I attended the Atlantic Council’s 8th Annual International Conference on Cyber Engagement on April 23rd. This was a policy, not technical, conference. As an engineer, I found the discussions fascinating, but many of them were hard to apply to a control system environment. The term “Operational Technology – OT” was used liberally without a clear understanding of what it means. There appeared to be an appreciation that the power grid and other “SCADA” applications were at risk from cyber attack. However, the discussions were about the security of the networks, not the actual control systems and control system field devices that directly impact the reliability and safety of the grid. As best as I could tell, very few “practicing” engineers attended. The Atlantic Council should consider having more engineers participate to support the policy makers on the technical issues underpinning policy.
I participated in a panel session – “IOT & Operational Technology Cyber Implications” with Robert Huber, Chief Security Officer, Tenable (moderator), The Hon. Karen Evans, Assistant Secretary, Office of Cybersecurity, Energy Security, and Emergency Response, US Department of Energy, Ronald Hahn, Executive Vice President, Strategic Growth, AECOM, Ms. Reiko Kondo, Director, Office of the Director-General for Cybersecurity, Ministry of Internal Affairs and Communications, Japan, Dr. Jarno Limnéll, CEO, Tosibox Ltd; Professor, Aalto University (Finland), Jeanette Manfra, Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency, US Department of Homeland Security, and myself.
Enclosed are my prepared remarks:
“I am a control systems engineer that entered the world of cyber security. I deal in facts and physics. Securing the networks is necessary but not sufficient to secure control systems. That is because the grid can work without the Internet, but the Internet cannot work without power. Consequently, control system cyber security was about keeping lights on, not networks up. The concern was that if you damage equipment, you can kill people and cause VERY long term outages of months to years, which is why engineers were involved in the design and operation of the grid. However, post 9/11 neither engineers nor engineering systems were involved, which is why there is no cyber security in our process sensors, actuators, or drives. Ironically, this means there is no cybersecurity where you go “boom in the night”.
Following 9/11, the focus moved from protecting systems to protecting networks. Compromising networks generally leads to outages of hours to days, if that. As an example, a US utility SCADA system was targeted and compromised. The utility lost SCADA for 2 weeks and required 4 man-months to recover, but didn’t lose power. The 2015-16 Ukrainian power grid attacks were outages of hours as there was no engineering equipment damaged. These outages were expensive but not catastrophic.
The Aurora vulnerability in 2007 was a sea change. It demonstrated you could cause physical damage to equipment by simply remotely opening and closing breakers and letting physics do the rest – no malware. The Aurora vulnerability can bring the grid down for 9-18 months as long-lead engineering equipment is damaged. This can’t be found from network monitoring.
Stuxnet in 2010 was also a sea change. This was hacking to damage equipment and make it look like the damage was from mechanical malfunctions. In this case, these were Siemens systems.
What changed even further was the 2017 Safety System cyber attack in Saudi Arabia. The safety systems were Triconex (Schneider-Electric) which means every control system vendor is vulnerable. This attack was targeted to blow up the plant. When the plant tripped (unscheduled, emergency shutdown) in August 2017, sophisticated malware was found. It was scary to find that malware was developed to attack a safety system but it was found before it could do any real harm. However, the plant initially tripped in June 2017 and no one knew it was cyber as OT did not identify malware in the networks and there was no malware in the engineering safety modules that tripped the plant. It was not possible to detect a malicious cyber attack even when it tripped a plant. What does that mean to cyber security policy and regulations that assume a cyber attack will be readily detectable after causing a plant trip?
A data center was hacked from the Uninterruptible Power Supply (UPS) damaging all servers. This was not identified from network monitoring. The data center was not a traditional industrial facility but a commercial building demonstrating that control system cyber security is not just an industrial issue.
The real gap is not the IT/OT divide but packets versus process. That is the networking community and the process/safety engineers are still not talking. This gap extends all the way through the executive levels. What does that say about the cultural and technological progress in securing the most critical systems?”
Observations from the panel discussion:
There were about 200 attendees at this session. There were discussions about the “size of IOT”. I did a walkdown of a utility scale solar plant. This plant had over 2 MILLION solar panels, each with a sensor and inverter, as well as banks of solar panels controlled by Programmable Logic Controllers (PLCs). There was no cyber security in any of the sensors or inverters, in the sensors in the solar panels, or in the transformers that converted the output of the solar panels to high voltage for the transmission grid. The number of sensors in this plant was like having a sensor on every lump of coal going into the boiler of a fossil plant.
DOE’s Karen Evans brought up the advanced manufacturing initiative by DOE. If you can’t trust your sensors, advanced manufacturing is at risk just as any other process.
There was a question about standards. I believe the ISA99/IEC 62443 series of standards are the most appropriate standards for control systems in any application. Unfortunately, there has been little participation by the electric and nuclear utilities. In addition, there are currently no standards that directly address the tens of millions of legacy control system field devices and low-level sensor networks where there is no cyber security and cyber security cannot be backfit.
There were discussions about vulnerability assessments. Because the control system field devices have no cyber security, vulnerability assessments do not apply to these devices; they require appropriate risk assessments instead.