Critical Infrastructure – How Secure (or Unsecure) are Industrial Control Systems?

It’s common, Information Technology knowledge that a myriad of vulnerabilities and threats continue to emerge for network-based systems connecting to or running Industrial Control Systems (ICS). In his 2013 State of the Union Address, President Barack Obama spoke to this end, when he said, “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems.” Thusly, the question is not if but how we should increase ICS protections. On the same day, President Obama signed Executive Order 13636 (EO 13636), Improving Critical Infrastructure Cybersecurity, wherein “Critical Infrastructure” was defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

ICS, which form the backbone of our nation’s critical infrastructure, fall into sixteen sectors (e.g. Communications, Energy, and Transportation Systems) detailed in the U.S. Department of Homeland Security’s NIPP 2013. Despite the guidance set forth in EO 13636 and NIPP 2013 to increase partnerships with private sector organizations maintaining ICS, the results to date can be categorized as lackluster, at best. Based on the probability that the private sector organizations who were willing to cooperate are likely the same ones already responsibly securing their network-based ICS, more inertia, in the form of incentives is needed.

Incentives are generally an effective approach because they complement the partnership approach put forth in government releases like EO 13636 and are more likely to be supported by private sector organizations than legal or regulatory approaches. To this end, a laissez-faire approach relying upon a shared sense of ethics and a duty to do the right thing is the most virtuous option but the reality is that a technical solution cannot be found for a problem involving human values or morals…or the lack thereof. The U.S. Department of Commerce, as part of its report on incentives for infrastructure owners, has also discussed options to include limitation of legal liability, awarding of federal grants, and preferred procurement status.

Of course, it must be acknowledged that gains achieved through incentives would be difficult to measure, and success would largely depend upon a shared, accepted definition of what a reduced, ICS threat-scape looks like. The necessity for incentive-based action is supported by Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) annual 2015 and 2016 reports, which list 295 sector-based incidents in FY-2015 and 290 in FY-2016 and reflect a decrease in in Critical Manufacturing sector incidents (97 to 63). They also reflect significant increases in Communications sector (13 to 62) and Energy sector (46 to 59) incidents. 

While this indicates an overall quantitative decrease from one fiscal year to the next, it can be argued there is no qualitative increase, since the overall drop is offset by sharp spikes in the increasingly critical sectors of Communications and Energy. This is based on the fact that network or physical intrusions into ICS could lead to the incapacity or destruction and residually result in a debilitating impact, relating to the security and economy of the United States. For these reasons, incentivizing the technical safeguarding and security of ICS is the most advantageous approach for the U.S. Government and likely the only way private sector players will respond. Without the incentive-based approach or the identification of another more effective one, ICS within the U.S. will continue to be at risk into the foreseeable future and beyond.

The document links below contain more detailed information on the topic discussed herein:

Executive Order 13636 Improving Critical Infrastructure Cybersecurity

https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

ICS-CERT Year In Review 2015

https://ics-cert.us-cert.gov/sites/default/files/Annual_Reports/Year_in_Review_FY2015_Final_S508C.pdf

ICS-CERT Year In Review 2016

 https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-    CERT_FactSheet_IR_Pie_Chart_FY2016_S508C.pdf

Remarks by the President in the 2013 State of the Union Address

https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/remarks-president-state-union-address

Discussion and Recommendations to the President on Incentives for Critical Infrastructure Owners and Operators to Join a Voluntary Cybersecurity Program

https://www.ntia.doc.gov/files/ntia/Commerce_Incentives_Discussion_Final.pdf

2013: Partnering for Critical Infrastructure Security and Resilience

https://www.dhs.gov/sites/default/files/publications/NIPP%202013_Partnering%20for%20Critical%20Infrastructure%20Security%20and%20Resilience_508_0.pdf