The second perspective is from a traditional vulnerability assessment/evaluation arena. The critical infrastructure companies need to examine their systems looking for vulnerabilities. They then need to determine the consequences/impacts to the company's operations and to their customers of a successful exploitation of the vulnerability. They need to determine the capabilities that are necessary in order to successfully exploit the vulnerability and cause the identified consequences. Then the last facts that should be determined are whether the capabilities needed to successfully exploit the vulnerability currently exist, and whether these capabilities are easy to use. Finally, the company needs to determine how to mitigate the vulnerability identified and to minimize the impact of a successful exploitation. The company should also answer all of these questions for the scenarios developed by its internal tiger team.
Now the company can prioritize what it fixes by working through the results of the above analysis. Vulnerabilities with high/major impacts, where the capabilities to successfully exploit currently exist and are easy to use, should be fixed first. Vulnerabilities with minimal impacts and where the capabilities to successfully exploit them don't currently exist would, therefore, be of a lower priority and would only be addressed after the vulnerabilities that are at a higher priority level have been fixed. This shouldn't be a difficult process, as it is similar to ones being used today to determine how to prioritize/handle reliability or safety issues.
The overall goal is to improve the security of the system, and the above methodology only uses the vulnerabilities and consequences—information that is most likely known—rather than needing threat information which is typically unknown. (This is information that is definitely unknown at the tactical level and often considered not detailed enough at the strategic level.)
Learning from Accidents
One other area where I believe that critical infrastructure companies can gather information that they can use to convince senior executives to authorize the implementation of cybersecurity defenses is to examine real-world industrial incidents/accidents and see if they can extrapolate a purely cyber scenario that results in the same consequences. For instance, most industrial accidents involve three "legs": 1. Some sort of physical issue/problem; 2. Some form of human error; 3. Some form of cyber issue (cyber system not running; cyber system running, but on incorrect data; or malicious cyber attack (currently rare)).
For some industrial accidents, it is quite simple to extrapolate to a purely cyber vector to cause the same consequences as the original accident. However, this is normally done by considering two main assumptions. The first is that an electronic pathway exists from the targeted control system to the outside world. (Note: a disgruntled insider needs to be considered as well.) The second assumption is that this electronic pathway is exploitable, and again in my experience, the likelihood of this is very high. Or you could simply assume a supply chain issue that allowed the adversary to implant his malicious access at an earlier stage.
I believe that by undertaking the above three efforts, any critical infrastructure company will have developed/acquired more than sufficient information to convince its senior executives that cybersecurity defenses must be implemented in order to ensure that the company can continue to carry out its mission safely, reliably and securely without needing tactical cyber threat information from the government before they are persuaded to act to adequately secure their control systems.
Now while I believe that tactical actionable cyber threat information of a potential attack is not needed prior to making decisions to implement basic cyber defense mechanisms, there is one arena where it is needed. Mechanisms must be developed and deployed so that information is shared when an attack is occurring that will allow companies not under attack to ramp up their defenses to prevent the current attack from succeeding. This assumes, however, that the companies have already implemented cybersecurity defense measures and have developed the plans and procedures to rapidly increase their cybersecurity defense posture.
The Bottom Line
I believe that critical infrastructure companies should not depend on tactical cyber threat information to deploy cybersecurity defense mechanisms. Instead, the companies should consider that the cyber threat is "1" and focus on understanding their vulnerabilities and the consequences of a successful exploitation of those vulnerabilities. Waiting for tactical cyber threat information could delay critical infrastructure companies from starting to examine their systems from a mission perspective and implementing cyber defenses that help to ensure that they can continue to operate their missions safely, reliably and securely. The discussions concerning tactical cyber threat and the resultant expectations (and of course, the resultant need for clearances for an expansive number of industry personnel) are primarily a distraction and are being used to justify a lack of action for implementing cyber defenses. The government and the critical infrastructures need to get past this self-imposed roadblock.
1About the Author
Mr. Michael Peters is an Energy Infrastructure and Cybersecurity Advisor for the Federal Energy Regulatory Commission Office of Electric Reliability. He specializes in analyzing cybersecurity issues, including those affecting control systems, and is instrumental in FERC's cybersecurity oversight of the electric industry. Prior to joining FERC in 2006 he spent ~23 years at the National Security Agency dealing with information operations/ information warfare issues. He is frequently requested to participate and speak at various conferences dealing with critical infrastructure and cyber security. This article is personal opinion and does not represent the opinion or position of the Federal Energy Regulatory Commission or the federal government.