On May 12, 2021, President Biden issued Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. I am happy that cybersecurity is recognized at the Presidential level. However, I am disappointed the EO did not address the unique issues associated with control systems. The EO states: “The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).” That sentence was encouraging until you realize the term Operational Technology (OT) is mentioned three times in the 18 pages while the terms SCADA, Industrial Control Systems (ICS), control systems, and cyber-physical systems are not used at all. The term Internet of Things (IoT) is used, but for consumer product applications, not industrial applications. Reading the EO, it was evident that either no CONTROL SYSTEM cyber security experts participated or their input was not used.
Critical infrastructure cybersecurity is not new - it was first addressed by Presidential Decision Directive (PDD) 63 in 1998. Part of the reason control systems have gone unaddressed over the past 20+ years may be the lack of domain engineering participation in cyber security as the field has transformed from an engineering issue of “keeping the lights on and the water flowing” to one of keeping networks secure to the exclusion of the process – the tail is wagging the dog. This can be seen in universities: most teach cyber security without requiring an introduction to engineering, and engineering disciplines teach engineering without requiring an introduction to computer security. This lack of cyber security training for control system engineers has left engineers unable to recognize upset events as potentially being cyber-related. My database, which is not public, includes almost 12 million control system cyber incidents that have caused more than $90 billion US in direct damage and killed more than 1,500 people, yet most were not recognized as being cyber-related because there are minimal, if any, cyber forensics at the control system device level.
The EO is focused on malicious cyberattacks, as that is the focus of the IT community. For the control system community, unintentional cyber incidents are also important, but they are not included in the cyber incident definition the EO refers to. That becomes even more of a concern when a sophisticated attacker makes a cyberattack look like an equipment malfunction. As a result, attacks such as Stuxnet, which was designed to appear as an equipment malfunction rather than a cyberattack, would not be addressed by the EO. That is obviously a gap that can be exploited.
I am not alone in my concerns about the EO not adequately addressing control systems. Vytautas Butrimas is the Subject Matter Expert at the NATO Energy Centre of Excellence in Vilnius, Lithuania. He is not an engineer but a "convert" to the need to secure control systems and to the view that control systems are different from IT. He has also reviewed the cyber security of pipelines in Europe as part of his NATO position. He wrote a blog for SCADASec on May 16, 2021 (https://scadamag.infracritical.com/index.php/2021/05/16/policy-makers-these-days-give-peculiar-names-to-what-they-are-protecting/). According to Vytautas, “Thinking about the Colonial Pipeline incident on May 7th and the recent Executive Order coming out in less than a week reminded me of ‘Abbott and Costello’.”
There are some general concerns that need to be addressed. However, rather than go line-by-line through the EO, I thought the better way to demonstrate the EO’s limitations would be to take a number of actual control system cyberattacks that could have devastating impacts on US federal facilities as well as the US economy and identify where the EO falls short in addressing them. In fact, at least one of the cases occurred in a US federal facility. As mentioned above, I am not including examples of unintentional control system cyber incidents, which the EO also would not address.
General concerns:
- The EO states the Federal Government contracts with IT and OT service providers to conduct an array of day-to-day functions on Federal Information Systems. There is no such thing as an OT service provider (see Vytautas’s similar concerns).
- The EO is almost exclusively network-focused, which drives an even bigger wedge between the network and engineering organizations and makes information sharing that much more difficult. The EO needs to take a more realistic and pragmatic view of the whole operation of these systems and not confine the perception of vulnerability to IT and OT networks. A cyberattack on control systems and sensors can have a far more deleterious effect on equipment, and can affect IT as much as an attack that occurred at the IT level. Therefore, there cannot be an effective strategy that focuses on only one aspect of the interrelated operations of infrastructure.
- The EO establishes a Cyber Safety Review Board. This appears to be analogous to the National Transportation Safety Board (NTSB) and its investigations of fatal aircraft and pipeline accidents. Marshall Abrams from MITRE (now deceased) and I did the assessment of the 1999 Bellingham, WA Olympic Pipeline rupture for NIST (the analysis can be found in Protecting Industrial Control Systems from Electronic Threats). In obtaining the information from NTSB for our assessment, NTSB told Marshall and me that the SCADA aspect made the Olympic Pipeline assessment more complex than any pipeline rupture they had analyzed to date. The same was true for the San Bruno natural gas pipeline rupture. Investigations of this kind require engineering expertise, which does not appear to be addressed in the EO.
- The most popular process sensor and field device network, with more than 60 million devices installed in both federal facilities and private industry, is built on 1200 baud modems. The EO recommendations do not apply to these basic yet critical systems and device networks. Additionally, process sensors, actuators, and drives have no cyber logging capability.
- The EO is heavy on information sharing. My experience is that engineers are willing to share information on actual control system cyber incidents (often in a sanitized manner), but network security people are either not willing to share or not knowledgeable about control system cyber incidents, and appear to be unaware of the size and scope of actual control system cyber incidents. Most organizations are unwilling to allow engineers to share cyber incidents beyond regulatory requirements, preferring that it be handled at the IT or upper management level (https://www.controlglobal.com/blogs/unfettered/control-system-cyber-incidents-are-much-more-plentiful-than-people-realize). To date, DOE and DHS have focused on vulnerabilities rather than incidents.
Examples of deficiencies in the EO:
Data center hacks: The EO has a heavy focus on protecting the cloud and responding to the SolarWinds hack. Data centers are a necessary part of the cloud infrastructure. My database has several cases where data center equipment has been damaged by control system cyber incidents, preventing data from being “sent to the cloud”. In one case, a disgruntled insider hacked the Simple Network Management Protocol (SNMP) card in a data center’s Uninterruptible Power Supply (UPS). This attack doubled the voltage being supplied to the servers, “frying” every server in the data center. With the servers inoperable, there is no data to send to the cloud. Russia had already hacked the UPS in the 2015 Ukrainian cyberattack to take out the communications center. Moreover, SolarWinds uses SNMP, and SNMP is also used by building control system equipment including UPSs, air handling equipment, HVAC, etc. (https://www.lawfareblog.com/solarwinds-hack-can-directly-affect-control-systems). Impacting building control systems and devices can impact the data center IT infrastructure as well as the people in the data center. This same equipment is used in all federal buildings, hospitals, laboratories, etc. Much of this equipment has no cyber security, authentication, or cyber logging.
EO limitations: The EO does not address hardware, including sensors, actuators, drives, air handling equipment, HVAC, etc. SolarWinds uses SNMP, yet the EO does not address the SolarWinds impact on control systems. Additionally, buildings, like other critical infrastructures, use serial (non-IP) protocols, which the EO does not address. The lack of cyber logging capability in this control system equipment precludes identifying cyberattacks or performing cyber incident monitoring.
Hardware backdoors in large Chinese-made electric transformers: In August 2019, hardware backdoors were found in a large electric transformer manufactured in China and installed in a US federal utility. The hardware backdoors led to the issuance of EO 13920. In early 2020, a second large Chinese transformer was diverted to the Sandia National Laboratory (SNL) – a utility is missing a large electric transformer. The backdoors bypass all cyber security and engineering protections and are meant to accept “spoofed” process sensor signals that would enable China to take over or damage the large electric transformers, including the load tap changers, which would allow control over system voltage. There are more than 200 large Chinese-made electric transformers already installed in the US bulk electric grid, including transformers providing almost 10% of the power to New York City and almost 20% of the power to Las Vegas. At present, there are no measures to remotely detect the presence of the backdoors or spoofed sensor signals. This is an existing major threat to the US bulk electric system – the Chinese have their fingers on the trigger today!
EO limitations: The EO does not address process sensors. The EO addresses Zero Trust, but process sensors are 100% trusted - the Zero Trust model does not apply to them. The sensors have no cyber logging, nor do they have any authentication, much less a capability for multi-factor authentication. The EO also focuses on software supply chain issues – this was a hardware issue, which is why EO 13920 focused on hardware, not software. Moreover, there has been no information sharing to date on what has been found at SNL.
Cyberattack on the safety systems in a petrochemical plant: This was an attack on the safety systems of a petrochemical plant in Saudi Arabia in 2017. The safety systems attacked are used extensively throughout the US in oil/gas, chemicals, water, nuclear, and other industries, including in federal facilities. The petrochemical plant shut down because of malware in the engineer’s safety system workstation. The shutdown was not identified as being caused by a cyberattack, and consequently the plant was restarted with the malware still installed.
EO limitations: The EO assumes a cyberattack would be identified. The Saudi Arabian case demonstrates that a cyberattack that shuts down a large facility may not be identified as being cyber-related. Most of the cases in my database, which include US federal facilities, were also not identified as being cyber-related.
Colonial Pipeline shutdown: The pipeline was shut down for safety considerations when the scheduling information, which identified what product was in the pipeline at the various locations, was compromised by the ransomware. The pipeline directly and indirectly supplies US federal facilities. Operations was not involved in deciding what resided on the IT network.
EO limitations: The EO does not address participation by engineering or operational organizations, including in the Cyber Safety Review Board.
Aurora vulnerability: Aurora is a physics-based attack that uses NO malware. The Aurora vulnerability can bring the grid down for 9-18 MONTHS by damaging or destroying critical generators and other large Alternating Current (AC) equipment as well as large electric transformers. Aurora incidents (whether unintentional or malicious) have already damaged chiller motors in a data center as well as large power plant equipment. In 2015, DHS declassified many of the details of the 2007 Aurora test at the Idaho National Laboratory. The Russians carried out the first of the two steps of an Aurora attack in the 2015 Ukrainian power grid attack. Moreover, the Russians have been in the US electric grids since at least 2014.
EO limitations: Physics-based attacks such as Aurora are not network attacks, so there is nothing in the EO to address these types of attacks. There are effectively no cyber forensics to detect these types of catastrophic attacks. The people needed to address Aurora are engineers, not network security personnel.
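The point that Aurora is physics rather than malware is easiest to see in the engineering control that exists for it, which is a relay function, not a network control. The sync-check guard below is an added example, not code from the original post or from any relay vendor. It assumes the publicly described Aurora mechanism (a breaker is opened, the islanded generator drifts out of phase with the grid, and the breaker is then reclosed out of phase, slamming the machine back into synchronism with a damaging torque); the settings, the `SyncCheckSettings` name and the sample close commands are constructed for illustration.

```python
"""Sync-check guard for breaker reclosing.

Added example, not code from the original post or from any relay vendor. It
assumes the publicly described Aurora mechanism: a breaker is opened (step one),
the islanded generator drifts out of phase with the grid, and the breaker is
then reclosed out of phase (step two). A sync-check supervisor blocks the close
command unless the angle, slip and voltage difference across the open breaker
are all small. The limits and the command sequence below are constructed for
illustration, not taken from any real relay or utility.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class SyncCheckSettings:
    """Constructed limits a sync-check supervisor might enforce before a close."""
    max_angle_deg: float = 10.0       # close allowed only within +/- this angle
    max_slip_hz: float = 0.1          # and only if both sides run at nearly the same frequency
    max_volt_diff_pu: float = 0.05    # and only if the voltage magnitudes roughly match


def angle_after_open(slip_hz: float, open_seconds: float) -> float:
    """Phase angle, in degrees normalised to (-180, 180], that accumulates across an
    open breaker when one side runs slip_hz away from the other for open_seconds.
    One full cycle of slip is 360 degrees, so angle = 360 * slip * t (mod 360)."""
    raw = (360.0 * slip_hz * open_seconds) % 360.0
    return raw - 360.0 if raw > 180.0 else raw


def reclose_permitted(angle_deg: float, slip_hz: float, volt_diff_pu: float,
                      settings: SyncCheckSettings = SyncCheckSettings()) -> bool:
    """The guard itself: every condition must hold, otherwise the close is blocked."""
    return (abs(angle_deg) <= settings.max_angle_deg
            and abs(slip_hz) <= settings.max_slip_hz
            and abs(volt_diff_pu) <= settings.max_volt_diff_pu)


# (label, slip_hz, open_seconds, volt_diff_pu) for one close command
CloseCommand = Tuple[str, float, float, float]


def evaluate_close_commands(commands: Iterable[CloseCommand],
                            settings: SyncCheckSettings = SyncCheckSettings()
                            ) -> List[Tuple[str, float, bool]]:
    """Run each close command through the guard; returns (label, angle_deg, permitted)."""
    results = []
    for label, slip_hz, open_seconds, volt_diff_pu in commands:
        angle = angle_after_open(slip_hz, open_seconds)
        results.append((label, round(angle, 1),
                        reclose_permitted(angle, slip_hz, volt_diff_pu, settings)))
    return results


# Constructed sequence: one operator reclose after a slow, deliberate resync,
# then rapid open/close cycles of the kind an Aurora-style command sequence issues.
SAMPLE_COMMANDS: List[CloseCommand] = [
    ("normal resync", 0.02, 0.5, 0.01),             # 3.6 deg, near-zero slip: permitted
    ("fast reclose, 0.5 Hz slip", 0.5, 0.3, 0.02),  # 54 deg after 300 ms: blocked
    ("fast reclose, 2 Hz slip", 2.0, 0.25, 0.02),   # 180 deg, the worst case: blocked
    ("in phase but slipping", 1.0, 1.0, 0.02),      # angle wraps to 0 but slip is high: blocked
]

if __name__ == "__main__":
    for label, angle, ok in evaluate_close_commands(SAMPLE_COMMANDS):
        print(f"{label:28s} angle={angle:7.1f} deg  {'CLOSE' if ok else 'BLOCKED'}")
```

The fourth command shows why angle alone is not enough: a breaker that has been open for exactly one slip cycle looks in phase for an instant, but the frequencies still differ, so the slip check blocks it. A guard of this kind only works if it is enforced at the relay, in hardware or firmware the control network cannot bypass; it prevents the damaging reclose but, as the paragraph above notes, produces no forensic record that the command sequence was ever attempted.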
Summary
An EO on cybersecurity has been desperately needed. However, the May 12, 2021 EO did not address the unique issues associated with control systems, and it exacerbates the cultural gap between the network and engineering communities. It did not address the control system cyber security issues with SolarWinds, Colonial Pipeline, or other significant control system cyber incidents that have occurred to date. As noted in Vytautas’s blog, the lack of adequate control system cyber security is not unique to the US. These control system cyber security gaps in the EO need to be reconsidered before it is too late.
Joe Weiss