Differences in opinion and perspectives on control system cyber security

James (Jim) Lewis is the Senior VP and Program Director for the Center for Strategic and International Studies - CSIS. I testified with Jim March 19, 2009 before the Senate Committee on Commerce Science and Transportation. Jim’s focus then, and continues to be, an IT focus on confidentiality of information. His view of a cyber incident is the traditional view of your connected to the Internet, using Windows, and somebody is trying to steal or compromise data. In fact, Jim described cyber as a “weapon of mass nuisance”.

 My focus then, and continues to be, reliability and safety of physical processes. With physical processes, you can’t hide impacts such as pipes breaking, trains crashing, or lights going out (these have all occurred from cyber-related incidents). The difficulty is trying to identify if the incident is cyber-related and then if it malicious (whether targeted or not such as being affected by malware targeting Windows). With the Australian waste water attack, the first 20 times the attacker remotely opened the sewage discharge valve, the utility felt it was a mechanical or electrical failure. Stuxnet is another example where equipment damage was not identified as being cyber-related for well over a year. Often, the only difference between a malicious attack and an unintentional cyber incident is motivation which can’t be measured. The 2008 Florida outage is an example where the only difference between a cyber incident being malicious or unintentional was the motivation of the engineer in the substation. What’s more, even if the event is unintentional, generally it can also be done maliciously and it would be difficult to tell the difference. I follow the NIST definition of a cyber incident which is electronic communication between systems that impacts either confidentiality, integrity, or availability (unfortunately the definition doesn’t address safety). The NIST definition makes no mention of a cyber incident having to be malicious. Consequently, it doesn’t matter whether a cyber incident is malicious or not, people can die and catastrophic damage can occur.

Jim wrote the article “Fighting the Wrong Enemy, aka the Stalemate in Cybersecurity”  https://www.thecipherbrief.com/column/expert-view/fighting-the-wrong-enemy-aka-the-stalemate-in-cybersecurity?utm_source=Join+the+Community+Subscribers&utm_campaign=930597d73f-TCB+November+27+2017&utm_medium=email&utm_term=0_02cbee778d-930597d73f-122471541.  

According to Jim (my comments in Italics):

“...despite all the attention, cyberspace is far from secure. Why this is so reflects flawed technologies and conceptual weaknesses. The result is institutionalized stalemate.” I agree with Jim.

“Two questions highlight shortcomings in the discussion of cybersecurity. The first is why, after more than two decades, we have not seen anything like a cyber Pearl Harbor or cyber catastrophe.” There have been many catastrophic failures that were cyber-related and killed people (more than 1,000 deaths to date). However, there are minimal cyber forensics to identify the events as being cyber attacks and a reticence to identify physical damage as being cyber-related.

“The second is why, despite the increasing volume and quantity of recommendations and dire warnings, there has been so little progress”. This gap is even more pronounced for control systems.

“Our most dangerous opponents in cyberspace are states, two of which – Russia and North Korea – use cybercrime as a tool of state power. We can dismiss the idea that terrorist or non-state actors will launch massive and damaging cyber attacks.” It doesn’t require nation-state technology or expertise to impact control systems unless non-detectability or lack of attribution is important. Aurora is an example of an event that doesn’t require nation state attack tools and yet can have devastating consequences including shutting the grid for 9-18 MONTHS. Furthermore, DHS has declassified the Aurora information and it is on various hacker websites. Iran is also aware of the lack of cyber security in Level 0,1 devices.

 “The effect of “cyber attack” is exaggerated. There have been no deaths, little destruction, and the aggregate cost has been minimal. The actions of greatest concern have involved espionage, crime and political coercion – not attacks on critical infrastructure.” There have already been more than 1,000 control system cyber incidents to date. They have impacted electric grids, power plants including nuclear plants, water and wastewater facilities, pipelines, chemical plants, manufacturing plants, transportation, etc. Conservatively, there has been more than $50Billion in direct impacts and more than 1,000 deaths to date.

Joe Weiss