Widespread global awareness of threats to information systems (IS) has led government and business to focus significant attention and resources on IS cybersecurity. The same cannot be said regarding industrial automation systems, where there is an urgent need to focus on the cyberprotection of critical industrial control systems.
The U.S. Department of Homeland Security has been a thought leader in this area. Its cyber ecosystem concept calls for a comprehensive approach to protect critical infrastructure going beyond traditional network and information security methodologies. The ecosystem links five activities: prevention, detection, response, recovery, and information sharing. Prevention includes built-in security, risk-based data management, and the use of trusted spaces. Detection and response form a dynamic defense to monitor behaviors and respond to potential attacks with automated defensive actions. After responding to an attack, ecosystem recovery processes execute largely automated actions to restore essential capabilities. All these activities are tied together through internal and external automated information sharing.
Although the potential impact of cyberattacks, such as Stuxnet and Idaho National Lab’s experimental destruction of a power generator, is known through news stories, it still has not garnered significant attention from policymakers or industry. A recent workshop held at the Cyber Innovation Center in Bossier City, La., found that professionals find it difficult to envision the implications of an automated system protection failure. Key decision makers prefer to expend limited resources on attack prevention. Most believe that money spent in other areas detracts from this priority, and it is not necessary if the preventive measures are successful.
This perception is difficult to change. Most threats are defined in terms of their attack vectors, and security professionals are very familiar with the commercial solutions designed to defeat these attacks. This is a one-dimensional understanding of the problem. Another view is to assess the value of potential targets (in military parlance, centers of gravity) or to analyze the likely intended effects of attacks from a mission or business process perspective. The former lends itself to a variety of proactive defense approaches, while the effects view is the basis for developing resiliency processes to limit the effectiveness of attacks. Commercial products are available to support both approaches, but their capabilities are not widely known among cybersecurity professionals.
Addressing cyberprotection requires a sense of urgency among cybersecurity, industry, and government leaders. Proactive defense and resiliency solutions require extensive coordination between these groups. Systems maintenance and security professionals must develop a better understanding of the business lines they support, and business executives must better understand the challenges of operating automated systems in contested environments.
Workshop participants coalesced around several key recommendations. First, expect cyberspace to be degraded: design processes to remain effective when bandwidth is limited. Second, balance system maintenance ease with diversity and redundancy to enhance survivability and build recovery capacity. Third, implement rules to reduce network noise so detection processes can operate more effectively. Fourth, leverage inherent resiliency opportunities: integrate protective measures across the operational, logical, physical, and infrastructure networking levels. Fifth, provide a means to insert human decision making in automated response and recovery control loops. Finally, develop a risk management approach that balances resource allocations across the entire cyber ecosystem: protection, detection, response, and recovery.
This takes teamwork! Everyone involved has a critical role in the protection of industrial automation systems. Developers must eliminate vulnerabilities with a combination of hardware controls and software assurance. Threat analysts must seek information on attack vectors and develop a situational understanding of the intentions and behaviors of potential threat actors. Network and process designers must demand resiliency and diversity among critical systems, implementing controls and audits to detect potential issues before they become crises. Finally, operators of automated systems must implement business processes that support the professionals that maintain and secure these systems. Leadership is critical to implement these cultural changes.
Action is essential. Fortunately, there are many organizations available to provide assistance, including the Cyber Technology and Information Security Laboratory at the Georgia Tech Research Institute that uses expertise in systems engineering, signals, and other technology areas to create resilient control solutions for operations in contested environments and to help industry safeguard the nation’s critical infrastructure. ISA’s cybersecurity standards and programs are also a valuable resource.