Gregory L. Garcia, Deputy CIO/G6, HQ Department of Army
Not bad for a Friday Morning
For many of us, our cyber key performance indicators are filled with detailed analysis of key information technology (IT) metrics on capabilities, processes, and personnel. Though not perfect, many of us are feeling pretty confident that we might, just might, have this cyber risk thing understood and acted upon.
Reviewing your monthly list of cyber incidents with all the trends headed in the right direction, you muse, “Not bad for a Friday morning. Maybe I will actually leave on time today.”
It’s just then you realize, “That’s odd, it sure is hot in this office—what in world is wrong with the air conditioning?” Just hidden to the left of the room is a remote thermostat. “Current temperature is 86°, set on 99°”. That’s crazy. Your chief of the cyber desk crashes in. She looks straight past you and then closes her eyes. “We’ve been hacked! They got in through the HVAC. They have shut down the water supply to our critical manufacturing plant and locked out our headquarters A/C. They want money!”
“Wait, what?” You rush back to your desk pulling up key performance indicators report scanning down to the last section–“Cyber security of Control Systems: Metrics TBD.” The phone rings. “It’s the Chairman,” your executive assistant reveals. Sullen, you look down, “Great! There goes Friday, Saturday, and Sunday.”
Accelerator or Acicula
For many of us, we take for granted the building, factories, and utilities that just simply “operate” and assume the control systems which operate them are protected and secure. What we may have missed is the precipitous rise in operational technology’s rapid acceleration to be “smartified” to address the connected world expectations of ease and efficiency of use. The growing world of Operational Technology (OT) and “Industry Internet of Things” (IIOT) has certainly complicated the adaption, use, modification, and design of control systems. For many, legacy and emerging operational control systems have become a pointy, prickly part of the problem set that may actually hurt, not help, the business or the mission. In my assessment, the control systems’ cyber threat is going to increase exponentially putting mission and businesses at real operational and financial risk. For CIOs, there has to be a renewed focus to understand your organization’s posture, exposure and action plan to both champion the power of IIOT and protect your ability to operate and perform.
The Control Systems’ cyber threat is going to increase exponentially putting missions and businesses at significant operational and financial risk.
There are many people who have opinions on whether OT and IT are the same or different. I have peers that believe OT and the resulting cyber aspects are just a sub skill that IT can “pick up.” In my experience, even as control systems are becoming more comparable to traditional or emerging IT systems, there persists a set of critical, important differences that must be recognized and addressed. OT does not equal IT. Portions may seem like standard IT, but there are distinctive processes, architecture, and knowledge, skills, and ability requirements that are different. As the CIO, it is critical to partner with the function/mission executers to understand the unique and often complex aspects of the operational technology and its relation organizational performance. You must ensure people, processes, and policy are aligned and equipped with the unique skills that OT control systems require. For our organization, we established unique centers of excellence specialized in securing critical infrastructure control systems and ensuring cyber-secure construction processes are in place in order to build the specific policy, processes, and personnel to address and administer cybersecurity throughout the life cycle of OT from planning through operation to phase out.
What is your risk?
For us, the aggressive adoption of the National Institute of Standards and Technology and the adapted Risk Management Framework with insights from the DHS ICS-CERT work within our organization were the key tenets of our robust program. This framework and the resulting Unified Facilities Control guides and specifications give us meaningful policies, patois, and processes that can be applied to many functional types like security, logistics, medical, or safety control systems. It allows the basis for understanding, allocating, addressing, and monitoring one’s operations, the control systems that support that mission, and the elements to assess and classify risk to your business and operations. We were able to make “assess only” and “assess and authorize” decisions with clear documented processes.
An additional initial step all CIOs must take is to understand your current risk. What do you have, and what specific functions are these systems supporting? I was speaking at oil and gas cyber security summit a few months back and asked the audience of about 150 individuals in the control systems business, “How many of you know, with high fidelity, the actual inventory and types of control systems operating in your company’s facilities and buildings?”
The result, not a lot of hands went up. The critical steps are a) inventory, b) categorize, and c) prioritize. For our organization, the team developed specific criteria to document the baseline of systems. It is important to know what you have, how it is operated, and what most critical to your business/mission to address first.
For systems that are yet to be in operation, there are several great references on how to weave cyber security in the planning, design, construction, restoration, and modernization. The “Whole Building Design Guide” is a great website to review the process, guides, and specifications that are essential in fielding defendable solutions. The bottom line: you must address cyber as an element from the start with involvement of the architect, engineer, systems integrator and operators of the target capability. For in-work projects, careful analysis is warranted to interject specific cyber assessments before allowing the project to finish. Where possible, define key artifacts for each phase of the project in the areas of basis of design, concept design, design development, pre-final and final design submittals. Waiting until final completion is risky and expensive.
Cyber Design Considerations:
I have always been told, “It’s not if you will get compromised, it’s when will you get compromised.” That adage seems to hold true in today’s evolving IIOT approaches. Key design requirements include: a) design to minimize failure, b) design to manage failure, c) design out standard or shared IT functions, and d) design on the theory of closed restricted networks first (no remote access). I recently embraced the notion of back up “manual controls” for the most critical infrastructure operational systems. I have the vision of the old war movie where the navigator crawls down into the belly of the plane and hand-cranks the landing gear down just in time for the crippled aircraft to land. Some days, I sure have wished for that manual crank.
Workforce/Process/Resources and CULTURE:
To be successful, an organization must also specifically allocate people and resources to OT cyber. Is sounds simple, but for many organizations, the approach is “other duties as assigned” task with the challenge to “just stretch your existing dollars”. Ultimately, this will not bring success. Moreover, you must foster a cultural change. As the Authorizing Official, we made sure whenever we talk key performance indicators, we also talk Control Systems right along with our traditional network/IT security forums with the added dimension of compliance does NOT equal security. We apply a mission versus risk calculus to inform and frame discussions.
In the end, your mission, business, profit, loss, failure, success depends on operations. When it comes to ensuring critical infrastructure protection, your attention and preparedness and commitment to OT and your control systems cyber posture determines how your organization moves forward, or not.