Widespread global awareness of threats to information systems (IS) has led government and business to focus significant attention and resources on IS cybersecurity. The same cannot be said regarding industrial automation systems, where there is an urgent need to focus on the cyberprotection of critical industrial control systems.
The U.S. Department of Homeland Security has been a thought leader in this area. Its cyber ecosystem concept calls for a comprehensive approach to protect critical infrastructure going beyond traditional network and information security methodologies. The ecosystem links five activities: prevention, detection, response, recovery, and information sharing. Prevention includes built-in security, risk-based data management, and the use of trusted spaces. Detection and response form a dynamic defense to monitor behaviors and respond to potential attacks with automated defensive actions. After responding to an attack, ecosystem recovery processes execute largely automated actions to restore essential capabilities. All these activities are tied together through internal and external automated information sharing.
Although the potential impact of cyberattacks, such as Stuxnet and Idaho National Lab’s experimental destruction of a power generator, is known through news stories, it still has not garnered significant attention from policymakers or industry. A recent workshop held at the Cyber Innovation Center in Bossier City, La., found that professionals find it difficult to envision the implications of an automated system protection failure. Key decision makers prefer to expend limited resources on attack prevention. Most believe that money spent in other areas detracts from this priority, and it is not necessary if the preventive measures are successful. This perception is difficult to change. Most threats are defined in terms of their attack vectors, and security professionals are very familiar with the commercial solutions designed to defeat these attacks. This is a one-dimensional understanding of the problem. Another view is to assess the value of potential targets (in military parlance, centers of gravity) or to analyze the likely intended effects of attacks from a mission or business process perspective. The former lends itself to a variety of proactive defense approaches, while the effects view is the basis for developing resiliency processes to limit the effectiveness of attacks. Commercial products are available to support both approaches, but their capabilities are not widely known among cybersecurity professionals.
Addressing cyberprotection requires a sense of urgency among cybersecurity, industry, and government leaders. Proactive defense and resiliency solutions require extensive coordination between these groups. Systems maintenance and security professionals must develop a better understanding of the business lines they support, and business executives must better understand the challenges of operating automated systems in contested environments.
Lieutenant General Robert Elder (USAF, retired) joined the George Mason University faculty as a research professor with the Volgenau School of Engineering following retirement from the Air Force. He also serves as a senior advisor to the Georgia Tech Research Institute and the Cyber Innovation Center. Elder was the first commander of Air Force Network Operations and led the development of the cyberspace mission for the Air Force. He holds a doctorate of engineering from the University of Detroit.