For SCADASec Fifteen years ago, I wrote the blog – “Malicious vs unintentional cyber incidents – why it is necessary to include unintentional incidents”. This blog was written weeks before Stuxnet and its impact on control systems and centrifuge damage were made public. Stuxnet demonstrated that cyberattacks could be made to look like equipment malfunctions […]
Category: Policy
NERC Sensors
The fallacy that the electric grid is cybersecure by meeting the NERC CIPs is finally being exposed. Situational awareness is based on process sensor input that is incorrectly assumed to be uncompromised, authenticated, and correct. Because process sensors use non-routable protocols, they have not been considered to be NERC Cyber Assets. Depending on the situation, […]
Network tabletop exercises don’t include engineering and plant operations
If engineering and operations are left out of cybersecurity training and exercises, it’s no surprise that they’d also tend to be overlooked during the pressure of an actual incident. The complexity in manufacturing and industrial control systems is not understood by network security. Simply restarting IT and OT networks from a “golden backup” is not […]
What are the unlearned lessons from Stuxnet
On July 22, 2025, the US House Committee on Homeland Security held a hearing, “Fully Operational Stuxnet 15 Years Later & the Evolution of Cyber Threats to Critical Infrastructure”. Stuxnet was not an attack on the networks. Rather, Stuxnet was a stealth attack that damaged physical infrastructures by manipulating physics. Stuxnet used networks as a conduit […]
There have been many publicly documented control system cyberattacks that caused physical damage
Sinclair Koelemij stated in his July 20, 2025 article that the only documented control system cyberattack that directly caused physical damage was Stuxnet. He is not the only one who feels this way. However, there have been numerous cases in every sector where there have been publicly documented control system cyberattacks that caused physical damage. There […]
Misguided response to the Norwegian Dam and Oldsmar “cyberattacks”
Not all control system cyber incidents are malicious cyberattacks. They can be accidents or errors, too. In their haste to find OT cyberattacks, the OT cybersecurity community, including regulators, continues to jump to conclusions about what are OT cyberattacks while at the same time ignoring incidents that don’t look like cyber incidents they are used […]
Government officials need to recognize the importance of control system cybersecurity
My colleague, Vytautas Butrimas, is retiring after a long and distinguished career. I am writing this blog both in admiration for Vytautas’s work and to demonstrate that government leaders like Vytautas and former US Congressman James Langevin, neither of whom is an engineer, can become leaders in supporting the need for control system, not […]
Control System Cyber Incidents: The Hidden Threat to Grid Stability
Control system cyber incidents, particularly those originating from even a single compromised or malfunctioning sensor system, can impact vast portions of the electric grid (or other critical infrastructures). Despite decades of lessons and warning signs, meaningful progress in securing power grid (and other critical infrastructure) control systems remains elusive. This failure stems from foundational misunderstandings […]
Could the Spanish outage occur here
Mike Swearingen and I did a webinar for the IEEE Consultants Network on the Spanish Outage and associated grid issues. The webinar can be found at https://www.youtube.com/watch?v=4wnk8hZEzuw. As the results of the Spanish outage are not finalized, our discussions were based on our experience. The initial discussions were on two questions: could the Spanish […]
2025 IEEE Power & Energy Society Summit: “Achieving a more reliable and resilient energy future”
I attended the IEEE Reliability and Resilience Summit May 19-21, 2025, in San Jose, CA. There were more than 300 attendees from more than 150 organizations. The program can be found at 2025 IEEE Power & Energy Society Summit – IEEE Power & Energy Society. The key takeaways were: This was an engineering conference with the attendees […]
