The following are excerpts from a book set to be launched Nov. 1, 2023.
Much has been written about the differences between conventional IT networks and operational technology (OT) or industrial control system (ICS) networks: patching is harder in OT networks, antivirus is harder, OT networks use very old protocols and computers, and there is enormous resistance to change from the people who manage these networks. These differences are, however, all superficial. The intrinsic difference between these two kinds of networks is consequences: most often, the worst-case consequences of cyberattacks are sharply, qualitatively different on IT versus OT networks.
What is this difference? Ransomware hits our IT network and what do we do? We detect, respond, and recover. We identify the affected computers and isolate them. We take forensic images and erase the equipment. We restore from backups. We repeat. In the worst case, personally identifiable information (PII) or other sensitive information is leaked, and we suffer lawsuits. These are all business consequences. Said another way, on IT networks, the goal for managing cyber-risk is to prevent business consequences by protecting the information — protecting the confidentiality, integrity, and availability of business information.
On OT networks, however, the worst-case consequences of compromise are almost always physical. Things blow up and kill people, industrial malfunctions cause environmental disasters, the lights go out, or our drinking water is contaminated. The cyber-risk management goal for OT networks is generally to assure correct, continuous, and efficient operation of the physical process. The goal is not to "protect the information," but rather to protect physical operations from information, more specifically from cyber-sabotage attacks that may be embedded in information. This is the fundamental difference between IT and OT networks: neither human lives nor damaged turbines nor environmental disasters can be "restored from backups."
This means that even if we could somehow wave a magic wand and render all industrial networks fully patched, fully antivirused, fully encrypted, and otherwise completely up to date with modern IT cybersecurity mechanisms, this fundamental difference would remain. The difference in consequence today and always demands a different approach to risk management in safety-critical and reliability-critical networks versus business networks.
The good news is that the engineering profession has powerful tools at their disposal to address OT cyber-risks. For example, mechanical over-pressure valves prevent pressure vessels from exploding. These valves contain no CPUs and are therefore unhackable. Torque-limiting clutches prevent turbines from disintegrating, contain no CPUs, and are thus uhackable. Unidirectional gateways are not physically able to allow attack information to pass in one direction and are thus unhackable. Today, these powerful tools are often neglected, because these tools have no analogue in the IT security space.
Digging a bit deeper, the engineering profession has managed risks to public safety for over a century. It is because poor engineering poses risks to public safety that the engineering profession is a legislated, self-regulating profession in many jurisdictions, similar to the medical and legal professions. The engineering profession has an enormous contribution to make to managing OT cyber-risks, but this is poorly understood both inside and outside of the profession.
Why? To start with, there are 50 times as many IT security practitioners in the world as OT security practitioners, and so IT experts often are the first people consulted when we need industrial cybersecurity solutions. Most IT security experts though, are not engineers, and so are not aware of the responsibilities of, nor the contributions that can be made by, the engineering profession.
The engineering profession as a whole is not much better off. If cyberattacks with physical consequences continue more than doubling annually, then the OT cyber problem will reach crisis proportions before the end of the decade. But, in most jurisdictions the engineering profession has not yet come to grips with cyber-risk to the public and to physical operations. At this writing, there is no jurisdiction in the world where failing to apply robust cyber-risk management to industrial designs can cost an engineer their license to practice.
There is progress though. In the past half decade, a number of approaches to robust cybersecurity engineering have crystalized:
- Process engineering: The Security PHA Review for Consequence-Based Cybersecurity textbook documents an approach for using routine process hazard analysis (PHA) engineering reviews to put in place unhackable physical mitigations for cyber threats to worker, environmental, and public safety.
- Automation engineering: Andrew Bochman and Sarah Freeman's book The Countering Cyber Sabotage: Introducing Consequence-Driven, Cyber-Informed Engineering is primarily a text on risk assessment but includes a number of chapters on unhackable mitigations for cyber threats, including unhackable digital mitigations for cyber threats to equipment protection.
- Network engineering: My book Secure Operations Technology describes the engineering perspective of protecting correct physical operations from attacks that might be embedded in incoming information flows, rather than trying to “protect the information.” A large part of the text is focused on different ways to design industrial networks to enable monitoring information to leave a network without introducing any way for attack information to enter the networks.
In this theme, the US Department of Energy (DOE) also released the "National Cyber-Informed Engineering Strategy" (PDF) in June 2022. The strategy seeks to develop an engineering body of knowledge to, among other things, “use design decisions and engineering controls to mitigate or even eliminate avenues for cyber-enabled attack or reduce the consequences when an attack occurs.”
The main question the new book addresses is, when it comes to cybersecurity, "how much is enough?" Consequences determine the degree of protection that a system or network needs, and the best guidance out there says that we need to secure safety-critical and critical infrastructure systems really thoroughly. This is a very expensive process. Worse, even the best of cybersecurity programs do not deliver the deterministic protection that we expect of engineering designs when public safety is at risk.
Security engineering has the potential, if applied routinely and systematically, to eliminate a great many safety and reliability/national-security consequences from consideration. This has the potential to dramatically simplify the "how much is enough?" question by reducing the required strength and cost of cybersecurity programs that address remaining risks inn OT networks. Given the crisis that we see coming in terms of OT shutdowns, equipment damage and worse caused by cyber attacks, the time is ripe for this new approach.
More information about the book can be found on the link.