Have been following the discussions on industrial cybersecurity, convergence, network vs device security, and IT vs OT vs ICS[2]. Some of the points of view differ greatly on what needs to be done. This lack of consensus indicates that something may be wrong with our assumptions and our approach. A disturbing lack progress being made on how to insure the safety, reliability and performance of the technologies that support modern economic activity, national security and well-being of society. I have heard the views of the industry’s current opinion leaders and decided to take a new approach and consult with some respected figures from the past. They see the “big picture” now and perhaps they can provide some insights which can be used to make more constructive progress in industrial cybersecurity. In my search I made a lucky query and found the Waybk machine[3] which offers free access to famous figures of the past for a limited period.
Here is a selection from the transcript of my conversation[4] with military strategist Sun Tzu[5] and biologist Louis Pasteur:
Butrimas: Hello Mr. Tzu, is that really you?
Tzu: Yes I am real how about you?
Butrimas: ha ha ha, Seriously now could I ask you to share your perspective and answer some questions about today?
Tzu: Sure, but I can’t take too long. I have a meeting with the descendants of the rulers that I used to advise. They are quite excited that their country is moving forward and want to make sure they get it right and want to hear from me.
Butrimas: Ok will be brief. I am interested in your views on today’s efforts in industrial cybersecurity. Your book “Art of War” is quite popular in my time. In fact it is frequently quoted by our businessmen and cybersecurity practitioners. What is your view of our efforts to protect the technologies that are the foundation of critical infrastructure as found in the energy, water, transportation and other sectors of critical infrastructure?
Tzu: Good question grasshopper. If I am being read today than you should be well aware of one of my most famous quotes:
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”https://www.goodreads.com/author/quotes/1771.Sun_Tzu
Butrimas: oh yes the quote is used at the beginning of one of the premier books available today: “Handbook of Scada/Control Systems Security, 2nd Edition.
Tzu: Of course I know about the Brodsky and Radvanovsky book. There are some other good ones out there as well. For example Mr. Weiss and Mr. Langner have written some excellent books on the topic.
Butrimas: then why Master is there so much disagreement among industrial cybersercurity practitioners today. They all can read and am sure they are aware of these books?
Tzu: what is lacking is a common understanding of what is being discussed. Some fail to know the “enemy” as I say in my book and there are only partial wins and many loses. You have conferences today on critical infrastructure protection where the enemy seems to be just cyber criminals but what the far more resource capable states are doing is being ignored. In fact such a lack of awareness only seems to help the states continue playing a rigged game of GO[6] with your critical infrastructure and are not held to account for this behavior. And why should the limit themselves when this activity is effective, cheap and most importantly deniable. Very much to my liking.
Butrimas: Yes, but I think many will say that there is nothing that can be done and states will always behave this way according to their national interest.
Tzu: that is foolish thinking for it will only make the state bolder in its actions. Can’t you see things are getting worse? I see that among the targets are safety systems of petrochemical plants. The potential danger introduced into your lives far exceeds what a cyber-criminal can accomplish. My advice to you is to consider that until the states decide amongst themselves that this behavior threatens both the victim and the perpetrator equally then things will get much worse. After all there is nothing now out there to stop them. Not even a convention like they have for cybercrime. I hear that today’s law enforcement will stop investigating a cyber case if they run into evidence of state activity. That is like the Emperor making it known that if you steal a horse you will not be punished. Not a very good way to run an empire.
Pasteur: excuse me, I could not help overhearing. You know cybersecurity practitioners make use of terms from my field of medicine. Forgive me if I remind you of the term “virus” now. Many medical terms like this apply to cybersecurity as well. In terms of my esteemed military colleague’s point about knowing the enemy I see another error being made today in applying this rule. I will use the example from my field. You know I am known for my work with bacteria. Bacteria are microorganisms that have cell walls. If you want to deal with a bacterial infection one of the ways that Alexander Fleming[7] discovered is to attack the cell wall. This is why penicillin and the later anti-biotic preparations are so effective. However they do no work with viral infection[8]. Viruses do not have a cell wall and that is why penicillin is not effective. You have to have an understanding of viruses and howe they differ from bacteria in order to come up with an effective remedy.
Butrimas: I get what you are saying doctor but what does this have to do with protecting critical infrastructure?
Pasteur: Take a look at the discussion over IT, OT and ICS. They are all part of an industrial enterprise. The IT is where the billing and accounting take place. The OT is where the control room is found. The operators there are remotely monitoring and controlling a physical process such as turbine generating electricity or a pumping stations sending fuel down a pipeline. The turbine and the pumping station are where a physical process is taking place and they are directly monitored and managed by industrial control system devices, PLC’s, actuators or IED’s. The IT and OT are heavily dependent on good network communications. Without the network the IT and especially the OT will not be aware of what is going on with the physical process where the ICS is. The ICS even if the network is lost will still be there and the physical process with still do something.
Butrimas: Yes, but what does this have to do with your point about the difference between bacteria and viruses?
Pasteur: Those that are promoting a security approach based on network security and threat intelligence are mostly going to be effective in protecting the IT and OT. It will not be very effective against threats to the ICS or where the physical process is. To go back to my bacterial and virus analogy. The network security and threat intel approach will work for the threat from “bacteria” in protecting the IT and OT parts of the enterprise but will not be very effective in protecting the ICS or physical process part. There you need to understand what the physical process is. It is not IT it is about the laws of physics. This understanding is needed before coming up with measures that will be specific to what a a physical process is.
Sun Tzu: Yes that is it. The practitioners of the network security approach do not know the “enemy” or what the target is. Their efforts do not fully apply to the ICS and will likely be only partially successful. In fact it is likely that their solution will not protect against a major failure in the ICS resulting in possible loss of life, damage to equipment and to the environment.
Pasteur: It is like giving someone antibiotics to someone suffering from a viral infection (Covid). It just will not work for the virus. Remember a virus has no cell wall and penicillin will not be effective. Something designed to interfere with the unique aspects of a virus will be the most effective.
Butrimas: Ok I think I got it. One of the big challenges for industrial cybersecurity practitioners is to know the environment first before coming up with a solution.
Sun Tzu: Yes, just make sure you check your assumptions. Again do not assume that OT and ICS are the same. I think you know they are not and that is the starting point for developing an effective remedy.
Pasteur: Could not have said it better myself.
Sun Tzu: Of course.
Butrimas: thank you for your time and sharing your deep perspective. I hope we can meet and continue our dialogue in the future.
[end of transcript]
**********************************
We should not leave defining what IT, OT and ICS are to the scholars or venders. A poor definition may lead to a poor solution for protecting our critical infrastructure from threats emanating from cyberspace. The community of interest must come to a consensus on what these terms are about or we risk coming up with a solution that is ill-fitted to the chosen IT, OT or ICS environments.
To add a commentary on Sun Tzu: If you don’t know what it is you are trying to protect and the enemy does know, you will always fail, much to your surprise each time.
[1] https://www.goodreads.com/author/quotes/1771.Sun_Tzu
[2] http://scadamag.infracritical.com/index.php/2020/08/17/is-there-a-problem-with-our-understanding-of-the-terms-it-ot-and-ics-when-seeking-to-protect-critical-infrastructure/
[3] http://pdqicu.web.archive.gro
[4] Alas the technology to record such conversations does not exist. Not even Zoom or Teams has this capability.
[5] Sun Tzu also has a “presence” on social media. Here is a link to his Twitter feed: https://twitter.com/SunTzu03871658
[6] https://en.wikipedia.org/wiki/Go_(game)
[7] https://en.wikipedia.org/wiki/Alexander_Fleming
[8] https://www.drugs.com/article/antibiotics-and-viruses.html#
