Hidden In Plain Sight

Control system cyber incidents are more plentiful and impactful than most observers expect - more than 17 million directly resulting in more than 34,000 deaths. Most of the incidents were engineering-based cyber attacks used to camouflage a deficiency in the design of the product or to cause physical damage.

The engineering-based cyber attacks did not involve the Internet, Windows, or Operating Technology (OT) networks to carry out the attacks. Consequently, these incidents were not identifiable by network cyber forensics and would not fall under the Chief Information Security Officer's domain.

This means most of these incidents would not be addressed by existing government and industry cyber security guidance, nor make their way to company  boards and regulatory authorities as cyber events.

While there have been more than 1,200 electric grid cyber-related incidents, that doesn’t adequately reflect the true impact on customers and the economy as some of the cyber-related outages have affected tens of millions of people. In addition, the diesel emissions scandal lays bare the philosophical differences in how offensive cyber attackers and cyber defenders’ approach cyber security.

The impacts from the 'dieselgate' were huge, more than $35 Billion in damages and several people went to jail, yet many defenders would not consider these to be malicious cyber attacks because they weren’t the type of attacks they were expecting.

Until the OT network-focused regulators and practitioners are willing to address engineering-based incidents and attacks, critical infrastructures cannot be secured.

Recommendations are provided to address the gaps in control system cyber security monitoring and control system cyber incident disclosure as existing disclosure requirements are geared toward vulnerabilities not incidents. It is also evident that monitoring the process sensor signals at the physics layer would have identified most of the incidents regardless of cause.

Joe Weiss is Managing Partner at Applied Control Solutions

This article is shortened version of the original Control Global Blog

You Might Also Read:

Many Cyber Security Experts Don’t Understand The Systems They Are Trying To Secure:

 

« Five Ways Executives Can Optimize Cyber Security Spending
It’s Well Past 230 For The US Communications Decency Act »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Assured Data Protection

Assured Data Protection

Assured Data Protection specialises in data protection and disaster recovery services for large SME and enterprise organisations.

AirCUVE

AirCUVE

AirCUVE provide authentication and access control solutions for networks and mobile security.

National Association of Software and Services Companies (NASSCOM) - India

National Association of Software and Services Companies (NASSCOM) - India

NASSCOM is a trade association of Indian Information Technology and Business Process Outsourcing industry. Areas of activity include cyber security.

Red Canary

Red Canary

Red Canary continuously monitors and analyzes your endpoints, users, and network activity in search of threatening behaviors, patterns, and signatures.

Secure Decisions

Secure Decisions

Secure Decisions focus on research and product development related to national security including information assurance, computer network defense, cyber security education, and application security.

Sopher Networks

Sopher Networks

Sopher is a secure communication and collaboration platform for business and personal use.

Enigmatos

Enigmatos

Enigmatos is an Israeli based Automotive Cyber Security company. We provide solutions to the ever growing threat of vehicle hacking.

Crayonic

Crayonic

Crayonic digital identity technologies protect and guarantee the identity of people and things.

ISA Security Compliance Institute (ISCI)

ISA Security Compliance Institute (ISCI)

ISCI, a not-for-profit automation controls industry consortium, manages the ISASecure™ conformance certification program for industrial automation and control systems.

Cylera

Cylera

Cylera is a Healthcare IoT cybersecurity and intelligence company built in close partnership with healthcare providers.

RealCISO

RealCISO

RealCISO is a CISO grade cloud platform to help companies understand, manage, and mitigate their cyber risk.

Shield Capital

Shield Capital

Shield Capital helps founders build frontier solutions in cybersecurity, artificial intelligence, space & autonomy for commercial and government enterprises.

Traceable

Traceable

Traceable was founded to protect applications from next-generation attacks.

Otto

Otto

Stop Client-Side Attacks. Plug otto into your application security suite and protect your supply chain.

Zyber 365 Group

Zyber 365 Group

Zyber 365 are providing a robust, decentralized, and cyber-secured operating system which adheres to the fundamental principles of environmental sustainability.

Spec

Spec

Spec is the only no-code orchestration platform that protects enterprise fraud defenses from being blocked, bypassed, and manipulated by modern attack tactics.