Cyber Threat to Control Systems: Are Companies Expecting Too Much Info?

Jan. 25, 2011
The Industry Uses the General Term "Threat Information," but During More Detailed Discussions, It Seems That The Information Companies Seek Is More Like the Traditional Military Concept of "Tactical Information"

By Michael Peters1

A recent GAO report [GAO-10-628, Critical Infrastructure Protection Key Private and Public Cyber Expectations Need to Be Consistently Addressed, ] reveals that a key expectation from industry was for actionable cyber threat information from the federal government. The dissemination of this tactical level of information [See sidebar "Threat" Versus "Tactical" Information] has not been completely met. Because of this lack of information, a company may choose not to implement cybersecurity defenses because it feels there is no threat. I believe this reliance on tactical threat information is a false interpretation of the environment and is a major impediment to securing our critical infrastructures from attack.

"Threat" Versus "Tactical" Information
The industry uses the general term "threat information," but during more detailed discussions, it seems that the information companies are seeking is more in line with the traditional military concept of "tactical information" (e.g., individual "Able" from bad guy group "Baker" is planning on attacking Critical Infrastructure "Charlie" specifically company "Delta" on Friday using technique "Echo" at 1500 EST). The government has been providing strategic threat information for several years (e.g., Bad guy group "Baker" is interested in attacking Critical Infrastructure "Charlie" and is researching techniques to do so.)
I do not believe this tactical level of information is necessary for a critical infrastructure company to implement cybersecurity defenses. The federal government has provided strategic- level cyber threat information to the various critical infrastructures, and this type of information sharing can easily continue, as the strategic threat is the information that the government most likely will be able to acquire and distribute.

However, even this level of threat information really isn't necessary in order to justify and implement cybersecurity defenses. Many threat actors exist today that can impact the security of a control system. If these adversaries are successful in gaining access to the control system, they then can manipulate the control system and wreak havoc on the devices and the processes the control system is overseeing and, therefore, impact the reliability of the operation. These adversaries range from the traditional hacker to the criminal, disgruntled insider or terrorist to the nation-state adversary. All of these adversaries have a range of capabilities and intents, though the common assumption is that the nation-state is the most technically sophisticated, and the hacker the least. In addition, many of these adversaries are capable of very structured as well as unstructured operations. What is crucial here is that the level of sophistication, structure, capabilities, etc., varies for all of the adversary types. So while many feel that hackers are the least sophisticated, least structured and least capable, quite a few are highly sophisticated, highly structured and highly capable. By the same token, a few nation-states are not very sophisticated, not very structured and overall not very capable. A security professional should never fall into the trap of assuming that a specific type of adversary has "specific" traits.

Wobbly Leg?

Understanding these adversaries and determining their capabilities and intents is a very difficult problem and often results in less-than-complete information. And it is this information that forms the basis of the threat leg of the traditional risk equation of Risk = Threat x Vulnerability x Consequences. This lack of information often results in reducing the perceived risk to the system. However, what every critical infrastructure company should assume is that at some point in time one or more of these adversaries will attack them. In my opinion, critical infrastructure companies should assume that the threat level is "1" (i.e., that a viable cyber threat to their control systems exists). Because in reality, what threat actor attacks them is immaterial, as the company and its customers should not and do not care what adversary has successfully exploited the system. All they care about is that the system has been exploited, and the services/products that the company provides and the customer desires are not available.

Now a frequent counter-argument raised by the critical infrastructure companies is that they can't afford to address everything, and without this threat information, they don't know what to spend their resources on to fix. While I agree that their resources are limited, and they can't address everything, I believe that there is a better way of determining where to spend their scarce cybersecurity dollars rather than waiting for tactical cyber threat information that they may not receive and would probably be constantly changing even if it were readily available.

Two Ways of Looking at Things

I think critical infrastructure companies should examine themselves from two main perspectives and not rely on threat information. The first perspective is most directly tied to the mission of the company, whether it is providing electricity, making potable water, refining gasoline or manufacturing a television, etc. One recommendation I make is that companies should create tiger teams of specialists, including their most knowledgeable operators, control system experts and IT personnel, and charge them with the task of developing scenarios for causing the most harm, destruction or danger to company personnel or to the public. These individuals have the most detailed intimate knowledge of the company's systems and processes, and they will often know exactly how to cause the most damage to the company's operations. They then can build on this knowledge and determine how to best mitigate the attack vectors that they developed.

The second perspective is from a traditional vulnerability assessment/evaluation arena. The critical infrastructure companies need to examine their systems looking for vulnerabilities. They then need to determine the consequences/impacts to the company's operations and to their customers of a successful exploitation of the vulnerability. They need to determine the capabilities that are necessary in order to successfully exploit the vulnerability and cause the identified consequences. Then the last facts that should be determined are whether the capabilities needed to successfully exploit the vulnerability currently exist, and whether these capabilities are easy to use. Finally, the company needs to determine how to mitigate the vulnerability identified and to minimize the impact of a successful exploitation. The company should also answer all of these questions for the scenarios developed by its internal tiger team.

Now the company can prioritize what it fixes by working through the results of the above analysis. Vulnerabilities with high/major impacts, where the capabilities to successfully exploit currently exist and are easy to use, should be fixed first. Vulnerabilities with minimal impacts and where the capabilities to successfully exploit them don't currently exist would, therefore, be of a lower priority and would only be addressed after the vulnerabilities that are at a higher priority level have been fixed. This shouldn't be a difficult process, as it is similar to ones being used today to determine how to prioritize/handle reliability or safety issues.

The overall goal is to improve the security of the system, and the above methodology only uses the vulnerabilities and consequences—information that is most likely known—rather than needing threat information which is typically unknown. (This is information that is definitely unknown at the tactical level and often considered not detailed enough at the strategic level.)

Learning from Accidents

One other area where I believe that critical infrastructure companies can gather information that they can use to convince senior executives to authorize the implementation of cybersecurity defenses is to examine real-world industrial incidents/accidents and see if they can extrapolate a purely cyber scenario that results in the same consequences. For instance, most industrial accidents involve three "legs": 1. Some sort of physical issue/problem; 2. Some form of human error; 3. Some form of cyber issue (cyber system not running; cyber system running, but on incorrect data; or malicious cyber attack (currently rare)).

For some industrial accidents, it is quite simple to extrapolate to a purely cyber vector to cause the same consequences as the original accident. However, this is normally done by considering two main assumptions. The first is that an electronic pathway exists from the targeted control system to the outside world. (Note: a disgruntled insider needs to be considered as well.) The second assumption is that this electronic pathway is exploitable, and again in my experience, the likelihood of this is very high. Or you could simply assume a supply chain issue that allowed the adversary to implant his malicious access at an earlier stage.

I believe that by undertaking the above three efforts, any critical infrastructure company will have developed/acquired more than sufficient information to convince its senior executives that cybersecurity defenses must be implemented in order to ensure that the company can continue to carry out its mission safely, reliably and securely without needing tactical cyber threat information from the government before they are persuaded to act to adequately secure their control systems.

Now while I believe that tactical actionable cyber threat information of a potential attack is not needed prior to making decisions to implement basic cyber defense mechanisms, there is one arena where it is needed. Mechanisms must be developed and deployed so that information is shared when an attack is occurring that will allow companies not under attack to ramp up their defenses to prevent the current attack from succeeding. This assumes, however, that the companies have already implemented cybersecurity defense measures and have developed the plans and procedures to rapidly increase their cybersecurity defense posture.

The Bottom Line

I believe that critical infrastructure companies should not depend on tactical cyber threat information to deploy cybersecurity defense mechanisms. Instead, the companies should consider that the cyber threat is "1" and focus on understanding their vulnerabilities and the consequences of a successful exploitation of those vulnerabilities. Waiting for tactical cyber threat information could delay critical infrastructure companies from starting to examine their systems from a mission perspective and implementing cyber defenses that help to ensure that they can continue to operate their missions safely, reliably and securely. The discussions concerning tactical cyber threat and the resultant expectations (and of course, the resultant need for clearances for an expansive number of industry personnel) are primarily a distraction and are being used to justify a lack of action for implementing cyber defenses. The government and the critical infrastructures need to get past this self-imposed roadblock.

1About the Author
Mr. Michael Peters is an Energy Infrastructure and Cybersecurity Advisor for the Federal Energy Regulatory Commission Office of Electric Reliability. He specializes in analyzing cybersecurity issues, including those affecting control systems, and is instrumental in FERC's cybersecurity oversight of the electric industry. Prior to joining FERC in 2006 he spent ~23 years at the National Security Agency dealing with information operations/ information warfare issues. He is frequently requested to participate and speak at various conferences dealing with critical infrastructure and cyber security. This article is personal opinion and does not represent the opinion or position of the Federal Energy Regulatory Commission or the federal government.