On June 8, 2022 an explosion occurred at the Freeport, TX LNG facility. Apparently, one of the facility's LNG transfer lines was over pressurized and ruptured. The Freeport LNG explosion could have simply been the result of unintentional system or personnel problems as that facility did not have a stellar safety record. But this wasn’t the only LNG facility to have a control system-related event. The explosion could have also been the result of malicious cyber-related issues as sophisticated attackers can make a cyberattack look like equipment malfunctions There are several cyber-related issue ..read more

DOE’s Form OE-417 collects information from US utilities on electric incidents and emergencies. The OE-417 data covers the time span from 2000 through the end of February 2022 and so does not include any incidents since the start of the 2022 Russia-Ukraine War. There have been 37 cyberattacks identified, four of those cyberattacks lasted at least one and a half days with one lasting more than 4 months. There have been 150 “complete loss of view or control for more than 30 minutes” incidents reported since June 2018. several of these incidents lasted from 4 to 25 hours. Moreover, at least 11 of ..read more

The term “cybernetics” is defined as the science of communications and automatic control systems in both machines and living things. Today, the term cybernetics has been transformed to the term “cyber” which generally doesn’t always address the physical nature of devices that control physics. There have been thousands of deaths from malicious and unintentional control system cyber incidents. These deadly control system cyber incidents continue to recur and process sensors often play a role in those incidents. However, these fatal incidents often are not Internet Network (IP)-related. The conti ..read more

DNV published The Cyber Priority report, “The State of Cyber Security in the Energy Sector”. I believe the oil, gas, and chemical (not electric) industries are leading most industries addressing control system cyber security. The report states the research draws on a survey of 948 energy professionals and a series of in-depth interviews with industry leaders and security experts. The report states that 64% of the respondents develop, operate or support operational technology (OT). However, only 35% of the cyber security experts working with OT agreed that a cyber-attack on their organization c ..read more

While no one would argue that network security isn’t important, it’s also important that the basic process sensor data that cross the OT network not be overlooked. Process sensors are necessary input for reliability, availability, safety, predictive maintenance, product quality, and cyber security. Yet process sensors have no cyber security and are connected to the Internet during maintenance potentially introducing malware or sensor manipulation. Important information about the health of the physical processes and the process sensors are found in the milli-second to second “squiggles” in the ..read more

Control system cyber incidents are real and impactful (more than 500 control system cyber incidents in the electric industry). To date, most of these incidents have not been  identified as “cyber” because of lack of identified intent. When reporting and remediating a control system cyber incident, the intent isn’t as important as the impact of the incident - the basis of consequence-based engineering. Using techniques such as FMEAs can be valuable if all control system devices, networks, and scenarios are considered. However, the interconnectedness of utilities can require that FMEAs cons ..read more

The electric and nuclear industries have required “incident” disclosure for more than 20 years. The other infrastructure sectors either have no incident disclosure requirements or only recently started such as TSA for pipelines and EPA for water. There is a significant gap between the electric industry’s reported control system cyber incidents and actual control system cyber incidents (more than 500). The low number of reported grid cyber-related incidents can be attributed to how the electric industry defines a cyber incident. The utility industry needs to address all control system cyber inc ..read more

Locking the door doesn’t work where there is no door. Unintentional cyber accidents or malicious cyberattacks can cause kinetic damage and there are no cyber forensics, training, or cyber security requirements for addressing these incidents. The TSA Pipeline cyber security requirements (and corresponding requirements for other infrastructure sectors) need to be more control system-focused. That is, pipelines and pipeline critical control equipment such as compressors, process sensors, motors, actuators, and analyzers need to be explicitly included. Because many of the control system cyber ..read more

The DHS CISA Cybersecurity Advisory Committee held a conference call Thursday, March 31, 2022 that discussed current CISA Cybersecurity Advisory Committee activities and the Government's ongoing cybersecurity initiatives. The meeting was for the Committee members to hear updates and discuss progress as it relates to the CISA Cybersecurity Advisory Committee's six subcommittees: (1) Transforming the Cyber Workforce Subcommittee; (2) Turning the Corner on Cyber Hygiene Subcommittee; (3) Igniting the Hacker Community Subcommittee; (4) Protecting Critical Infrastructure from Misinformation and Dis ..read more

After years of prodding and multiple UPS cyber incidents (https://www.controlglobal.com/blogs/unfettered/cyber-vulnerable-uninterruptible-power-supplies-upss-have-caused-physical-damage-to-data-centers), March 29, 2022, CISA has finally stepped up and issued guidance on some aspects of UPS cyber vulnerabilities - https://www.cisa.gov/sites/default/files/publications/CISA-DOE_Insights-Mitigating_Vulnerabilities_Affecting_Uninterruptible_Power_Supply_Devices_Mar_29.pdf. This is certainly welcome progress.  However, more work is still needed to address other aspects of insecure building and ..read more