The Cyberspace Solarium Commission was established in the John S. McCain National Defense Authorization Act for Fiscal Year 2019 to "develop a consensus on a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequences." The finished report was presented to the public on March 11, 2020. The report proposes a strategy of layered cyber deterrence and consists of over 80 recommendations to implement the strategy. There was an extensive study including over 300 interviews, a competitive strategy event modeled after the original Project Solarium in the Eisenhower administration, and stress tests by external red teams. The three deterrent layers are supported by six policy pillars that organize more than 75 recommendations.
The intent of the Solarium Commission is to prevent a cyber 9/11. There are several ironies to the report. The first is 9/11 was an attack to damage physical equipment and structures. Yet the report does not address the cyber issues that cause damage to physical equipment and structures. The preamble to the report by Peter Singer and August Cole entitled “A Warning from Tomorrow” is all about control system cyber attacks and states: “…The water in the Potomac still has that red tint from when the treatment plants upstream were hacked, their automated systems tricked into flushing out the wrong mix of chemicals…They have pumped out the floodwaters covering Washington’s low-lying area after the region’s reservoirs were hit in a cascade of sensor hacks.” Yet process sensors were not addressed in the Solarium Commission report. Ironically, the reason that control system-unique issues including process sensors were not addressed was an unanticipated consequence of 9/11. That is, following 9/11 cyber security was changed from a business issue where the engineers were responsible for cyber security of their systems to a national security issue where cyber security was taken from the engineering organizations and moved to IT (now Operational Technology-OT). This move severed the control system/engineering experts from the world of cyber security which is continuing to this day which has led to ignoring the integrity of the process sensors. The breach between the engineering and cyber security organizations must be repaired and neither the Solarium Report nor the CyberMoonshot program is addressing that breach by not requiring engineering management to be on an equal basis with the CISO in establishing control system cyber security policies.
As mentioned in my observations from the 2020 RSA Cyber Security Conference where both the Solarium Commission and CyberMoonshot were briefed without details, it was clear the reports were addressing IT cyber security concerns (https://www.controlglobal.com/blogs/unfettered/observations-from-the-2020-rsa-conference-control-system-cyber-security-is-being-discussed-but-still-with-misunderstandings/). After reading the Solarium Commission report, many technical issues about control systems and critical infrastructure cyber security also were addressed. However, many critical control system-unique cyber security issues were not adequately addressed. The technical issues that were missed could be because of the lack of clear definitions. For example, what is meant by the terms Internet of Things (IOT), Operational Technology (OT), control systems, and cyber incidents. From my experience, people coming from different backgrounds have their own definitions. It could also be because of the difference in perspectives between network security and operations, or what I call, “packets vs process”. As a result, this report and its recommendations will not prevent a cyber 9/11 affecting critical infrastructures because the control system-unique issues that could produce a cyber 9/11 were not adequately addressed.
Control systems consist of both field devices and networks that are not Internet Protocol (IP)-based and IP networks and associated Human Machine Interfaces (HMIs) with commercial-off-the-shelf (COTS) technologies such as Windows. The Solarium Commission report and recommendations are applicable to the control system IP network and COTS systems. However, there are tens of millions of Purdue Reference Model Level 0,1 devices (e.g., process sensors, actuators, drives, power supplies, etc.) installed in public and private facilities (this does not include IOT devices). The Level 0,1 process sensors are the input to IP networks yet have no cyber security, authentication, cyber logging capability, nor is there cyber security training for the control system engineers. These legacy Level 0,1 devices will continue to be employed in our critical and other infrastructures for the next 10-15 years. It is also unclear if new control system and plant equipment will have cyber security as part of the initial design. That is, hardware design features can become significant cyber vulnerabilities because the engineering organizations and the cyber security organizations have different design/operational requirements. Moreover, the gap between engineering and cyber security starts at the college level where engineering and security are separate departmental silos. The most critical cyber threats to our economy are the issues that can cause physical damage to the long-lead equipment used in commercial, industrial, transportation, and medical facilities. These issues are not direct cyber issues but use cyber remote access to manipulate physics, such as the Aurora vulnerability. Yet these types of attack were not addressed.
The Cyberspace Solarium Commission report consists of over 80 recommendations which are organized into 6 pillars. The pillars that affect control systems are included with my comments and recommendations in Italics:
1. Reform the U.S. Government's Structure and Organization for Cyberspace. While cyberspace has transformed the American economy and society, the government has not kept up. Existing government structures and jurisdictional boundaries fracture cyber policymaking processes, limit opportunities for government action, and impede cyber operations.
As noted by https://www.controlglobal.com/blogs/unfettered/an-open-letter-to-cyber-security-policy-makers-control-system-cyber-security-is-different-than-it-and-requires-an-understanding-of-issues-unique-to-control-systems/, the cyber policy making process needs engineering input throughout the policy-making process, top to bottom.
2. Strengthen Norms and Non-Military Tools. A system of norms, built through international engagement and cooperation, promotes responsible behavior and dissuades adversaries from using cyber operations to undermine American interests.
There are international standards on control system cyber security such as the ISA62443 series, but issues such as patch management for control systems are generally not addressed by cyber security policy makers. Where critical infrastructure, is being addressed, control system cyber security standards should be included.
3. Promote National Resilience. Resilience, the capacity to withstand and quickly recover from attacks that could cause harm or coerce, deter, restrain, or otherwise shape U.S. behavior, is key to denying adversaries the benefits of their operations and reducing confidence in their ability to achieve their strategic ends. National resilience efforts rely on the ability of both the United States public and private sectors to accurately identify, assess, and mitigate risk across all elements of critical infrastructure. The nation must be sufficiently prepared to respond to, and recover from an attack, sustain critical functions even under degraded conditions, and, in some cases, restart critical functionality after disruption.
For the next 10-15 years, control system Level 0,1 devices will be needed to accomplish these functions. However, Level 0,1 devices cannot be upgraded for cyber security and yet are the input for IP networks. .The lack of cyber security capabilities directly affects process safety and resilience. Maintaining resilience will require the ability to manually operate many control systems as the IP networks may not be trusted after cyber attacks such as what occurred following the Ukrainian power grid cyber attacks. Moreover, because of the lack of cyber forensics and training, it may not be possible to identify cyber equipment malfunctions as being cyber attacks such as with Stuxnet. Resilience may be questionable if you can’t trust what your measure. This means process sensor cyber security needs to be addressed.
4. Reshape the Cyber Ecosystem. Raising the baseline level of security across the cyber ecosystem—the people, processes, data, and technology that constitute and depend on cyberspace—will constrain and limit adversaries’ activities. Over time, this will reduce the frequency, scope, and scale of their cyber operations. Because the vast majority of this ecosystem is owned and operated by the private sector, scaling up security means partnering with the private sector and adjusting incentives to produce positive outcomes. In some cases, that requires aligning market forces. In other cases, where those forces either are not present or do not adequately address risk, the U.S. government must explore legislation, regulation, executive action, and public-as well as private-sector investments.
This is where the governance gap gets reinforced without engineering participation – see https://www.controlglobal.com/blogs/unfettered/an-open-letter-to-cyber-security-policy-makers-control-system-cyber-security-is-different-than-it-and-requires-an-understanding-of-issues-unique-to-control-systems/). Senior engineering management/operations need to be part of the cyber policy making process. There is a concern that raising the baseline security of new devices may directly or indirectly affect the operation of Level 0,1 control system devices. This needs to be addressed to minimize unanticipated consequences.
5. Operationalize Cybersecurity Collaboration with the Private Sector. Unlike in other physical domains, in cyberspace the government is often not the primary actor. It must support and enable the private sector. The government must build and communicate a better understanding of threats, with the specific aim of informing private-sector security operations, directing government operational efforts to counter malicious cyber activities, and ensuring better common situational awareness for collaborative action with the private sector. While recognizing that private-sector entities have primary responsibility for the defense and security of their networks, the U.S. government must bring to bear its unique authorities, resources, and intelligence capabilities to support these actors in their defensive efforts.
The government uses the same control systems and Level 0,1 devices as the private sector meaning the government will have the same issues. As the government is a significant customer of instrumentation and control system vendors, the government can influence the need to upgrade cyber security in these critical devices.
There are many specific issues identified in the report such as the need for patching and multi-factor authentication which may not be able to be employed in a control system environment as they can in an IT environment.
In Section 3, there were discussions about risk from a sector perspective such as bulk power and electric distribution systems, interstate oil and natural gas pipelines, and water supplies. Each were treated as separate critical sectors. However, each of these sectors, as well as all other industrial, manufacturing, and transportation sectors use similar control system equipment from a limited set of control system suppliers both as original and replacement equipment. Consequently, the control system supplier supply chain should be considered as its own cross-industry sector.
In Section 4.1.1, there are discussions of control system issues. They include Product Certifications and Attestation. This is relevant for certifying an “individual box” but is very difficult to do in a control system environment that is a “system of systems” including workstations, control system devices, device level and IP communication protocols, maintenance devices, etc. any of which can compromise the entire system. There was a description of A Center for Connected Industrial Control Systems which would include testing the security of connected programmable logic controllers, supervisory control and data acquisition (SCADA) servers and systems, and other connected industrial equipment. This is definitely important. My question is what will this new center do that isn’t currently being done at INL? Or for that matter, will the new center address what hasn’t been done which is to address the Level 0,1 devices? As these devices have no cyber security, there is a need to develop the appropriate testing and assessment methodologies for cyber “insecureable” devices. That is important because the cyber security of these devices continue to be ignored by DOE, DHS, the National Laboratories (except for one), and others. In fact, it is these devices that directly affect safety, reliability, and resiliency, do not need an IP network to compromise them, and can directly cause a cyber 9/11. Moreover, a focus was IOT which is really “fitbits and refrigerators”, not “pipelines and powerplants”.
The Solarium Commission report established steps to prevent a cyber 9/11. Despite the extensive efforts expended on interviews, the identified control system gaps demonstrate the review process was not sufficiently comprehensive. Part of that can be due to the lack of precise definitions of key terms such as control systems, IOT, cyber incidents. Digital or analog, the control system-unique issues are important as they are the underlying basis for our economy for reliable, safe, and resilient systems. Yet, the most important unaddressed cultural issue was the need to have engineering management on an equal basis with the CISO in establishing control system cyber security policies. Because of this omission, it is not possible to assure that a cyber 9/11 will not occur.
Joe Weiss
