A large part of OT Security marketing is based around anecdotes.

Some anecdotes are real. This small water utility was hacked and a tank overflowed. This manufacturer had ransomware and had to shut down certain factory operations for three days. This rail system was hacked and trains were out of service for almost a day.

Some anecdotes are half real. An electric utility’s IT network was compromised and this could have led to an outage if the attacker successfully pivoted and took control of key OT systems.

Some anecdotes are possibilities that haven’t occurred. A major power, factory, water, … outage occurs. There is immediate speculation that it might be a cyber attack. Once the cause is found, the anecdotes shift to “this could be caused by a cyber attack.”

None of these anecdotes are data that you should use to drive decisions. At best, the real ones are a data point in a very large data lake. For example, the electric industry’s System Average Interruption Duration Index (SAIDI), which measures the average time a customer is without power in a year, is data. We can measure the percentage of average outage time that was due to a cyber incident. Thankfully this is near zero for every year to date.

Another example is the tragic number of employees killed in workplace safety incidents. In the US in 2023 there were 1,075 deaths in manufacturing and 1,454 in utilities. Again, thankfully there were no fatalities due to cyber attacks.

Not all the cyber impact data is sunny. Cyber-caused outages in hospitals and other healthcare institutions have caused death. The data is indirect, but it is data. There are studies and analyses that show the increase in death per minute of delay for certain causes. We can take the duration of cyber-caused outages and the population served, and use the data from these studies to estimate death rates caused by cyber incidents.

The data isn’t as clear or available, but we should be able to do something similar in manufacturing with ransomware. Identify the average loss of product or service output due to a ransomware incident and multiply it by the number and duration of ransomware incidents to create ransomware incident impact data.

Anecdotes can be useful to show something is possible: that an attack is possible or a defense is possible. They shouldn’t be used for driving risk management decisions.

Hat Tip: Seth Godin’s Stories and Hope
