Congressman Ro Khanna represents California's 17th District, the heart of Silicon Valley. On August 27th, 2018, I participated in Congressman Ro Khanna's Cybersecurity Roundtable. The panelists included Alex Stamos, ex-CISO of Facebook, now Adjunct Professor and Fellow at Stanford; Shamir Allibhai, CEO of Amber Video; Jennifer Geisler, Vice President of Marketing at ForeScout Technologies; Paul Hooper, Chief Executive Officer of Gigamon; Coleman Mehta, Senior Director of US Policy at Palo Alto Networks; Tim Hastings, Director of Consulting Services at FireEye; and myself. The panel was originally to be focused on cyber hygiene. After meeting with Congressman Khanna on Sunday morning, August 26th, critical infrastructure was added to the agenda. Cyber hygiene ended up being somewhat minimized. Effectively, the roundtable participants assumed that cybersecurity equaled network security. Network security is necessary but not sufficient to protect the control systems used in critical infrastructure, because the process sensors can be cyber vulnerable before the sensor data ever becomes packets on the network. The streaming for the roundtable can be found at https://www.facebook.com/RepRoKhanna/videos/219175025620730/
My short prepared presentation follows:
“Infrastructure and control systems are the “invisible visible”. They’re everywhere but you don’t notice them. Addressing the recent issues about hacking the electric grid, the US electric grid was designed more than 100 years ago. The grid has operated effectively, though not necessarily as efficiently as possible, since before there were Internet Protocol (IP) networks and Microsoft Windows Human Machine Interfaces (HMIs), which are maybe 15-20 years old. My mantra is: The grid can operate without the Internet but the Internet cannot operate without power.
The business systems the public interfaces with at electric utilities, water utilities, oil/gas companies, transit agencies, manufacturers, etc. were designed with cyber security in mind. The computer control systems that run power plants, substations, pipelines, manufacturing, rail, etc. were not designed with that same degree of cyber security. Securing your laptop or cell phone is important, but the technology and procedures you would use are not the same as for securing a power plant or water facility. The impact to society of your confidential information being compromised is different from loss of power, pipelines exploding like San Bruno, or loss of water to put out a fire.
What should be done to protect our way of life:
- Critical infrastructure should be part of all cyber security policy meetings with the knowledgeable control system people participating
- Owners should be directly responsible for reliability and safety of any critical infrastructure facility, large or small
- Credit ratings should reflect cyber risk and mitigation
- Engineers built and run these systems; they should be involved in securing them
- Critical infrastructure should be treated as if it is your own house…because it is”
Jennifer Geisler stated that ForeScout had commissioned Forrester Research to do a survey. The survey asked who was responsible for Operational Technology (OT) – control system networks. Nobody was accepting responsibility for securing OT. Additionally, more than 50% of respondents said they could tolerate a medium to high level of risk. I believe these responses reflect reality, but they are not consistent with many other surveys.
Congressman Khanna asked the following questions of the panel. You can hear the discussion on the link. I am adding my thoughts that were not part of the discussion.
- Is there a real election risk? Others responded.
- Will there be a Cyber Pearl Harbor? To me, a Cyber Pearl Harbor is not attacking one substation or plant but a coordinated attack on multiple critical infrastructure locations to cause major widespread damage. I mentioned there may be a Cyber Pearl Harbor, but because of the lack of control system cyber forensics we may not know it was cyber. Other panelists were focused on how hackers could get in but not on the overall impact. The other feeling is that a major country would not cause kinetic damage because of fear of kinetic reprisals.
- Social media – good or bad? Others responded.
- Facebook hearings - who should be making the rules? Panelists felt that other countries such as France and Germany are ahead of us because of the dysfunction and lack of coherent cyber security direction in the US. I don’t believe any country is adequately addressing cyber security of control systems.
My closing statement was that we need engineers to be involved along with cyber security experts. Also, the “CIA” paradigm - Confidentiality, Integrity, Availability - needs to be expanded to include the letter “S” for safety.