publicly disclosed, nor were the utilities required to disclose these incidents. When the Oldsmar water “hack” was publicized, a water system […]

Differences between IT and control system cyber incidents in maritime

Researchers at NHL Stenden University of Applied Sciences in the Netherlands have launched the Maritime Cyber Attack Database (MCAD). MCAD includes information on over 160 cyber incidents in the maritime industry. When compared to my database of control system cyber incidents, the MCAD database was missing the cases where control system cyber-related incidents caused physical […]

Critical infrastructures cannot be secured when process sensors are not secure

If you can’t trust what you measure, there is no cyber security, resiliency, process safety, productivity, or predictive maintenance in any critical infrastructure or cyber-physical system. Process sensors have no cyber security or authentication yet use remote access extensively as documented in the process sensor vendors’ specifications. ISA and NIST have identified there is no cyber […]

Surface transportation is cyber vulnerable and control system issues are not adequately addressed

May 25, 2023, I gave a presentation to the American Public Transportation Association’s (APTA) Enterprise Cybersecurity Working Group (ECSWG) and Control and Communications Security Working Group (CCSWG) teleconference on “Undetected ICS Cyber Incidents”. The general status was the same as for oil/gas, electric, nuclear power, water/wastewater, medical devices, etc. That is, the focus being on […]

“Chattinn Cyber” with Marsh’s Marc Schein on critical infrastructure cyber security

Marc Schein is the Northeast Cyber Champion for Marsh & McLennan (insurance). Marc has spoken before members of Congress and leaders in the Aviation Industry on Capitol Hill regarding the issues and costs of cyber breaches, and how to properly transfer risk to ensure that an organization or business is properly protected from what might […]

Florida city water cyber incident allegedly caused by employee error

The Oldsmar, Florida, water treatment plant was the target of a cyberattack in 2021, which raised concerns about the cyber vulnerability of crucial infrastructure. Reports at the time claimed that a worker at the company witnessed his computer being accessed and managed remotely. The amount of sodium hydroxide, also known as lye, in the water […]

The National Cybersecurity Strategy fails to address fundamental control system and critical infrastructure issues

In May 1998, Presidential Decision Directive (PDD) 63 mandated the cyber security of critical infrastructures be implemented by May 2003. Twenty years and multiple PDDs and Presidential Executive Orders later, the government agencies responsible for securing the critical infrastructures are still failing to adequately address the issues that can cripple our country and its critical […]