We have a lot of bright people working on this problem, but the faster we go, the more behind we get. We don't seem to be getting ahead of it.1
— General Michael Hayden
The wellspring of risk is dependence.2
— Dan Geer
If the nation went to war today, in a cyberwar, we would lose. We're the most vulnerable. We're the most connected. We have the most to lose.3
— Mike McConnell
"I Can Deal with Disruption; I Can't Handle Destruction"
The complete statement was "I can deal with disruption; what I can't handle is destruction of long lead-time-to-replace capital equipment." These words were spoken by the CEO of Florida Power & Light, one of the largest US electric utilities, in his 2018 Consequence-Driven Cyber-Informed Engineering (CCE) brief to Congressional staffers.4 Situated in the path of some of the largest hurricanes every year, his company, Florida Power & Light (FP&L), is more than ready for large-scale, multiday weather-induced disruptions. Stockpiles of essential parts and equipment, employees trained in restoration, plus well-established mutual assistance programs with other regional utilities are standing by to get the power back on fast even after enduring Mother Nature's worst.
It's another matter entirely when the adversary is planning cyberattacks that target energy companies' most important, long-lead-time-to-replace capital equipment: for example, the concurrent destruction of multiple combined cycle generators, natural gas distribution lines, or ultrahigh voltage transformers; or the widespread destruction of thousands of geographically dispersed digital protective relays, which could shut a utility down for months while it waits on the supply chain before rolling trucks to the site of each relay. In other sectors like water and wastewater treatment, massive pumps that would take months or years to replace are what must not fail, and therefore make for the most prized targets.
While the struggle to protect the entire enterprise will continue to challenge Chief Information Security Officers (CISOs) for the foreseeable future, what's needed now is a way to take a highly specific subset of all systems, the things upon which infrastructure companies most depend and the adversaries' most desirable targets, off the table.
Implications for Critical Infrastructure and National Security
It's one thing for a restaurant, a lawn service, or a nail salon to be dependent on digital systems; it's quite another for some of the most important companies and government organizations in the nation to put themselves in that position. No matter how you define critical infrastructure, be it by sector5 or by critical national function,6 there is far more at stake than the well-being of the organization. In the private sector, downstream dependencies on electricity, water, and communications services often greatly eclipse the economic, military, or societal value of the individual company, its employees, or its investors.
Consider what happens in a local or regional blackout. Almost everything, except what's powered by fuel still in the tank, stops in its tracks. Hospitals, military bases, and companies with the wherewithal to have backup power strategies can maintain essential operations for a few hours or days. Cell phones keep working until their batteries are depleted, and cell towers either stop transmitting or run a while longer on backup diesel generators. The macro effects are that offices and houses go dark and production lines stop midstream. More tangible effects are felt when passengers are trapped in elevators, traffic lights blink out, and food spoils in warming home and grocery store refrigerators.
Hereās what ex-Mossad director X Pardo said about victim hopes that governments will come to the rescue if and when cyberattacks create large-scale infrastructure effects:
Of the 16 critical infrastructure sectors monitored by the Department of Homeland Security (DHS), most rely to a great degree on the reliable functioning of Industrial Control Systems (ICS). And some of those that at first glance don't appear as reliant, like Financial Services, depend heavily on other sectors that do. Many ICS suppliers serve multiple sectors. For example, General Electric turbines propel jetliners and power cities. Caterpillar diesel generators provide emergency backup power to commercial and government facilities as well as to ships and submarines. Whether called ICS, operational technology (OT), or cyber-physical systems, it is thoroughly documented that the technologies that support industrial processes are highly susceptible to exploration and exploitation by parties interested in targeting them.
Goodbye to Full Manual: Automating Critical Infrastructure
It used to be that machines did the one or several things they were designed to do, and the principal concerns for owners and operators were about how to operate them safely and keep them running as long as possible with scheduled maintenance. For example, think farm tractors, steam engines, diesel-powered backhoes, and coal-fired power plants. Bad things could happen when some part of them broke down from wear or a material defect, but from today's perspective, the upside was that with rare exceptions, they couldn't be made to perform tasks diametrically opposed to what their designers intended. And they especially couldn't be made to perform other tasks by distant humans.
As the saying goes, that was then, this is now. We've become quite accustomed to digital machines running the show, in factories and farms, in cockpits, and increasingly, in cars. The "Second Machine Age," "Industry 4.0," and the "Industrial Internet of Things (IIoT)" signal a full-on, buzzword-filled embrace of digital automation.8 Unpredictable and error-prone human operators are replaced with programmable and reprogrammable machines that perform tasks much more quickly, efficiently, and without error, and that require neither paychecks nor benefits. Automation's business benefits are so clear, and the business case for it is so compelling, that economists are warning that despite the likelihood that some jobs are being created to support the advance of automation, an unprecedented wave of job losses in a number of low- and middle-skilled job categories is likely to ensue.9
As human decision-makers are replaced with algorithms, efficiency advantages are occasionally offset by automation-induced catastrophes10 that give some momentary pause. And even though it sometimes initially appears otherwise, the vast majority of these accidents are not the result of malicious bad actors but rather of engineering design decisions that took humans so far out of the loop that there was no way for them to take back control when needed. The trend seems unstoppable and largely unnoticed.
Water sector engineering subject matter expert (SME) Daniel Groves sometimes teases his clients into examining their massive dependence on automation by daring them to consider going one full day without it. Here's how he describes the typical reactions: