Sometimes giving a speech is better than issuing a memorandum

“I believe that this nation should commit itself to achieving the goal, before this decade is out, of landing a man on the moon and returning him safely to the earth. No single space project in this period will be more impressive to mankind, or more important for the long-range exploration of space; and none will be so difficult or expensive to accomplish.” – President Kennedy’s special message to Congress on urgent national needs, May 25, 1961 [1]

When I first read the July 28th National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems[2] my thoughts for some reason returned to the then U.S. President Kennedy’s speeches that set a national goal for putting a man on the moon within a decade.  One was made before Congress in 1961 and another one was made at Rice University in September 1962[3].

The July 28th memorandum issued by the current administration compares poorly with Kennedy’s speeches.  They are both examples of the top-down approach, which declare the goals to be achieved.  Governments are good at this but they do not often do well in understanding the realities that will influence whether the goal will be achieved or not.  Even though an executive declaration cannot be too technical in nature, it still must have enough technical and organizational basis to be understood by those at the lower levels tasked with achieving the set goal.

In the Biden memorandum, the first question that needs to be asked is, what is to be protected?  From the text, we find that the object is “United States’ critical infrastructure”.  This to many will sound quite vague and one may further ask “what is included in critical infrastructure?”.  However, this is easily remedied with a footnote to a document that has the list and some of the objects are even mentioned further into the text. We will return to the what to protect question later but now let us look at the next question that needs to be answered in order for the lower levels to start working toward the goal.

The next question is “What are the threats” to critical infrastructure?  In the memo, we can just find a vague reference to “malicious activity”.  How should someone tasked with implementation look at that?  One can guess that since the memorandum has the word “cybersecurity” in its title then malicious activity such as breaking and entering to a remote substation or pumping station is not included since these are not cyber activities.  Since we know this is about cyber threats we must ask ourselves which among the wide spectrum of threats we should focus on.  Perhaps the recent Colonial Pipeline incident will pop up first.  It is an energy sector issue that seems to be a priority.   However, there are issues to work out in developing a program there as well.  For example should the focus be on protective measures to protect the data and information contained in the IT found in the enterprise/office from ransomware?  However, should there not be also an equal and perhaps larger effort to review and mitigate any vulnerabilities in the operational side of the pipeline’s operations.  Yes, this side was not affected by the ransomware but if the controls systems used to monitor and control the physical processes involved in pumping and distributing fuel down a pipeline were damaged, recovery operations would have taken far longer than a week to bring a 5000 mile pipeline back to service.

Ok, one can say that these questions can also be worked out with the help of the designated responsible institutions such as U.S. DHS tasked with issuing “sector specific c.i. cybersecurity performance goals” (also vague but assume they will be announced in due course) and coordinating the work.

The next question an implementer may ask is “how should I do this”?  This is the place where the memorandum comes closest to the details and also opens the possibility for missing part of the desired goal.  Three main efforts are listed:

“encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks.”

“share threat information for priority control system critical infrastructure”

“implement the principles and policy outlined in this memorandum.”

Let us look at each one.  The first indicates that the main thrust behind the efforts will be networked based.  Seems like a quick win since everything is connected to the network right?  Yes, much can be learned by analyzing the data and looking for anomalous behavior on the network.  But what about the things not connected to the “network” or are on other “must be segmented” networks that belong to safety instrumented systems? What about the devices that may experience a degradation in performance during a network scan or run of an anomaly detection system?  Then we must consider that many physical operations will continue to do something even if the network and the IT in the enterprise is lost.  Think of the darkness in the control room of the Fukushima Power Station after the earthquake and tsunami.

The next “how” is the sharing threat information.  This is almost a buzzword in cybersecurity today. We must share this information but there are many who are reluctant to share for various reasons.  That is to miss the point.  An industrial operation, even if given notice of a coming attack or being informed about a vulnerability may not be able to react and mitigate in time.  It can take months to address an issue since application of a mitigation to a real-time industrial system may require a plant shutdown or extensive laboratory testing before the mitigation can be implemented. Lastly, we should not assume that the industrial operation has the cybersecurity capacity in terms of an industrial SOC or trained personnel monitoring the industrial side for “malicious activity”.  Think of the cyber-attack on the SIS of a Saudi petrochemical plant in 2017 where after the 2nd plant shutdown and after the affected SIS was given a clean bill of health by the manufacturer, outside experts (Austrialia) were called in to investigate what was discovered to be an on-going cyber-attack of several months duration.

The last “how” on the list sounds too opaque for me to comment but for the word “policy” that appears in the sentence.

The policy part is the key to understanding the shortfalls of the memorandum when compared to President Kennedy’s speech quoted above.  Unlike the memorandum the President’s speech issued a clear goal: to put a man on the moon and return him safely to earth before the end of the decade.  This was the top-down approach but in this case the how was much clearer.  There was a space program and an institution of expertise (NASA) tasked with implementing it.  The President did not explicitly state how the goal was to be achieved.  He did not say use a canon to fire the capsule into space like Jules Verne or as the memo indicates focus on protecting the networks. He instead gave this task to the engineers to figure out.  It was the expertise of the engineers and all of the other specialties in a public-private partnership under NASA which thought out the problems involved with space flight and developed the means to achieve the goal.

It is my opinion that something similar in scope is required to protect the critical infrastructure vital to modern economic activity, national security and well-being of society.  Instead of the “feel good” but piecemeal activities delineated in the memorandum (“baseline security goals”), we should be reviewing system architectures (especially in the light of the Colonial Pipeline incident) in the framework of a Corporate Cybersecurity Program that fully integrates and manages the mischief behind all the IT that is seeping into every aspect of operations with the safety, integrity and reliability requirements of an industrial operation governed by the laws of physics of chemistry. There is a lot of hard work ahead of us as President Kennedy clearly described in setting a moon challenge for the nation in 1961.  Protecting C.I. is possible to achieve. It is after all a problem of computer science and process engineering. But it will not be solved with a memo.




NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is Co-chairman of ISA 99 Workgroup 13 that is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard.