Policy makers these days give peculiar names to what they are protecting.

“Abbott: Strange as it may seem, they give ball players nowadays very peculiar names”
Costello: Funny Names?
Abbott: On the St. Louis team we have “Who’s on first, What’s on second, I Don’t Know’s on third
Costello: That’s what I want to find out. I want you to tell me the names of the fellows on the St. Louis team.
Abbott: I’m telling you. Who’s on first, What’s on second, I Don’t Know’s on third….
Costello: You know the fellow’s names?
Abbott: Yes
Costello: I mean the fellow’s name on first base.
Abbott: Who.
Costello: The guy on first base
Abbott: Who is on first
Costello: Well, what are you asking me for?
Abbott: I’m not asking you — I’m telling you. Who is on first
Costello: I’m asking you – who’s on first?
Abbott: That’s the man’s name
Costello: That’s who’s name?
Abbott: Yes.”

(Dialogue from Abbott and Costellos “Who is on first sketch” https://en.wikipedia.org/wiki/Who%27s_on_First%3F )

The quoted transcript above comes from a famous comedy skit by Abbot and Costello where a misunderstanding of the meaning of the words “Who, What,  I Don’t Know” used to describe the sport of baseball are cleverly exploited by the comedians for comic effect.  The straight man played by Abbot is trying to list the names and positions played by players on the team.  The hapless Costello is unable to understand that Abbot is honestly answering his question but does not comprehend the true meaning of the word “Who” and other words used in the context of the dialogue.  Abbot uses it to tell the peculiar but real last name (Who, as in Mr. Who) of the player assigned to first base and Costello thinks of the word as a question (“Who is playing on that base?). 

It has been my observation in the past years of working in critical infrastructure protection (CIP) that the terms IT, OT and ICS are being similarly misunderstood, and most dangerously, at the policy making level.  I see the engineers to be like “Abbot” who know what they are talking about when speaking about physical processes behind industrial operations and the Government as the Costello who just cannot seem to get it.  Abbott is plainly perplexed at Costello’s inability to understand his answers.

On May 7th the Colonial pipeline system which daily pumps and distributes 2.5 million barrels of oil along the US East Coast was forced to shut down its operations due the effects of a cyber-attack on the IT systems of the company[1]. At this time and referring to the little operational information that is available the ransomware attack was limited to the IT in the office or administrative part of the company and did not immediately effect physical process going on in the pipeline itself.  Many commentators in government and industry have called this incident a “wake up call”[2] for action, which apparently added pressure on the US Government and new administration for a decisive response. Most notably in the US President’s Executive Order of May 12, 2021 “On Improving the Nation’s Cybersecurity”.  In considering that the EO came just days after the Colonial shutdown, some unhelpful ambiguity seems to have entered into what is looking like a too hasty response.  For one thing we have had a long string of “wake-up calls” since the appearance of STUXNET in 2010 indicating that the engineering systems used to support modern economic activity, national security and well-being of society were now subject to attack from highly skilled adversaries.  The US Government even issued a warning to pipeline operators in the US that something like the incident at Colonial might happen soon in February of 2020[3].

Ok so one might say better late than ever and now we have the EO of May 12 and we have a clear way ahead for responding and making sure this does not happen again, or at least not so easily as happened in this case. Reading the EO leaves me wondering.  In calling for “the Federal Government to partner with the private sector” it appears things are moving along on the right track but as I read, I am wondering if there is enough care being taken to avoid Abbott and Costello type misunderstandings.  For one thing the text seems very IT centric in its terminology and mindset. One wonders if any process control engineers were invited to draft the text of the EO. The terminology being used appears strange.  The word “information” is used 56 times and often together with the words “systems” as in “information systems”.   No words having to do with monitoring and control of a pipeline such as SCADA, PLC, Pumping (station), Depot (storage), pressure, sensor appear at all. A peculiar terminology is used to describe operational technology (OT) which raises some doubts about what the authors of the EO had in mind and what the reader (asset owner or plant engineer) may understand from it.  For example, what is the meaning of the sentence:

 “The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)”?

Is OT just about protecting our “safety” or isn’t it also about protecting the ability of the asset operator to view and control a physical process, as in this case pumping and delivering fuel in a reliable, safe and efficient way down a pipeline to customers?

Next, we encounter another peculiar sentence: “The Federal Government contracts with IT and OT service providers to conduct an array of day-to-day functions on Federal Information Systems.  These service providers, including cloud service providers,…”.  This is the first time that I have heard of OT being associated with a “service”.  Have mostly thought that OT has to do with the remote management and control of a physical process whose end result is electricity, gasoline, drinking water and a train arriving on time.  Here “service sounds like the kind of service we get from our mobile data provider for our smart phones or picking up cleaned and pressed clothes from the dry cleaners (cleaning service).  There is the “service economy” but have never heard of an “OT economy”.

Then there is the language about “Zero Trust”. Suppose it makes good sense in the Office/Home IT environment for the billing and accounting departments of the enterprise but has there been much thought in imposing “Zero Trust” on an industrial control system? Add security measures that will take up processing power on devices and pressure sensors that you have to trust?

Over the weekend, I had a running dialogue with some engineering colleagues about the use of the word “service” and OT in the same sentence.  I pointed out that this document has a strong IT bias.  My engineering colleague agreed but said the meaning was clear to everyone.  We should not make that assumption.  The Abbott and Costello dialogue ended in a completely confused Costello and a dismayed Abbot.  The “Abbotts” or the engineering community who do know what they are talking about need to be understood and this may require some extra patience on their part to explain the nuances of applying and working with the laws of physics and chemistry.   The Costello’s or Government policy makers need to make a better effort to think outside of the IT biased box.  They need to understand what it is exactly that need protection measures. To avoid well-intentioned but ineffective policy to protect the critical infrastructure we all depend the writers of these peculiar documents need to invite the engineering community to the drafting and review process instead of bending to the pressure of “we need to come out with something now” which may not produce the intended result.  Something that will become (hopefully not painfully) evident when we get the next “wake up call” event.


[1] https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html

[2] https://www.wthitv.com/content/news/US-pipeline-cyberattack-is-a-wake-up-call-for-America-574390141.html

[3]  US CISA Alert (AA20-049A) Ransomware Impacting Pipeline Operations   https://us-cert.cisa.gov/ncas/alerts/aa20-049a February 18, 2020

http://scadamag.infracritical.com/index.php/author/vytautas/

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in cybersecurity and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) on the ISA 62443 Industrial Automation and Control System Security Standard and is Co-chair of ISA 99 Workgroup 16 on Incident Management and member of ISA 99 Workgroup 14 on security profiles for substations.

Related posts