Critical infrastructures include electric power, water/wastewater, manufacturing, transportation, chemicals, food, beverage, agriculture, defense industrial base, etc. These sectors depend on control systems to operate and can be substantially impacted if those systems don’t work as designed.
On Tuesday, May 7, 2024, InfraGard will hold an all-day session, “Cyber Defenders: Guardians of Critical Infrastructure,” at the RSA Conference in San Francisco. The InfraGard description states:
“As declared by Executive Order 14028, the United States and U.S. businesses face persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately, the American people’s security and privacy. This one-day seminar will arm cybersecurity professionals and non-technical executives alike with the knowledge, tools and resources to become cyber defenders and protect our nation’s most critical assets. Attendees will: gain an understanding of today’s cyber threat actors with briefings from the FBI Cyber and Counterintelligence Divisions; explore the new landscape of emerging cyber laws and regulations; learn how to incorporate reasonable security into a defensible cyber program; understand the key risks associated with credential management, vendor and supply chain risk management, and vulnerability and patch management; learn how threat actors gain access to networks; hear case studies of cyber-attacks on U.S. critical infrastructure; participate in how-to sessions on building a modern incident response program; and participate as the jury in an innovative mock trial that places a CISO on the stand following a data breach.”
Issues with the seminar agenda for critical infrastructure control systems:
- Executive Order 14028 is good as far as it goes, but it does not fully address the unique issues associated with control systems. The terms SCADA, industrial control systems and cyber-physical systems were not used, and IoT was only addressed for consumer applications.
- Privacy is not a primary concern for control systems, but availability and safety are.
- Control system field devices such as process sensors and actuators typically have no security credentials. In fact, they have no cyber security, authentication or cyber forensics capabilities, nor is there appropriate training for them.
- IT patch management, in the usual sense, is not relevant to control systems and control system field devices for numerous technical and operational reasons.
- Control system incidents are rarely identified as being cyber-related. Consequently, cyber incident response programs are not initiated.
Considering FBI Director Wray has been stating his concerns about the Chinese attacking our critical infrastructures, will the case studies of cyber-attacks on U.S. critical infrastructure address control system cyberattacks? Such attacks include Iranian and Russian cyberattacks on water/wastewater and food and beverage control systems causing physical impacts, Chinese hardware backdoors in large electric transformers to compromise the electric grid, and what may have happened to the Dali container ship in Baltimore that hit the Key Bridge.
These are not data breaches, but control system cyberattacks intended to cause harm. Unfortunately, control system cyber security is not the principal expertise of the FBI or the identified speakers. Perhaps they could expand their set of experts?
Since you can’t protect critical infrastructures when you don’t address the control systems, what are the cyber defenders guarding (beyond the data)?