On February 23-24, the National Academies of Sciences, Engineering, and Medicine hosted one of its GUIRR Roundtables, which convene senior-most representatives from government, universities, and industry. The topic was Critical Infrastructure Security: The Role of Public-Private Partnerships. See agenda: http://sites.nationalacademies.org/pga/guirr/meeting/index.htm.
I was privileged to give the keynote presentation, titled Cyber Security of Industrial Control Systems: What It Is and What Is Actually Happening. My presentation was well-received, with many questions. Although the attendees were well-versed in cyber security and cyber policy, they were much less familiar with the state of ICS cyber security. They were generally surprised by the prevalence of ICS cyber events and my case histories. They were unaware of the significant holes in the NERC Critical Infrastructure Protection (CIP) cyber security standards, which leave the US electric grid vulnerable to the same attacks and blackouts which struck Ukraine in December 2015. They were stunned to hear that the electric utility and nuclear plant operators are not required to remove malware from their systems—a glaring omission given that the BlackEnergy malware used to scan the Ukrainian grid has also infected the US grid. The audience was astonished to hear that in 2014, DHS had declassified a highly specific “hit list” of US critical infrastructure vulnerable to an Aurora attack. As an aside, there were no attendees from electric utilities or organizations.
A series of panel sessions took place on day two. My key takeaways were:
- Although most discussions focused on traditional IT issues, my keynote provoked a recognition that critical infrastructure and ICS must also be addressed.
- The discussions of interdependent vulnerabilities focused on industries. For example, almost all industries depend on the electric power industry, which in turn depends on the telecom industry, and so forth. However, the increasing standardization of ICS vendor equipment creates another kind of interdependency, in which all industries are vulnerable to concurrent attacks on particular equipment. This new interdependency is not receiving enough attention.
- Critical infrastructure is not being addressed in any pending cyber security legislation. After trying and failing in 2011, Congress is apparently not ready to try again.
- The DHS Deputy Assistant Secretary discussed supposedly “successful” DHS-industry interactions, including information sharing. He was unaware that the DHS continues to schedule ICSJWG meetings in conflict with other major industry meetings. (For example, the May 2016 ICSJWG meeting in Scottsdale overlaps the Offshore Technology Conference in Houston.) Either DHS is oblivious or indifferent: I am not sure which is worse. Additionally, DHS’ Aurora declassification has engendered mistrust in industry circles.
- GE’s Matt Bohne offered thoroughly misguided praise of the Nuclear Information Technology Strategic Leadership (NITSL) group, for supposed achievements in US nuclear plant cyber security. In fact, the nuclear industry has been very slow to adopt ICS-unique cyber security measures. Further, the nuclear industry, including NITSL, has stubbornly distanced itself from the vastly more experienced non-nuclear community.
Hopefully, the message about ICS cyber security is making its way into the mainstream cyber security community and key policy makers.