Now the company can prioritize what it fixes by working through the results of the above analysis. Vulnerabilities with high/major impacts, where the capabilities to successfully exploit currently exist and are easy to use, should be fixed first.
The overall goal is to improve the security of the system, and the above methodology only uses the vulnerabilities and consequences—information that is most likely known—rather than needing threat information which is typically unknown. (This is information that is definitely unknown at the tactical level and often considered not detailed enough at the strategic level.)
Learning from Accidents
One other area where critical infrastructure companies can gather information they can use to convince senior executives to authorize the implementation of cybersecurity defenses is to examine real-world industrial incidents/accidents, and see if they can extrapolate a purely cyber scenario that results in the same consequences. For instance, most industrial accidents involve three legs, including a physical issue/problem,some form of human error, and a cyber issue, such as a cyber system not running, cyber system running, but on incorrect data, or a malicious cyber attack, which are currently rare.
For some industrial accidents, it is quite simple to extrapolate to a purely cyber vector to cause the same consequences as the original accident. However, this is normally done by considering two main assumptions. The first is that an electronic pathway exists from the targeted control system to the outside world. A disgruntled insider needs to be considered as well. The second assumption is that this electronic pathway is exploitable, and the likelihood of this is very high. You could simply assume a supply chain issue that allowed the adversary to implant his malicious access at an earlier stage.
I believe that by undertaking the above three efforts, any critical infrastructure company will have developed/acquired enough information to convince its senior executives that cybersecurity defenses must be implemented to ensure that the company can continue to carry out its mission safely, reliably and securely without needing tactical cyber threat information from the government before they are persuaded to act to adequately secure their control systems.
There is one arena where tactical actionable cyber threat information of a potential attack is needed prior to making decisions to implement basic cyber defense mechanisms. Mechanisms must be developed and deployed that allow information to be shared when an attack is occurring, which will allow companies not under attack to ramp up their defenses to prevent the current attack from succeeding. This assumes, however, that the companies have already implemented cybersecurity defense measures and have developed the plans and procedures to rapidly increase their cybersecurity defense posture.
The Bottom Line
Critical infrastructure companies should not depend on tactical cyber-threat information to deploy cybersecurity defense. Instead, they should consider that the cyber threat is "1," and focus on understanding their vulnerabilities and the consequences of a successful exploitation of them. Waiting for tactical cyber-threat information could delay critical them from examining their systems from a mission perspective and implementing appropriate defenses. The discussions concerning tactical cyber threats and the resulting expectations (and need for clearances for industry personnel) are primarily a distraction, and are being used to justify a lack of action for implementing cyber defenses. The government and the critical infrastructures need to get past this self-imposed roadblock.
Michael Peters is an energy infrastructure and cybersecurity advisor for the Federal Energy Regulatory Commission's Office of Electric Reliability. He specializes in analyzing cybersecurity issues, including those affecting control systems. This article is personal opinion and does not represent the opinion or position of the Federal Energy Regulatory Commission or the federal government.