ISA’s MLM 38A document focuses on control system cyber incidents, spotlights ongoing challenges and solutions

The International Society of Automation (ISA) ISA99 committee has given its stamp of approval to the Micro Learning Module (MLM) 38A titled ‘Identifying Control System Cyber Incidents,’ following a rigorous peer-review process. The ISA99 work product can help organizations meet their cyber incident reporting requirements. By identifying control system cyber incidents, OT (operational technology), IT, and engineers could become more aware of risk and be better enabled to take appropriate prevention measures leading to a more holistic approach to cyber security.

“It is not possible to have an effective OT/ICS cybersecurity program if you can’t identify control system incidents as being cyber-related,” Joe Weiss wrote in a Wednesday post on the Unfettered Blog. “Yet, OT cybersecurity is under the purview of the CISOs whose focus is the malicious compromise of IP networks and whose staff are not trained to identify control system incidents as being cyber-related. Those people that can identify control system cyber incidents are not under the purview of the CISO.” 

Weiss is an ISA Life Fellow, an IEEE senior member, and a managing director of ISA99. He is a managing partner of Applied Control Solutions, with deep experience in instrumentation and control system cyber security across multiple industries.

The MLM 38A document identifies that IT cyber incidents involve data breaches and denial of services, with extensive cyber forensics available for these systems. Comparatively, control system cyber incidents involve risks to physical equipment and human beings, but few cyber forensics exist for ICS (industrial control systems) and OT systems. It also points out that field changes to instrumentation and control systems, including program and data edits, should be signed off by the responsible engineer; control system cyber incidents can be disguised as equipment failures. This is particularly likely with sophisticated attacks.

Additionally, the document urges the performance of root cause analyses on control system cyber-related events. This will make it possible to implement appropriate responses. Control system cyber events that become incidents should be reported according to clear criteria and reporting mechanisms.

The MLM 38A document highlights that OT control system cyber incidents can directly impact physical equipment and cause injuries. “They may also provide false information to plant operators, resulting in mis-operation and increased risks. OT cyber incidents may impact safe operations and cause common-mode failures with even wider impact.”

In addition to direct impacts, they can indirectly impact operations by changing targets and goals. 

The document also said that OT cyber incidents are often not identified as being cyber-related.

“Attackers will hide compromises in order to avoid consequences or countermeasures. Sophisticated cyber-attackers may emulate equipment failures to avoid detection. On the owner’s side, ‘indicators of compromise’ may not exist with current ICS forensics.”

The MLM 38A document pointed to two types of limitations, technical and personnel, in ICS and OT cyber forensics as currently implemented. Technical limitations that may be found in legacy systems include workstation logging that does not capture forensic information; circular buffers that may overwrite older data; actions such as setpoint changes that may not be logged; and limited security of ICS device and network configurations. The identified personnel limitations include inadequate training for personnel to recognize cyber-related events, and OT and ICS network personnel who may not be trained to detect equipment compromise or unauthorized reprogramming and configuration changes.
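The two logging gaps named above, a circular buffer that silently discards older entries and setpoint changes that never reach the log at all, are easy to see in a small model. The following Python script is an added illustration written for this summary; it is not code from the ISA99 document or from any vendor product. It contrasts a legacy-style fixed-capacity event buffer with a forwarded, append-only, hash-chained audit trail, and it checks logged setpoint changes against a register of values signed off by the responsible engineer (the sign-off practice the document recommends). All event data, tag names and the sign-off register are constructed for the example.

```python
"""Model of two ICS forensic gaps: circular-buffer overwrite and unlogged
setpoint changes, beside an append-only, hash-chained audit trail.
All events, tags and sign-off values below are constructed sample data."""
from collections import deque
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Event:
    seq: int            # monotonically increasing sequence number
    kind: str           # "login", "alarm" or "setpoint_change"
    tag: str = ""       # instrument tag, e.g. "PT-101.HI" (constructed)
    value: float = 0.0  # new setpoint value for setpoint_change events


class CircularLog:
    """Legacy workstation log: fixed capacity, oldest entries overwritten silently."""

    def __init__(self, capacity: int):
        self._buf = deque(maxlen=capacity)

    def record(self, ev: Event) -> None:
        self._buf.append(ev)  # deque drops the oldest entry once full

    def events(self) -> list:
        return list(self._buf)


def _chain_hash(prev: str, ev: Event) -> str:
    """Hash of this entry bound to the previous entry's hash."""
    payload = f"{prev}|{ev.seq}|{ev.kind}|{ev.tag}|{ev.value}".encode()
    return hashlib.sha256(payload).hexdigest()


class AppendOnlyLog:
    """Forwarded audit trail: never overwrites; each entry is hash-chained so
    that a deleted or reordered entry breaks verification."""

    GENESIS = "0" * 64

    def __init__(self):
        self._entries = []  # list of (Event, chain hash)

    def record(self, ev: Event) -> None:
        prev = self._entries[-1][1] if self._entries else self.GENESIS
        self._entries.append((ev, _chain_hash(prev, ev)))

    def events(self) -> list:
        return [ev for ev, _ in self._entries]

    def verify(self) -> bool:
        prev = self.GENESIS
        for ev, h in self._entries:
            if h != _chain_hash(prev, ev):
                return False
            prev = h
        return True


def run_scenario(capacity: int = 8, noise_events: int = 20,
                 legacy_logs_setpoints: bool = False):
    """Emit one setpoint change followed by routine alarms into both logs.
    By default the legacy log does not record setpoint changes at all."""
    legacy, audit = CircularLog(capacity), AppendOnlyLog()
    counter = 0

    def emit(kind: str, tag: str = "", value: float = 0.0) -> None:
        nonlocal counter
        counter += 1
        ev = Event(counter, kind, tag, value)
        if kind != "setpoint_change" or legacy_logs_setpoints:
            legacy.record(ev)
        audit.record(ev)  # every event is forwarded to the audit trail

    emit("login", tag="operator1")
    emit("setpoint_change", tag="PT-101.HI", value=160.0)
    for _ in range(noise_events):
        emit("alarm", tag="TT-205")  # routine alarms flood the buffer
    return legacy, audit


def setpoint_changes(events: list) -> list:
    return [ev for ev in events if ev.kind == "setpoint_change"]


# Constructed register of the last setpoint values signed off by the
# responsible engineer; anything that differs is flagged for review.
SIGNED_OFF = {"PT-101.HI": 120.0}


def unauthorized_changes(events: list, signoff_register: dict) -> list:
    """Setpoint changes whose new value is not the signed-off value."""
    return [ev for ev in setpoint_changes(events)
            if signoff_register.get(ev.tag) != ev.value]
```

Running `run_scenario()` shows that the legacy buffer contains no trace of the setpoint change in either configuration: when the change is not logged it never enters the buffer, and when it is logged the twenty routine alarms push it out of the eight-slot buffer. The forwarded audit trail retains it, `verify()` detects removal of the entry, and `unauthorized_changes()` surfaces the discrepancy against the engineer's sign-off, which is the check an incident reviewer needs in order to decide whether an equipment anomaly was cyber-related.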

The document also outlines that OT cyber incidents may be categorized by the networks that were attacked. It looks at four OT cyber incident examples, two based on OT networks and two based on engineering issues. In each case, both malicious and unintentional cyber incidents are shown. Note that without cyber forensic software and operator training, it will be more difficult to detect the incident or to determine whether an incident is malicious or unintentional.

In the case of the SolarWinds and Stuxnet attacks, malicious code was present for many months before it was detected. In each case, damage increased the longer the malicious code was present. In the case of Stuxnet, this damage involved plant equipment, while in the case of SolarWinds, it involved loss of data from SolarWinds’ customer networks.

The MLM 38A document added that, in the case of the NOTAM hack, cyber forensic software and cyber training of their personnel were both in place. “As a result, the cause of the failure and its unintentional nature were quickly determined, and FAA flight operations were quickly restored. However, with both Stuxnet and DC Metro Train Crash, neither forensic software nor operator cyber training had been implemented.”

It also noted that due to a lack of control system cyber forensics and associated training, it is unclear how many unidentified engineering-based cyber incidents have occurred or are still active.

The MLM 38A document also provided some examples of ‘actual’ IT and OT cyber incidents. The commonly known IT examples include the SolarWinds compromise, in which security software was tampered with, causing loss of information from clients’ networks; ransomware, which has resulted in major losses in IT networks and has also impacted industrial operations technology systems; and the Microsoft Exchange Server vulnerability that provided a ‘back door’ into large numbers of mail networks.

The familiar control system and OT examples include Stuxnet, which destroyed high-tech centrifuges and delayed Iran’s nuclear program; Triton, which was discovered at a Saudi Arabian petrochemical plant where it disabled emergency shutdown systems; and Industroyer, which shut down electrical power to much of the city of Kyiv, Ukraine, for several hours.

In addition to the possibility of equipment damage and human injury, the economic impact of cyber attacks can be substantial. Loss of electrical power during the 2003 Northeast power outage was estimated at 5 to 7 billion dollars. The PG&E San Bruno natural gas pipeline incident was estimated to cost $1.5 billion and resulted in a loss in PG&E stock value, and the Taum Sauk dam failure cost more than $1 billion in losses.

Providing examples of cyber incidents that were not identified as being cyber-related and where cyber incident response was therefore not initiated promptly, the MLM 38A document said that in the Stuxnet attack, centrifuges were damaged from overpressure conditions by changing the pressure readings in the controllers, while maintaining alternate pressure sensor readings in the control room and pressure relief systems.

“The Viasat modems were ‘bricked’ by remote BIOS reprogramming. As a result, a German wind farm operator lost 5,800 Viasat terminals. Strangely, this was not considered to be a cyberattack because it was ‘only a loss-of-view’ event, and power continued to be produced by the affected wind farms,” the document added. “An Australian wastewater cyber attack involved a disgruntled insider who was imprisoned for two years for hacking into the computerized waste management system more than 46 times and spilling a total of millions of liters of sewage.”

The ISA99 document also detailed how sometimes events are misidentified as cyber-attacks because operations do not know how to assess and evaluate an incident.

The 2021 Oldsmar water treatment system event is such an example. It was initially identified as a control system cyber incident. However, on careful examination, this explanation was not credible, and it was later established to be a human error. There was no actual impact from the event, so it should not even have been treated as a ‘reportable’ incident.

Nonetheless, because it was initially reported as a malicious cyber attack, government and industry guidance was issued based on this misconception. Clearly, better information, practices, and training are needed to help the industry correctly identify cyber incidents.

The MLM 38A document also sheds light on the prevalent issue of under-reporting in control system cyber incidents.

In August, the ISA released a position paper that offers recommendations on how policymakers and private-sector leaders can effectively address the pressing issue of enhancing critical infrastructure cybersecurity. The paper uses globally relevant standards and conformance programs and delivers support for the community of engineers and automation professionals working on keeping facilities, processes, and communities safe.