Cybergs sighted: course correction required for critical infrastructure protection

Engineer Scott, please report to the bridge immediately”

Frequently heard in some 1960’s era TV shows

Are we being encouraged to implement the right measures for protecting the technologies used to monitor and control physical processes found in critical infrastructure or have we hit a cyberg[1]? This is the question I asked myself when first reading an announcement from CISA.

The New Year is well underway along with increasing concerns for identifying and responding to cyber threats that can affect our economic activity, national security and well-being of our societies.  Several governments and institutions are coming out with initiatives and calls to action. One example, on January 18th the Cybersecurity and Infrastructure Security Agency (CISA) issued an activity report[2] “CISA INSIGHTS” with a call to “Implement Cybersecurity Measures Now to Protect against Potential Critical Threats.”[3] Critical threats that can “disrupt essential services” are not described in detail but the harm that can be caused by “web defacement” and “potentially destructive malware” are named.  The inspiration for focusing on web defacement and malware seem to have risen mostly from the then current events in Ukraine stemming from the RF annexation of a Ukrainian province in a hybrid war that has not stopped since 2014. The other possible motive is perhaps linked to the Colonial Pipeline malware/ransomware/disruptionware* caused shutdown of May 2021.  

In terms of malware, ransomware, is the class of malware or malicious cyber activity which is linked to causing “significant widespread damage to critical infrastructure”.  I ask myself “really”?  Associating WannaCry ransomware and the semi-ransomware called NotPetya (the ransom payment module did not work) with causing “significant, widespread damage to critical infrastructure” seems to be an exaggeration.  Some clarity could result from including examples of other incidents that did cause physical damage which could inform the reader about the context.  STUXNET, a cyber-attack weapon used against a nuclear enrichment facility in the M.E, and the cyber intrusion at a steel mill in Europe both resulted in physical damage.  The ransomware examples listed were damaging but the damage was mostly financial and business activity related.  No property was damaged in these nor (according to currently available information) has ransomware been directly blamed for lost lives.

The measures that CISA says *should* be urgently taken by senior leaders in “all organizations” are then presented in a brief bulleted list.  However, after reviewing the proposed urgent action list one can argue that it is heavily weighted toward addressing vulnerabilities found in office IT centric activities that are part of critical infrastructure operations but do not adequately address protecting the physical processes that are characteristic of those operations.

For example what is an industrial operator of say, a power grid, petrochemical plant, or water facility to make of the second proposed step: “ensure that all software is up to date, prioritizing updates that address known exploitable vulnerabilities”?   Can the critical infrastructure asset owner take the “urgent, near term” step of halting the generation and distribution of electricity to customers or stop the chemical processes of an oil refinery or water treatment plant in order to evaluate and field test a patch or upgrade for their industrial automation and control systems (IACS)?  This can be a tall order since there are days when CISA can issue up to 20 vulnerability bulletins for the manufacturer of a single piece of control equipment or software.  No advice (perhaps it was understood as not an issue by the authors) on how to evaluate and handle that amount of work and changes to schedules of industrial operations?  One can understand why some sr. plant engineers may “consider patching to be an unacceptable industrial risk”[4].

In a document that proposes active measures for protecting critical infrastructure it is strange that IT personnel are described as playing a very active, perhaps the key, role in implementing these measures.  For example the “organizations IT personnel” are tasked with disabling “all ports and protocols” that are not essential for business purposes” and in the case when the entity uses the cloud the IT personnel are then tasked with ensuring that the “strong controls outlined in CISA’s guidance” are reviewed and implemented. 

IT personnel is further tasked with identifying and assessing unexpected or unusual network behavior and to even “enable logging in to better investigate”.  Is this additional access to critical industrial operations a wise thing to do when we should be careful for isolating the industrial side from the business network? Is there not any need to also look at how the devices and sensors are working that perhaps are not on an IP network and communicate using RS-232 or baud rated modems? Can we assume that  IT personnel with this recommended additional access will spot an unusual process or data flow or anomalous equipment behavior on a fuel pipeline or its adjacent pumping station?  How also will an enterprise handle another “should” do insight to confirm that the entire organization’s networks are “protected by antivirus/antimalware software?  No caveats or cautionary language is used that would perhaps apply to industrial operations. For example any concerns about virus scanning on the operational side of a power grid or chemical plant?

Is it just me or isn’t it a little strange that the senior plant engineer of an industrial operation, who knows how it all runs and how some of these “should do” activities could cause unwanted harm, is not mentioned or included as a key actor in any of these “insights”?  Shouldn’t he or she have a say in which ports or protocols are to be disabled or which of those “strong controls” are to be implemented on those technologies used to monitor and control a physical process governed by the laws of physics and chemistry?

We must seek ways to avoid finding ourselves in reactive and ad hoc solution making mode.  Where is the long term comprehensive program that takes a more global view of the physical process and how to make it safer, reliable and resilient to cyber incidents and attacks?  Recently the International Society of Automation (ISA) released a White Paper: Implementing an Industrial Cybersecurity Program for Your Enterprise[5] by Gary Rathwell.  Discussed are ways to harmonize the IT and the Industrial Automation and Control Systems (IACS) of the industrial enterprise under the roof of a comprehensive program[6].  This is one way to move away from hurried reactive policies and instead go toward a more thought out and comprehensive pro-active policies.

This may perhaps be considered a harsh treatment of what I am convinced are well intentioned efforts by Governments to respond to the growing concerns for protecting an increasingly complex critical infrastructure.  The vital element supporting economic activity, national security and well-being of society, which has been increasingly targeted for disruption (with some demonstrated success) via cyber means over the past 12 years. A key element of the solution is still missing.  The good will and concern should be matched by a willingness to include the IT and the Industrial Operations side by side at the policy making table.  This is not a “should” but a “must” do issue if we are to come up with reality based measures that will result in the protection of identified critical infrastructure assets from identified threats in the most cost-effective way.


[1] http://cyberg.us/

[2] https://www.cisa.gov/uscert/ncas/current-activity/2022/01/18/cisa-urges-organizations-implement-immediate-cybersecurity

[3] https://www.cisa.gov/sites/default/files/publications/CISA_Insights-Implement_Cybersecurity_Measures_Now_to_Protect_Against_Critical_Threats_508C.pdf

[4] Heard this from one of my conversations with senior plant engineers responsible for industrial operations.

[5] https://gca.isa.org/implementing-an-industrial-cybersecurity-program-for-your-enterprise

[6] Discussed in the program are: 1. What is an IACS Cybersecurity Program, 2. Preparing an IACS Cybersecurity Program, 3. How IACS Cybersecurity program relates to IT Cybersecurity? 4. Presents costs and Benefits of an IACS Cybersecurity Program and 5. The way ahead.

*Spaniel, D., Weapons of Mass Disruption: An assessment of the Threat Disruptionware Poses to Energy Sector Continuity, ICIT July 2020, https://icitech.org/weapons-of-mass-disruption-an-assessment-of-the-threat-disruptionware-poses-to-energy-sector-continuity/

https://enseccoe.org/en

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is Co-chairman of ISA 99 Workgroup 13 that is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard.