Carnegie Mellon University

Power lines against a sunset

October 24, 2022

What We Must Do To Protect Critical Industrial Systems From Cyber Attacks

Krista Burns

The following is a highlight of an interview with Authority Magazine. Read the entire article here.

Ransomware attacks have sadly become commonplace and increasingly brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack? In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about what we must do to protect critical industrial systems from cyber attacks. As a part of this series, I had the pleasure of interviewing Craig Miller.

Craig Miller is a respected expert in issues related to energy supply and policy and to the control and operation of the electrical grid, with particular emphasis on grid cyber security. He holds a Ph.D. in Energy System Engineering and has worked in the area since 1975. Computer control systems have been at the core of his work throughout his career, with a focus on architecture and security through the evolution from monolithic systems to modern systems that span geographic, corporate, and legal boundaries. In 1990 he joined the National Rural Electric Cooperative Association (NRECA), which embraces the more than 900 electric cooperatives that serve more than 50% of the U.S. land mass. He became the first Chief Scientist of the organization, leading about $100 million in research and development. On retiring from NRECA, he was invited to join Carnegie Mellon University as a Research Professor. There he continues his grid R&D with a focus on the problem of recovery from cyber attack.

What are the “5 Things We Must Do To Protect Critical Industrial Systems From Cyber Attacks” and why?

  1. Move forward. I do not believe that any organization can say “If I do A, B, and C I will be secure.” The space is too complex and too dynamic and the road to security is too long. Instead, I would favor an approach in which the organization asks itself relentlessly, “How can I become more secure?” Take a step forward, and then another, and then another. Continuous improvement has been the key to corporate success since modern, data-driven management emerged. Consider Six Sigma and similar strategies.
  2. Doubt yourself, then trust yourself. Build a strategy for continuous improvement and then criticize it. Ask for criticism and treasure the person who criticizes thoughtfully. Consider what they say, but ultimately trust yourself to make the decisions, then move forward with confidence and energy.
  3. Pay attention to how things are operating. We must operate under the assumption that the systems we are protecting will be breached someday. How will we know? In the infamous first hack of the Ukrainian grid, the penetration event took place nine months before the malicious actors took down the grid. Could the breach have been detected sooner and, if so, could the damage have been prevented or reduced? I believe in anomaly detection, i.e., looking for system behavior that is abnormal. Anomaly detection has a bad reputation in parts of the security community, but that is mostly related to its application to business systems. Business systems lack the regularity of the operations of industrial control systems. The grid, for example, operates with metronomic regularity. Any disruption should be detected in seconds.
  4. Segment your systems. We should architect our systems so that compromise of one component or subsystem does not propagate. This worked last week in Colorado. The state’s main website was hacked. Within an hour there was a page explaining that the page was down and that users should go to the sites for individual agencies, which were still up. The next morning, the new home page had links to each of the agencies. There was no art — no majestic plains, high desert, or waving fields of grain, but it worked. This was an example of a huge cyber success.
  5. Plan for failure. Many cyber organizations are diligent in protecting systems but fall short when it comes to plans to deal with failure. If (when?) the systems are hacked, the team has to know what to do and who is going to do it. Colorado clearly had a plan and architected their system for resilience.
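As an added illustration of the "metronomic regularity" argument in item 3 (this is not code from the interview, NRECA or CMU), here is a small detector run over a constructed feed of 1 Hz grid-frequency readings. The cadence, the operating band and the sigma threshold are assumed placeholder values; a real deployment would take them from the operator's own telemetry.

```python
"""Cadence-and-envelope anomaly detection for regular ICS telemetry (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Alert:
    t: float       # timestamp of the sample that triggered the alert
    kind: str      # "gap", "band" or "drift"
    detail: str


def detect(samples, cadence=1.0, band=(59.95, 60.05), window=10, k=4.0):
    """Flag abnormal behaviour in (timestamp, value) telemetry. Three cheap checks per sample:
    gap   - next sample arrived later than 1.5 x cadence (a feed that goes quiet is abnormal);
    band  - value left the operator-defined envelope (assumed 59.95-60.05 Hz here);
    drift - value departs from a rolling baseline by more than k sigma while still in band."""
    alerts, history, prev_t = [], [], None
    for t, v in samples:
        if prev_t is not None and t - prev_t > 1.5 * cadence:
            alerts.append(Alert(t, "gap", f"{t - prev_t:.1f}s since last sample"))
        if not band[0] <= v <= band[1]:
            alerts.append(Alert(t, "band", f"{v:.3f} outside {band}"))
        elif len(history) >= window:
            base, sigma = mean(history), pstdev(history)
            if sigma > 0 and abs(v - base) > k * sigma:
                alerts.append(Alert(t, "drift", f"{v:.3f} vs baseline {base:.3f}"))
        history = (history + [v])[-window:]
        prev_t = t
    return alerts


# Constructed feed: 1 Hz samples hovering around 60.000 Hz with tiny alternating noise,
# then a 4-second silence, then a slide out of band starting at t=20.
SAMPLE_FEED = [(t, 60.0 + 0.002 * ((-1) ** t)) for t in range(15)]
SAMPLE_FEED += [(19.0, 60.001), (20.0, 59.93), (21.0, 59.90)]


def detection_latency(alerts, onset):
    """Seconds from anomaly onset to the first alert at or after it (None if never alerted)."""
    later = [a.t for a in alerts if a.t >= onset]
    return min(later) - onset if later else None


if __name__ == "__main__":
    for a in detect(SAMPLE_FEED):
        print(f"t={a.t:5.1f} {a.kind:5s} {a.detail}")
```

The drift check is what catches a slow change that never crosses the static band; on a business system with irregular load it would fire constantly, which is the point the interview makes about where anomaly detection does and does not fit.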