US President Donald Trump has declared that cyber threats to the Bulk Electric System (BES) constitute a national emergency and has put measures in place to eventually prohibit the “acquisition, importation, transfer or installation” of products from companies under the control of foreign adversaries. The term “foreign adversaries” has not yet been legally defined, but the 2019 Worldwide Threat Assessment of the US Intelligence Community states that “China, Russia, Iran and North Korea increasingly use cyber operations … to disrupt critical infrastructure.” That same report calls out China and Russia as currently able to bring about such disruption, with Iran and North Korea actively developing these capabilities.
It is not yet clear what this means for BES operators using products and components that were developed or manufactured in China or Russia, or developed by businesses subject to these nations. Emergency replacement of entire industrial control systems, or wholesale replacement of components such as protective relays, will be very costly and will certainly not be possible in any short-term time frame. The North American grid is one of the world’s largest and most complex human creations. Poorly engineered or inadequately tested replacement systems risk causing the very outages that these replacements are intended to prevent.
Stepping back a little though, what the order means is clear: cheap, reliable electric power is vital to all developed societies and economies. In the United States and in many other western nations, this resource is very much at risk because of the actions of nation-state adversaries. Those of us working to secure the electric system against cyber threats cannot be pre-occupied with mundane attacks such as common malware or Internet-based distributed denial of service – we must focus the design of our defenses on sophisticated attacks.
Now this comes as a surprise to many practitioners. In the world of traditional conflict, there is a clear expectation that beyond a certain level of attack capability, private citizens and private industry can rely on government and military intervention for protection. A power plant, for example, might expect to deploy a physical security system able to defeat a lone shooter, but generally does not expect to defeat a squadron of enemy tanks.
In the cyber world though, there is only so much that a government can do for private industry and for the public against certain classes of attack. When a sophisticated adversary silently seeds malware through dozens of different power plants and then triggers the malware in all plants simultaneously, physical consequences are realized faster than government representatives can react and fly out to the affected sites. If the individual sites do not reliably prevent this kind of attack, then there is nothing the government can do to help.
Those things that governments are very good at take time. These include:
- General threat intelligence,
- Regulations (which are very costly),
- Post-incident analysis and information sharing, and
- Detection of enemy agents, sleeper cells and conspiracies targeting on-site, in-person attacks.
All these contributions have value, but again, none are fast acting.
This is why the world’s most secure sites practice Secure Operations Technology (SEC-OT). My latest book by the same name documents what secure BES and other industrial sites do and develops a common terminology for these sites’ approaches. The heart of the methodology is not protecting information but preventing attack information from reaching control-critical settings. All cyber attacks are information, from the most mundane to the most sophisticated. If we can prevent attack information from reaching electric sector targets, then we can defeat all cyber attacks, no matter how sophisticated. While this ideal is just that, an ideal, SEC-OT sites come close enough to the ideal that with some government assistance, even the most sophisticated nation-state actors are frustrated.
In just a little more detail, what SEC-OT sites do locally is implement strict controls over the physical movement of information: removable media controls, removable device (laptop, tablet) controls, supply chain controls and so on. They also implement strict controls over the online transfer of attack information – these sites generally forbid firewalls between control-critical networks and non-critical networks, permitting only Unidirectional Security Gateways and related technologies at such interfaces. Secure sites do these things in addition to the usual protections against more mundane threats. With these measures in place, the only practical way to insert attack information into protected control systems is through the deliberate cooperation of insiders – malicious or coerced.
This residual risk is where governments can help a lot. Governments have powers, systems and institutions that have for generations dealt with the threat of enemy agents, sleeper cells and conspiracies. This class of threat is precisely what governments are good at, and what all industries generally expect our governments to step up to.
So again, the electric sector is very important. There are serious and sophisticated cyber threats targeting that sector. We as security practitioners need to step up and control attack information flows into our OT networks, because there is only so much that the government can do against sophisticated cyber attacks. However, once we have reliably defeated such attacks, the government can step in and deal effectively with residual, physical threats, most of which involve people and the potential for insider attacks.
There are no secrets when it comes to what secure sites do – all of us can and should defend our control systems so thoroughly that even our most resourceful enemies are defeated reliably.
If you would like to learn more about how thoroughly secured BES sites design security systems to reliably protect continuous, correct and efficient physical operations, please visit the SEC-OT page on the Waterfall website. Waterfall is making copies of the Secure Operations Technology book available free of charge for industrial security practitioners, while supplies last.