School of Industrial Cybersecurity: time to review the curriculum

School of Athens

It is hard sometimes for me to watch the discussions on critical infrastructure protection taking place these days, especially when it comes to cybersecurity practices and policies.  The conferences, announcements of new national cybersecurity strategies, pronouncements of industry opinion leaders in the media, government publications on best practices, guides, books and, last of all, vendor solutions for addressing cyber threats all leave me a bit disappointed, especially when I evaluate how much they address protecting the critical infrastructure vital to supporting modern economic activity, national security, and the well-being of society.  Sometimes I like what I read, but when I understand what it is they propose to protect and from what threats, I am frequently disappointed.

In trying to weed out all the hype and noise on the topic of critical infrastructure protection by government institutions, organizations, and other interested parties, I will crudely summarize what IMO is wrong with the discussion.  It is in essence a disagreement on what constitutes reality in the realm where the products and services vital to the well-being of society originate. I am thinking about where the electricity, water, transport, heat and fuel come from.  The disagreement, or perhaps clash, of different understandings of reality can be illustrated by a painting by Raphael called the School of Athens.  In that painting all the scholars and philosophers of the ancient world (mostly the Greek world) are separated into two groups by the two central figures, Plato and Aristotle.  There is a disagreement about the reality of the world being depicted here.  Plato on the left raises his hand upward to indicate that the reality of ideas is up there, unseen in the heavens, while Aristotle extends his hand parallel to the earth and trusts in the senses to determine what is truth.  This image in a way can be applied to the problem of critical infrastructure protection today.  The image of Plato I would associate with the belief in the importance of protecting data and information, represented by an equally invisible, ethereal form of bits and bytes.  I would assign the image of Aristotle to represent the physical processes found in the generation and distribution of electricity, the chemical reactions in petrochemical plants and water supply systems, and the manufacturing of the products we buy.  To crudely summarize, it comes down to the data-centric IT security point of view, which applies well to the technologies found in our office and home environments, as opposed to the control environment point of view, which applies to the technologies used to monitor and control a physical process.

The problem I see is that, unlike Raphael, who harmonized in his painting the differing views of reality belonging to the theoretical and the practical in a school where both views are discussed and accommodated (or synthesized), there is very little harmony being demonstrated in today’s efforts to protect critical infrastructure.  The data-centric view of the IT department and of policy makers, who seem to think the security practices used to secure their office and home computers can be applied to industrial environments, continues to dominate.  The input of the operators of critical infrastructure, who know how the process works, is not present in the strategies, and it seems it is not even asked for by the writers of these documents.  On the other hand, the operators or engineers who know how the process runs do not seem to fully appreciate the threats to their operations posed by what is being experienced in the home and office IT environments. We see the results of this lack of appreciation and collaboration between the two schools of thought several times each year now.  In 2021 we saw ransomware occurring in the office environment of a pipeline operator lead to an emergency shutdown of the physical operations on the actual pipeline, even though the process control technologies were not infected with the ransomware[1].  In 2022 so far we have witnessed a cyber attack that damaged satellite terminals, appearing first in one country and then spreading to neighboring countries,[2] the discovery of cyber attack tools designed to locate and compromise PLCs[3], and another attack, on a steel mill, which resulted in physical damage[4].

The signs of a change in this lack of harmonization are few.  In the summer of 2021, almost 20 years after Bill Gates’s famous e-mail about getting serious about trustworthy computing for IT platforms, there appeared the Top 20 Secure PLC Coding Practices[5].  The engineers are trying and coming up with good solutions to the problem, but they are still not being consulted by policy makers, as can be seen in the recent NIS2 Directive issued by the European Union[6].

Until we have a harmonization of these two schools and a recognition of a partnership between equals, we can expect further incidents and surprises in our critical infrastructure.


[1] https://zetter.substack.com/p/ransomware-infection-on-colonial

[2] https://thestack.technology/viasat-ka-sat-outage-cyber/

[3] https://www.cisa.gov/uscert/ncas/alerts/aa22-103a

[4] https://iranwire.com/en/technology/105278-hacking-group-predatory-sparrow-takes-down-steel-plants-in-iran/

[5] https://www.plc-security.com/

[6] You can read my take and view the document here: https://www.linkedin.com/feed/update/urn:li:activity:7003987809585790976/

http://scadamag.infracritical.com/index.php/author/vytautas/

NOTE: The views expressed within this blog entry are the author’s and do not represent the official view of any institution or organization with which he is affiliated. Vytautas Butrimas has been working in cybersecurity and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. He has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) on the ISA 62443 Industrial Automation and Control System Security Standard and is Co-chair of ISA 99 Workgroup 16 on Incident Management and a member of ISA 99 Workgroup 14 on security profiles for substations.