The President’s Council of Advisors on Science and Technology on Thursday approved a set of recommendations to improve the resilience of cyber-physical critical infrastructure.
The 28-member advisory council, made up of scientists, educators, and executives, created the cyber-physical resilience working group in March. The working group, co-lead by Eric Horvitz, chief scientific officer at Microsoft, and Phil Venables, chief information security officer at Google Cloud, developed the report with the goal of finding new strategies to improve resilience. While the report was approved, it will not be released to the public until mid-February on the PCAST website.
“All of our modern infrastructure are cyber-physical by nature,” Venables said. “Our society is becoming ever more dependent on an interwoven set of physical and digital technologies, and all of our critical infrastructure depends on these. Whether it’s water, finance, telecommunications, energy, health care and many other sectors.”
Indeed, the report comes amid an ongoing shift in critical infrastructure sectors, which are digitizing and becoming more data-centric in an effort to improve efficiency. New technologies in various critical infrastructure sectors — such as renewable generation in the electric sector and automation in manufacturing — can also open up new avenues of attack for hackers if not properly secured. The increasingly interwoven and complex nature of these systems have complicated the understanding of how they impact one another in cases of failure, making them especially difficult to secure.
“The digitization of all aspects of society has made us all dependent on complex and often fragile cyber-physical systems that can easily break down or suffer from cyber-attacks, software glitches, supply chain problems, mechanical failures, natural disasters, or other disruptions,” the working group wrote in the announcement of its launch. “These breakdowns or attacks can have serious and unpredictable consequences for many sectors, such as banking, energy, transportation, and health care.”
Venables said that reliability efforts often focus on individual components such as patching or power backups, with the aim that fewer system-wide failures occur. However, reliance on those individual components can actually decrease system-wide resilience by creating bottlenecks or a single point of failure that can have cascading impacts.
For instance, a lack of segmentation in Colonial Pipeline’s IT network led to the precautionary decision to shut down the entire system — including operational technology — as the company did not know how widespread the ransomware attack had spread. That decision led to widespread disruption in gas supplies along the East Coast, Venables noted.
The working group, which collaborated with the National Institute of Standards and Technology, MITRE, the Defense Advanced Research Projects Agency, and the Department of Homeland Security, delivered a report that laid out four major recommendations: establish performance goals, bolster and coordinate research and development, break down silos and strengthen government cyber-physical resilience capacity, and develop greater industry accountability.
The first recommendation includes the defining of minimum operating capabilities and delivery objectives. For example, one measurable objective of minimum delivery goals is to ensure that no more than 50,000 people will be without water or food for more than one week. Additional examples of performance goals are leading indicators, such as how long it would take to reboot a system and bring it back into service.
In order to bolster research and development, the working group recommended that the Cybersecurity and Infrastructure Security Agency and the National Security Agency develop a National Critical Infrastructure Observatory to create a knowledge base and tools to better understand infrastructure across sectors.
“Experts have shared assessments with us that our adversaries likely have a better picture of our nation’s infrastructure and its weaknesses than we do,” Horvitz said. “We must assess this gap, and close it.”
In terms of strengthening government cyber-physical resilience, the working group suggested clarifying “the what and why” of the national critical functions list, which is a framework that contains vital services from the federal and private sector, including the ability to supply water or hold elections.
The goal is “to make sure that we have a more cohesive and consistent framework to understand what are the most important parts of our infrastructure, so we can direct the right focus and energy on that,” Venables said.
Additionally, the sector risk management agencies should have better funds, staffing, and additional authorities to direct minimum standards. Recently, the Environmental Protection Agency lost a battle for cybersecurity audits in sanitation surveys after three Republican-led states and water trade groups said the agency overstepped its authority.
The Cyber Safety Review Board should also seek additional resources to create a “larger and more permanent staff” to take on more reviews, the working group recommended. A panel of experts during a Senate hearing on the Cyber Safety Review Board this week levied harsher criticism, noting that the board lacks both the authority and independence it needs to effectively investigate major hacks.
Another recommendation was for greater accountability for private sector executives, as industry makes up the vast majority of critical infrastructure.
“Fundamentally, we believe the tone at the top from executives can amplify the resources in the ranks that are needed in these organizations to drive that increased resilience,” Venables said.