Fifteen years ago on August 10, 2010, I wrote the blog, “Malicious vs unintentional cyber incidents – why it is necessary to include unintentional incidents”. This blog was written weeks before Stuxnet and its impact on control systems and centrifuge damage were made public.
As I mentioned in my July 24 blog on the July 22, 2025 House Homeland Security hearing, “Fully Operational Stuxnet 15 Years Later & the Evolution of Cyber Threats to Critical Infrastructure”, one of the most important takeaways from Stuxnet should have been that cyberattacks could be made to look like equipment malfunctions and therefore go unidentified as cyber-related.
The issue, which was not discussed in the hearing, was this: At the control system field device level (Level 0 process sensors, actuators and drives), there are neither cyber forensics nor cybersecurity training sufficient to identify control system incidents as being cyber-related. Monitoring OT networks does not provide this information.
Consequently, not only are we failing to identify unintentional control system incidents as cyber-related, but we are also failing to identify control system cyberattacks as cyber-related. I go back to what the July 22 Stuxnet hearing was about – what have we learned since Stuxnet? When it comes to control system cybersecurity, not much.