Data center control system cyber incidents have shut down or damaged data centers operated by many different entities globally. August 30, 2023, a utility voltage sag tripped cooling units at the Microsoft Australia East Azure Data Center. When the voltage sag occurred, all five chillers in operation faulted and didn’t restart because the pumps did […]
Is the U.S. Government’s Cyber Informed Engineering Implementation Guide the long-awaited breakthrough in CIP?
USCG Icebreaker opening path through the ice* This past year has been disappointing for governments and institutions issuing documents on critical infrastructure protection. The European Union has issued a draft of the Cyber Resilience Act[1] and NIS2 Directive[2]. Across the Atlantic the U.S. has after a series of high-profile cyber incidents on its infrastructure (Colonial […]
Having a framework for a boat does not guarantee that it will float or sail well.
The above is a drawing of the framework of the 17th Century Swedish warship “Vasa”. The design of the bottom was too shallow and caused the ship to tip over when it tried to sail out of port. Lately governments have been issuing cybersecurity policy documents that are shallow in their depth of understanding of […]
Hacking insecure process sensor systems may have affected the Chernobyl nuclear plant site
I am an engineer not a threat analyst. I can tell you what can happen to control systems from cyber vulnerabilities; I cannot tell you why someone would or would not want to exploit these vulnerabilities. My concerns are from a safety perspective as process sensors are used globally to monitor environmental conditions around industrial […]
Improving Control Systems Management
Operational Technology Cybersecurity is a symptom of a much larger problem. It is a problem that extends beyond just securing networks, keeping forensic logs, managing software and embedded systems. It is MUCH deeper than that. It goes to the core of industrial systems and the people that manage and operate it. HOW DID WE GET […]
A Tale of Two Cities water attacks – Oldsmar and Discovery Bay
There have been more than 130 control system cyber incidents in water/wastewater utilities. Like Oldsmar and Discovery Bay, most of these incidents have occurred in small water utilities. Many of these incidents were not publicly disclosed, nor were the utilities required to disclose these incidents. When the Oldsmar water “hack” was publicized, a water system […]
Differences between IT and control system cyber incidents in maritime
Researchers at NHL Stenden University of Applied Sciences in the Netherlands have launched the Maritime Cyber Attack Database (MCAD). MCAD includes information on over 160 cyber incidents in the maritime industry. When compared to my database of control system cyber incidents, the MCAD database was missing the cases where control system cyber-related incidents caused physical […]
Critical infrastructures cannot be secured when process sensors are not secure
If you can’t trust what you measure, there is no cyber security, resiliency, process safety, productivity, or predictive maintenance in any critical infrastructure or cyber-physical system. Process sensors have no cyber security or authentication yet use remote access extensively as documented in the process sensor vendors’ specifications. ISA and NIST have identified there is no cyber […]
Surface transportation is cyber vulnerable and control system issues are not adequately addressed
May 25, 2023, I gave a presentation to the American Public Transportation Association’s (APTA) Enterprise Cybersecurity Working Group (ECSWG) and Control and Communications Security Working Group (CCSWG) teleconference on “Undetected ICS Cyber Incidents”. The general status was the same as for oil/gas, electric, nuclear power, water/wastewater, medical devices, etc. That is, the focus being on […]