Was busy at a resilience workshop in Germany last week when the buzz started to peak about the release of the latest version of the U.S. National Cybersecurity Strategy[1]. As someone who headed task forces to prepare the first Military Defence Strategy (2000) and first National Defense System Cybersecurity Strategy (2009) of Lithuania and served on national task forces to draft the first National Security Strategy and Law on Cybersecurity, I have some experience in writing strategy documents. These documents, if prepared properly, can be quite useful during implementation. If they are poorly written, then, sadly, one can expect a new version of the strategy to appear next year. In reading this new US strategy I paid attention to how the authors answered 3 security policy questions: what to protect, from what threats, and how to protect the identified assets from the identified threats? Reading the strategy after I returned home from the meeting, I was quite surprised at the answers I got to those 3 questions[2].
I am aware that several industry opinion leaders and security companies have come out with their responses and will not attempt to repeat them or go into great depth of analysis[3]. Instead I will do what I usually do when I start reading a strategy document on security, in this case one that purports to address the cybersecurity of critical infrastructure.
My “skeleton key” to unlock these documents is to search for key words that give indications about what environment the document is anchored in and what kinds of specialists were involved in drafting it. It was most important to get a feel for whether any engineers were on the drafting team. In other words, I wanted to find out quickly whether this is going to be another office IT, data-centric, computer science biased document about protecting critical infrastructure based on what is found in our offices, on our desks and in our pockets, or whether it will cover what is needed – something that addresses protecting the technologies used to monitor and control processes governed by the laws of physics and chemistry[4].
As a test I searched for the words “Critical” and “Infrastructure” which appeared 70 and 88 times respectively. So far that is what one should expect.
I then did some word searches for the presence of an office IT bias, and this is what I came up with:
- Information: 38
- Internet: 29
- Data: 37
- Privacy: 12
- Networks: 15
Ok, references to IT do belong, and one should not make a judgement yet. What caught my eye were the many hits on the word “Internet”, which appeared not only in the first sentence of the Introduction but went on to appear 28 more times. The word “networks” appeared 15 times, but the IT context prevails in referring to wireless, public networks, critical infrastructure, standards-based and social networks. Then I focused the next search on some terms related to the technologies that monitor and control processes found in critical infrastructure, processes governed not by the laws of data protection and personal privacy but by the laws of physics and chemistry. Below is what the search terms returned, and I must admit I started saying, “here we go again”.
- Process: 12 (counting paired words such as “collaborative process”, “implementation process” or “electoral process”)
- Industrial: 8 (also counting paired words that were vague such as “industrial strategy”)
- Control: 7
- Integrity: 0
- Automated: 2 (including one in context of “exchange of data”)
- Reliability: 1
- Reliable: 10 (mostly in context of the Internet and supply chains)
- Resilience: 37
Physical processes are key to understanding the services society depends on from critical infrastructures such as electric power and water. The word “process” appears 12 times but mostly in non-industrial contexts as in “collaborative process”, “implementation process” or “electoral process”. Sorry to say, while some other process control words are used, the IT bias was becoming obvious. The word “integrity”, for example, which is a key feature in estimating the physical process[5], does not appear at all. Reliability is mentioned often enough, but again it is associated with the Internet and with just “supply chains”, not with the reliable supply of electricity, water or other services vital to economic activity and the well-being of society. As an aside, the mention of supply chain security is welcome as it is important, especially in the electric power sector. It was then quite curious to note the absence of a reference to the executive order of the previous administration regulating the procurement of bulk power equipment. Implementation of Executive Order EO 13920[6], issued on May 1, 2020, was later suspended pending review by the new administration. The fate of this EO is apparently in the hands of the Department of Energy, which is preparing some kind of report on “supply chains in the energy sector”. Will wait and see.
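The keyword check used above is easy to reproduce on any document text, and the “paired word” problem noted for “process” and “reliable” is the part worth automating: a raw count of a term overstates its industrial relevance when most hits sit inside collocations such as “collaborative process”. The script below is an added example, not part of the original post; it runs whole-word, case-insensitive counts, subtracts hits that belong to a hypothetical list of non-industrial collocations, and prints a context snippet for each hit so a reviewer can judge the usage. The sample text and the noise phrases are constructed for illustration and are not quoted from the strategy.

```python
import re

# Constructed sample text standing in for a strategy document.  It is NOT
# quoted from the U.S. National Cybersecurity Strategy; it only exercises
# the counting logic.
SAMPLE_TEXT = """
The Internet underpins the economy. A collaborative process between agencies
will guide the implementation process. Ransomware targets sensitive data.
Operators must keep view and control of the physical process at the plant.
Reliable supply chains and a reliable Internet are priorities. Process
integrity was not discussed. Pipelines and pipeline operations matter.
"""

# Hypothetical collocations that make a hit non-industrial, keyed by term.
# Extend this per document; it is an assumption for the example, not a standard list.
NOISE_PHRASES = {
    "process": ["collaborative process", "implementation process", "electoral process"],
    "reliable": ["reliable internet", "reliable supply chain"],
}


def _pattern(term):
    """Whole-word, case-insensitive regex; the optional trailing 's' folds plurals
    such as 'pipelines' and 'supply chains' into the singular term."""
    return re.compile(r"\b" + re.escape(term) + r"s?\b", re.IGNORECASE)


def count_term(text, term):
    """Number of whole-word hits of `term` (or its plural) in `text`."""
    return len(_pattern(term).findall(text))


def contexts(text, term, width=30):
    """Short, whitespace-normalised snippets around each hit, for manual review."""
    snippets = []
    for m in _pattern(term).finditer(text):
        start = max(0, m.start() - width)
        end = min(len(text), m.end() + width)
        snippets.append(" ".join(text[start:end].split()))
    return snippets


def keyword_report(text, terms, noise=NOISE_PHRASES):
    """For each term return the raw hit count, the count left after removing
    hits that belong to a noise collocation, and the context snippets."""
    report = {}
    for term in terms:
        raw = count_term(text, term)
        noisy = sum(count_term(text, phrase) for phrase in noise.get(term.lower(), []))
        report[term] = {
            "raw": raw,
            "substantive": raw - noisy,
            "contexts": contexts(text, term),
        }
    return report


if __name__ == "__main__":
    # Terms drawn from the post's own searches; PLC is expected to score zero.
    terms = ["Internet", "process", "reliable", "integrity", "pipeline", "PLC"]
    for term, info in keyword_report(SAMPLE_TEXT, terms).items():
        print(f"{term}: raw={info['raw']} substantive={info['substantive']}")
        for snippet in info["contexts"]:
            print(f"    ...{snippet}...")
```

To apply it to a real document, extract the PDF to plain text first (for example with `pdftotext`) and pass that string in place of `SAMPLE_TEXT`; the noise list is what turns a word count into the contextual reading the post does by hand.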
The one word that appeared favorably for the strategy was the word “resilience”, which was found 37 times. This was the main theme of the meeting I attended last week in Germany and directly relates to what many in a nation would like to be resilient, namely the economy, national security and the well-being of society**. Sadly, the office IT mindset present in this document will not even address half of what is needed to make those sectors resilient to the advanced and skilled threat actors targeting their supporting technologies today.
Next I looked for a clear identification of critical infrastructure sectors to be protected that support the well-being of society, economy and national security. A word search came out with not much evidence of attention to the ones having to do with well-being of society:
- Water: 2 (water treatment, water systems)
- Electric: 3 (electric distribution, vehicles, electric grid)
- Grid: 5 (one used in context of “cloud-based grid management”)
- Pipeline(s): 3 (energy pipelines, pipeline operations)
Then I did a search for specific equipment/devices or software important to critical infrastructure:
- PLC (programmable logic controller): 0
- SCADA: 0
- DCS: 0
- Substation: 0
- Transformer: 0
- SIS (safety instrumented system): 0
- ICS: 0
- IACS: 0
The lack of hits for the above words is worrisome. One may say that words belonging to industrial control system devices, such as “PLC”, are a level of detail not appropriate for a national strategy. Well, I can agree, but then how can one defend the inclusion of “baby monitors” and “fitness devices”? Some valuable best practices, such as the Top 20 PLC Secure Programming Practices[7], have been developed for PLCs and are worth referring to in the strategy, as PLCs are ubiquitous in the operations found in critical infrastructure. One starts to wonder what the authors had in mind when drafting a national strategy.
The relevance of “safety” (mentioned 8 times) as related to physical processes found in critical infrastructure protection was poorly represented. Although safety was associated in one case with the power grid, it focused mostly on other non-industrial aspects of safety such as “public safety” and, oh dear, the IT bias again: “protection of personal data”. “Protection” or “protections” were associated with protecting “sensitive data” (for example from ransomware) and Internet of Things (IoT) devices which focused on protecting “baby monitors” and “fitness devices” but not an Industrial IoT or intelligent electronic device (IED) such as a networked or stand-alone protection relay at a substation.
“OT” did appear 5 times as opposed to 6 appearances of “IT”. However, the terms were used mostly together as in “IT and OT” (4 times). There were few significant references or associations among IT, OT and industrial control systems (ICS is used 2 times). OT and ICS are used together once but without any explanation of the differences. I suspect the IT-biased authors of this document did not know the difference either and did not understand the importance of engineering outside of the IT/OT in the office and control room.
In concluding that the IT in the home, office and ministry was the working environment of the strategy, I next looked at what the document considers to be threats. In terms of threats the main ones come from “cybercrime” (5 times) or cyber criminals (2 times) in the form of ransomware attacks (mentioned 25 times, 16 of them on just one page that later introduces the document’s strategic objectives!). Cybercrime and ransomware are of course important threats that should be listed, but depending on law enforcement alone will not fully protect critical infrastructure. There are other threat actors that need to be attended to that are not in the jurisdiction of law enforcement and the Convention on Cybercrime[8]. The jurisdiction issue matters most because when law enforcement discovers evidence of state involvement they are likely to drop the case[9]. All the media attention to ransomware incidents has really penetrated the consciousness of the drafters of the strategy, with many references, 16 mentions on one page alone. However, too much emphasis on cybercrime and ransomware unbalances the document, leaving the state actor and the threat to the view and control of industrial processes inadequately addressed.
Figure 1 There can be no doubt that “ransomware” has entered the consciousness of the drafters of this strategy in a big way. One page alone has the word “ransomware” listed 16 times.
The malicious activities of states in cyberspace and the threats they constitute are recognized in the strategy. Several countries are pointed out in the strategy: China, Russia, Iran and North Korea which have been linked to state sponsored cyber-attacks on critical infrastructure[10]. In providing examples of state caused cyber incidents the one incident that gets highlighted is the “NotPetya” ransomware attack on Ukraine’s financial system which spread to operations in other countries in 2017. No time is spent on the significance of other notable state developed and implemented cyber-attacks on critical infrastructure which resulted in some physical effect or damage since the appearance of STUXNET at a nuclear enrichment facility in 2010[11]. It must be noted that the nation largely considered responsible for this attack which took away the view and control of a nuclear enrichment facility from the operators is not on the list of countries responsible for executing cyber-attacks listed in the strategy.
Missing also are attacks that better represent threats to the view and control of processes found in critical infrastructure. No mention, for example, of the two attacks on Ukraine’s power grid in 2015 and 2016. The former opened breakers at 30 substations and within seconds put a quarter of a million Ukrainian customers in blackout. The latter attack, in addition to causing a blackout, also attempted to compromise protective relays. This attempt to attack safety systems was repeated in 2017, also not mentioned, with the attempt to compromise the safety systems of one of the largest petrochemical plants in the world[12], causing two emergency plant shutdowns[13]. Other than a brief mention of the Colonial Pipeline ransomware incident in 2021, one looks in vain for other concrete examples where cyber means were used to attack critical infrastructure.
In the summer of 2022 a steel mill in Iran was reported to have been cyber-attacked, which supposedly resulted in damage to the plant. Since this document was published by the U.S. Government, it is disappointing to see no mention of CISA’s alert, also during last summer, of the discovery of cyber attack tools designed to seek out, locate and compromise programmable logic controllers, popularly known as “Pipedream”. In my opinion these omissions indicate a lack of awareness about the dynamic threats present in cyberspace, and most importantly about the threat actors that are not criminally motivated to plant ransomware but aim to take away the view and control of a physical process from the operator. To my mind this lack of awareness exposes a serious flaw in the threat assessment behind the strategy.
In terms of what needs to be protected from the wide variety of cyber threats, I was quite surprised to see in the context of IoT the highlighting of devices used as “baby monitors” and “fitness trackers”. This produced a suspicion that some of the drafters of this document were young professionals in their late 20’s to 30’s who are raising infants and are very self-conscious of their health. Their understanding of the technologies that monitor and control physical processes seems limited to the experience of travelling as a passenger on a train, through a metro station or an airport.[14] One can seriously doubt whether the writers have tried to enlighten themselves by a visit to the control room of a power station or a pipeline operations control room, let alone spent any time having donuts and coffee with senior plant engineers. This is another flaw, and one that explains why this document suffers from an office IT bias.
CISA seems to have been tasked with being the “coordinator” and will “take the lead” in implementing the strategy. CISA, one must remember, is a hybrid agency created after merging the US-CERT with the US ICS-CERT (remember that agency?). Unfortunately the ICS part seems to have been pushed out of the limelight like the stepdaughter in the story of Cinderella. A similar allocation of the limelight (or lack of it) appears when reading the critical infrastructure parts of the strategy. This is getting to be a long article and I will not go deeply into the “how” measures in this brief review, but given a failure to understand “what needs to be protected” and “from what kinds of threats”, one should not be surprised that the mitigation measures in the execution phase will be even more flawed.
If they had asked me to participate in the drafting, I would have raised my hand at one point and suggested that instead of mentioning the baby monitor device they substitute the word PLC. I am sure I would get the annoyed or glazed looks I have seen before when working in a workgroup on a strategy document. The most positive result of such a suggestion would be a reply like this: “oh, it is not necessary to mention that term, it is implicit in the text when we talk about critical infrastructure”.
When I headed the task force that prepared the first approved (in October 2000) Military Defence Strategy of Lithuania for the Ministry of National Defence, our group used as a guide a method of answering the 3 security policy questions. It was hard work writing a document that was the first of its kind and sorely needed as Lithuania sought to become a member of NATO, which it did in 2004, but the method was useful. However, the method is not foolproof and requires a wide perspective to be effective. In the children’s story of the “3 Little Pigs” only one of the pigs did it right, including the threat from the wolf (in addition to the wind and rain) in his choice to build his shelter from bricks and not from straw and sticks.
Back in 2000 cybersecurity did not appear in our workgroup’s search for an answer to the second question (from what threats?). Even if cyber had been a consideration, I am sure the object of those threats would have been considered the IT assets in the home, office and government ministries, not the places where the electricity was being generated and distributed. However, in 2023, 13 years after STUXNET and the similar attacks that followed targeting the technologies used to monitor and control processes in critical infrastructure, there is no excuse or justification for treating such threats so superficially (threats to IoT in the form of “baby monitors” and “fitness devices”) and with so little understanding of what is being targeted by advanced persistent threat actors (the view and control of a physical process).
My last word of advice from someone who has worked on strategy documents for a small country to those working for a high-tech superpower: when seeking to protect the technologies that support modern economic activity, national security and well-being of your society from threats emanating from cyberspace – invite the engineers.
[1] https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
[2] http://scadamag.infracritical.com/index.php/2018/02/21/towards-cyber-safe-critical-infrastructure-answering-3-questions/
[3] Read for example this short article by Joe Weiss http://scadamag.infracritical.com/index.php/2023/03/12/the-national-cybersecurity-strategy-fails-to-address-fundamental-control-system-and-critical-infrastructure-issues/
[4] BTW the words “physics” and “chemistry” do not appear in the document ☹
[5] https://www.dragos.com/resource/stuxnet-to-crashoverride-to-trisis-evaluating-the-history-and-future-of-integrity-based-attacks-on-industrial-environments/
[6] https://www.federalregister.gov/documents/2020/05/04/2020-09695/securing-the-united-states-bulk-power-system
[7] https://www.plc-security.com/
[8] https://www.coe.int/en/web/cybercrime/the-budapest-convention
[9] Sadauskas, A., Inside Interpol's digital crime centre, Oct 21, 2015, https://www.itnews.com.au/news/inside-interpols-digital-crime-centre-410768
[10] I often refer to these 4 nations as belonging to the “list of usual suspects” from which blame is assigned whenever a serious cyber-attack occurs on critical infrastructure. This is inspired by a line said by police Captain Renault, played by Claude Rains, at the end of the WWII-era film “Casablanca”.
[11] https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf
[12] https://www.scor.com/en/expert-views/triton-cyber-attack-hackers-target-safety-systems-industrial-plants
[13] https://www.enseccoe.org/data/public/uploads/2018/10/v.butrimas-new-escalation-of-cyber-threats-to-critical-energy-infrastructure.pdf
[14] Other than one mention of the word “Transportation” in relation to “security administration”, there are no matches for the transportation infrastructure words “aviation, port, airport, railroad (rail is mentioned once), shipping”.
** For some comments about the resilience workshop see: https://www.linkedin.com/posts/activity-7040266388862590976-Yrfj?utm_source=share&utm_medium=member_desktop