If control systems move back to analogue can we still keep our smart phones?

I have been following the discussion about the return to analogue. Both this and the Industry 4.0 movement are new to me and have put them on my “study this more” list. Recently a colleague sent me a paper, “The Case for Simplicity in Energy Infrastructure” (1) , which has captured my imagination. It very eloquently states the case that the digitalization and increasing complexity of industrial control systems has reached a crossroads. Things can only get worse and it is time to make a radical course change. In short the solution proposed is to select the assets that are considered to be absolutely critical to the national economy and re-engineer them to accommodate a return of some analog devices which can block unauthorized access and control from cyberspace. On one hand it seems like a breakthrough in terms of answering one of the key security questions, “What needs to be protected?” and shows a way out of the precarious digitalization-complexity-vulnerability cycle. However before accepting the author’s invitation to join them in “changing the game” I would like to make a proposal and pose some questions:

1.
If the engineering community (here I consider myself a friendly outsider) can see the merits of simplicity and going back to analogue, what is the best way to sell this idea to management and policy makers? One way would be to demonstrate how it would work with a known example of a successful cyber-attack. For example much analysis has been done on STUXNET since many of us first heard about it in 2010. It would be useful in terms of understanding the concept if it could be shown how analogue devices could have stopped or at least significantly interfered with the execution of this state resourced cyber-attack on a control system. Other examples of more recent events could also be used such as the cyber-attack on Ukraine’s power distribution system last December.

2.
It would be useful to get some feedback from the point of view of offense. Would the introduction of analogue devices as proposed in the article above discourage state resourced attackers from targeting, planning, and executing a cyber-attack on a control system that has these analogue blockers? After all, applying an analogue device is still a technical solution. Will this not be seen as just another technical challenge for the attacker to solve? If the attacker belongs to an APT group the required time, know-how and resources may be easily found to get around an analogue block. Would be great to hear a comment about the analogue proposal from someone who works/worked in offense. If they were confronted with the analogue blocker would this make them stop the cyber- attack planning or would they just add it to their list of tasks. Or perhaps they would pass and hand over the project to another unit that uses more traditional means to disrupt an industrial operation?

Lastly, is this ”back to the future”(2) like proposal to reintroduce analogue devices feasible considering today’s realities? Perhaps it is too late to put the digital aspects back in the bottle? To use a crude analogy there are probably very few smart phone users today (other than criminals fearing surveillance by the authorities) who would prefer to return to using mobile phones with the functionality of the mobile phones of 10-15 years ago. The new digital capabilities and efficiencies that have been introduced to modern control systems may not be easy to give up.

Would imagine that a business case must be developed that would provide assurance to management and stockholders that the plan to re-engineer and reduce the digitalization of control systems would not only increase safety and reliability but also be cost-effective. For a chosen infrastructure that is considered vital to the health of a nation’s economy and national security the unknown development and implementation costs may be considered acceptable. One can say that every digital solution has vulnerability(3) but that does not necessarily mean that the analogue solution is a better guarantee against vulnerability. They have been vulnerable even in the old analogue dominant days have they not? Can still remember living through the Northeast Blackout of 1965 which was caused by a poorly set relay (4) . This initial cause of the blackout was for a time a “mystery” and was not determined until after days of investigation (5). The need to determine and react to such faults promptly contributed to the development of today’s control systems.

wisjournal-relay-dev-black

(Took about a week for the cause to be found for Northeast Blackout of November 9, 1965)

To summarize I welcome consideraton of the proposal for returning in part at least to the old analogue way of doing things as discussed in the article “The Case for Simplicity in Energy Infrastructure” and wish to accept the invitation to work with others in helping to change the game. It offers some hope in dealing with the digitally caused fragilities in today’s critical systems. However speaking not as an engineer but as someone with experience in policy making I know how important it is to present the ideas and concepts the engineers come up with in an understandable way. This issue merits wider discussion and attention by decision makers. To my mind going over the analyzed/publicized cases of previous cyber-attacks on control systems and covering how the analogue inject would have helped mitigate or block the attack would be most helpful in generating interest and momentum for this initiative.

1. Assante M., Roxey T., Bochman A., „The Case for Simplicity in Energy Infrastrcuture“ , CSIS. October 2015. https://www.csis.org/analysis/case-simplicity-energy-infrastructure .

2. Langner, R., „Back to the future putting analogue hard stops to cyber-attacks“, http://www.langner.com/en/2014/03/15/back-to-the-future-putting-analog-hard-stops-to-cyber-attacks/ ,The Langner Group, March 15, 2014.

3. Ibid.,

4. REPORT TO THE PRESIDENT BY THE FEDERAL POWER COMMISSION ON THE POWER FAILURE IN THE NORTHEASTERN UNITED STATES AND THE PROVINCE OF ONTARIO ON NOVEMBER 9-10, 1965 http://blackout.gmu.edu/archive/pdf/fpc_65.pdf

5. From the power commission report „It was most uncommon in that the origin of the disturbance was not betrayed by equipment failure or other external evidence“ Ibid. p. 17.

http://scadamag.infracritical.com/index.php/author/vytautas/

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in cybersecurity and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) on the ISA 62443 Industrial Automation and Control System Security Standard and is Co-chair of ISA 99 Workgroup 16 on Incident Management and member of ISA 99 Workgroup 14 on security profiles for substations.