To share and coordinate effective cybersecurity practices more widely, Idaho National Laboratory is participating in the U.S. Dept. of Energy's (DoE) $70-million project to launch the Cybersecurity Manufacturing Innovation Institute in mid-November at the University of Texas San Antonio (UTSA).
The institute's three goals are "securing automation, securing supply chain networks, and building a national program for education and workforce development." It will include the DoE's INL for ICS cybersecurity and physical infrastructure, Sandia National Laboratory for supply cybersecurity, and Oak Ridge National Laboratory for advanced manufacturing. CyManII will also include 22 universities, 15 institutes, 50-60 partners, and 600 manufacturers, according to Wayne Austad, CTO for National and Homeland Security programs at INL.
"CyManII will connect cybersecurity on digital plant floors with supply chains and the business level," says Austad. "It will combine INL's experience in process control cybersecurity with expertise from academia and the supply chain. The vision is to include all manufacturing centers and industries for the long term."
Design-in like an adversary
Beyond endorsing secure design lifecycles based on the Purdue model for ICS security, Austad reports that INL also supports its Consequence-driven, Cyber-informed Engineering (CCE) program, which focuses on the final results of performance and service interruptions caused by cyber-intrusions, and how to secure the national critical infrastructure (CI) systems. Of course, the Purdue model is based on the seven-layer Open System Interconnect (OSI) Model for Control Hierarchy.
CCE advises users to "think like an adversary," and begins with the assumption that if a CI facility is targeted by a skilled and determined adversary, the targeted operation can and will be sabotaged. INL adds that the CCE methodology gives CI owners, operators, vendors and manufacturers a better-focused, bottom-line approach to: determine their most critical functions, evaluate complex systems, identify methods an adversary could use to compromise the critical functions, and design-in proven engineering, protection, and mitigation strategies to isolate and protect a user’s most critical assets.
"Process and plant engineers have an essential advantage because they control what governs their operations, such as the limit switches on tanks and flow equipment, or the separate components and buses for safety," says Austad. "So, if cyber-threats can't be engineered out, they do show the best locations and devices in which to invest in cybersecurity."
Assess, scale and culture
Similar to most cybersecurity efforts, Austad reports a CCE project begins with an in-person assessment by INL and other experts, who scale their solution for each client, so the client can maintain it themselves. CCE also works in conjunction with INL's Resilience Optimization Center (ROC), which applies laboratory-wide capabilities and expertise to tackle infrastructure challenges.
"We see CCE as a culture change that allows users to regain control of their application's consequences, and engineer their security within their own cyber-physical context, instead of waiting for a black box or IT to do it all," says Austad. "If physics enable nuclear reactors to scale down, or let computers eliminate moving parts and cooling requirements, and let smart phones operate reliably and safely, then why can't we do the same for ICS cybersecurity?
"Likewise, as they've evaluated the critical functions of more applications, CCE and ROC learned there are design pressures for agility beyond what's needed to distribute cybersecurity among associated organizations or address today's COVID-19 requirements. Those issues are just the beginning because designed-in solutions are needed for digital ecosystems and long-term transformation, too."