25 Years, Same Question
Dale Peterson
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
Why don't we see more OT cyber incidents?
My first exposure to OT security was a security assessment of a water SCADA system in 2000. It was a disaster from a security perspective: an old OS and applications that hadn't been touched since install, poor network segmentation, shared Admin accounts with default passwords, and unauthenticated, insecure-by-design control protocols, PLCs and RTUs.
Little changed from 2000 to 2010, except for a few pioneers who started to address these issues. When people learned of the state of OT security, they asked the question: if these ICS are so vulnerable, why don't we see OT cyber attacks and cyber incidents?
OT security awareness went mainstream in the 2010 to 2020 decade. Pioneers gave way to early adopters, and even to the early majority for some basic OT security controls. Still, the majority of OT systems were far from secure, far from implementing even what you would call the basic security controls and consequence reduction needed to reduce OT cyber risk. Attack and vulnerability content was widely distributed and hyped, but the number and impact of OT cyber incidents remained small. Tiny, a mere blip compared to other causes of OT outages, physical damage, and safety incidents.
The question being asked that decade was: why don't we see more OT cyber incidents?
In 2025, 25 years after my first OT security gig, the question is still being asked. I've never had a great answer, nothing more than conjecture. I haven't heard a great answer from anyone else either.
Is it because criminals have easier ways of making money through cyber attacks?
Is it because criminals, nation states, and non-state actors worry about the potential retribution if they take out critical infrastructure? We saw a bit of this fear in the Colonial Pipeline incident.
Is it because the criminals and organizations who might want to damage OT systems through cyber attacks lack the knowledge? This may have been believable up to 2020, but seems hard to believe now. It does take process and automation knowledge to cause a specific type of damage, but it is not required to take a system down. Some OT that "must never go down" is incredibly fragile.
Is it happening a lot more than is publicly disclosed, either because a) the affected asset owner doesn't want to disclose, or b) the affected asset owner knew there was an incident but didn't know it was caused by a cyber attack?
I don't have an evidence-based answer. We can be happy that, whatever the reason, we as a society haven't suffered the expected number and impact of incidents, yet.
BTW, that water system from 2000 has never had an outage caused by a cyber incident, and it has an impressive OT security program after 25 years of continued improvement. There is a growing number of asset owners properly addressing OT cyber risk in every sector. Maybe we can get lucky, for whatever reason, for another 5 or 10 years, and by then the majority will have addressed OT cyber risk.
Industrial cybersecurity Consultant, Performed Cyber Risk Study of the ICS used in the NATO CEPS.
1 month
It is a false question. Same as asking why since 1945 we have not seen nuclear weapons used (besides testing) on civilians. The capability is there and being further developed in a world that seems to be getting more dangerous as we speak. We often think of Colonial Pipeline and not enough about what was demonstrated in Stuxnet. A sophisticated capability whose development was not motivated by financial return, with the willingness to use it. Things since then have not been standing still. BTW the great computer in the Hitchhiker's Guide to the Galaxy gave the answer as "42" but also said you have to understand the question. Today the answer seems to be "OT" which is not clearly defined. As long as we lack a commonly accepted definition for the technologies used to monitor and control processes governed by the laws of physics and chemistry we will continue to ask the question. It is good we continue to ask, for we ignore it at our peril. It must mean something that the question about incidents has not gone away. Ignore it at your peril.
OT Security Engineer
1 month
Well.... Events have to first be identified, then categorized as incidents, then reported to even count.... Could it be that this is not happening much yet in OT?
Grid Stability Modeling and Simulation, Energy Transformation / Power Grid Modernization Solution Development and Delivery Services, Water Treatment Resiliency and Security Solutions Delivery.
1 month
Design in and deploy mixtures of analog-based components and systems along with digital/programmable components. Reduces overall system resiliency.
Cyber-Physical Risk Expert | Founder Cyber-Physical Risk Academy | Consultant, Speaker, Trainer, Publisher | Operational Technology | Masterclasses | Training | 45+ years in process automation. OT security focus.
1 month
Perhaps we should also reconsider the definition of what constitutes an OT cyber incident. If we include malware infections, there have been thousands, but most have had limited impact. These could be seen as the "near misses" of OT security, offering lessons on vulnerabilities without causing major disruptions. A significant number of cyber incidents remain unreported, especially when their impact is confined to financial losses or when no clear evidence of compromise has been identified. This underreporting skews our understanding of the broader threat landscape. There is also a critical distinction between actual attacks and risk evaluation, particularly when contrasting statistical risk with threat-based risk. In threat-based risk analysis, it is essential to account not only for incidents that have occurred but also for non-events, as they provide valuable insights into both the likelihood and potential impact of potential future incidents. Both process safety and OT security require a proactive approach.
Automation Manager (IT, OT, ICS, Cybersecurity, Automation & Process Control Optimization)
1 month
One compelling reason may lie in the attacker's cost-benefit analysis. Many attackers find what they perceive as a "pot of gold" in enterprise (stage 1 attack) environments and stop there. Financially motivated cybercriminals often prioritize quicker wins (stealing data, deploying ransomware, or committing fraud) over the more complex and resource-intensive process of pivoting into OT networks. Reaching stage 2 (ICS) requires overcoming segmentation (if implemented), understanding proprietary protocols, and navigating the unique characteristics of OT systems. For many attackers, this effort may not yield additional value proportional to the risk and time, especially if the initial breach of the enterprise network already delivers a lucrative outcome.