Commentary: New Perspectives on Cybersecurity

By Andrew Ginter

In 2023, 68 cyber attacks took down more than 500 sites worldwide, some of them water utilities. All modern automation includes computers, and so for the last 40 years we have been deploying more and more targets for cyber attacks.

Compounding the problem, data in motion is the lifeblood of modern automation, but every connection that lets data flow, also lets cyberattacks flow. Thus, for 40 years we have been deploying not only more targets, but more and more opportunities to attack those targets. Neither of these trends is reversing any time soon. Cybersecurity is expensive and becoming more so every year. We need a new approach.

Cyber-Informed Engineering

If ransomware cripples water treatment automation, how long can a city continue without a boil water advisory? Well, that depends on the size and fill-level of finished water reservoirs, doesn’t it? And on whether we can still operate treatment systems manually. How long will it take to erase all the affected computers and industrial devices and restore them from backups? Do we even have backups stored where ransomware cannot reach them?

These questions are increasingly asked by engineers, in addition to enterprise cybersecurity teams. After all, in most jurisdictions, it is the engineering profession that is responsible for protecting public safety, environmental safety and national security, at least to the extent that critical industrial infrastructures impact the society and the nation. When engineers design a bridge for example, the public expects that bridge to carry a specified load, in a specified operating environment, for a specified number of decades, with a large margin for error. Increasingly, the public also expects that our water utility automation will bear a specified threat load, until at least the next opportunity to upgrade our security posture with a large margin for error.

The new Cyber-Informed Engineering (CIE) initiative at Idaho National Laboratory (INL) is exploring these expectations and the tools that engineers have to manage cyber threats to physical operations. For example, some large water treatment systems are designed so that they can be operated manually in an emergency. For example, at one utility this author is familiar with, on the last day of every month, no matter if that day falls on a weekend or a holiday, the employees power off every computer and device in the automation system and operate the entire system manually. If a cyber attack impacts operations, the utility can declare an emergency, cancel all vacations, and operate manually for the weeks that it takes to restore automation.

But where is manual operations in the ISO 27001 standard? Manual ops is not in the standard. Where is a large, finished water reservoir in the NIST Cybersecurity Framework (NIST CSF)? Not there. What about the industrial IEC 62443 security standard? Again, neither is there. These are cybersecurity standards. Manual operations, finished water reservoirs and other fail-safes are engineering tools, not cybersecurity tools. CIE is defined as both cybersecurity and engineering, but it is engineering that has been neglected these last 20 years as a way to address cyber risk.

“…data in motion is the lifeblood of modern automation, but every connection that lets data flow, also lets cyberattacks flow.”

A Way Forward

The CIE initiative points out that we need to be more pragmatic in our planning for cybersecurity. If a two-week boil water advisory when ransomware hits our automation is acceptable, then say so, and have our teams design to that goal. If such an outcome is unacceptable, again we must say so, and task our cybersecurity and engineering teams with designing to what is acceptable. At a very high level, the new CIE perspective includes:

  • Understanding what the worst possible consequences of cyber compromise are, potentially including long-term equipment damage, burst pressure vessels and threats to public safety;
  • Deciding and documenting which of these consequences are acceptable vs. unacceptable;
  • Understanding what kinds of cyber attacks or situations pose credible threats of bringing about unacceptable consequences; and
  • Designing physical and cyber mitigations to prevent those attacks causing the consequences, again with a large margin for error.

The tool set for addressing threats includes:

  • For the smallest utilities, limiting some automation initiatives when the cost-saving benefits of automation do not pay for the cybersecurity and engineering protective measures needed to assure public safety;
  • Deploying network engineering, such as unidirectional gateways or analog signaling, to enjoy the benefits of business automation accessing OT data without the risk of Internet-based attacks leaking back into OT systems; and
  • Deploying cybersecurity measures in OT systems to address residual risks of deceived, disgruntled or compromised insiders.

There is no simple formula for this decision process, but neither is it insoluble. Every bridge, for example, is different, but the engineering profession has clear and slowly evolving expectations as to how bridges are designed. Similarly, the profession has both the skills and responsibility to look at water utilities in light of today’s attack environment, understand how that environment is expected to change in the decades ahead, and put together recommendations for acceptable designs, again with large margins for error.

Andrew Ginter is vice president of industrial security for Waterfall Security Solutions, co-host and Chief Security Officer of the Industrial Security Podcast and the author of three books on OT security. Ginter has 25 years of experience managing the development of products for computer networking, industrial control systems and industrial cybersecurity for leading vendors.

Leave a Reply

Your email address will not be published. Required fields are marked *