Anybody who has been at all
involved in cybersecurity for the US electric power industry for more than just
the last two years knows who Tim Roxey is – and if you don’t know (or you’d
like an update on things you didn’t know about Tim – which includes me), see
his bio at the end of this post.
Today I received this email from
Tim, regarding the post I put up yesterday. He agreed to let me publish it. He’s
adding some real perspective on my assertion (which I admit I’m revising now)
that our definition of critical infrastructure needs to be expanded to include much
more than asset owners in what are traditionally called CI industries – e.g.
electric power, oil & gas, etc. It especially needs to include the
providers of software and services whose compromise might lead to serious
consequences – which could never be adequately redressed through purely legal
means – to important government agencies (including agencies involved with
national security) and CI industries.
It is refreshing to see the folks
are opening up to some concepts like those you mention here. Although I'm in my
retirement years, I do still have interests in this issue.
Many years ago, having been
involved in many exercises and actual incident responses, I realized that the
concept of "what is important" or even "Risk" was not well
understood. As automation swept through the industrial control surfaces of the
BPS, several trite phrases came to my mind. For instance, if some automation is
good, more is likely better, and if more is better, then too much is not enough.
But specific to this issue is realizing that societally
significant dependencies were not a thing when these industrial systems were
developed.
I made a statement to Mikey (Assante) while working on the
first draft of the NIPP (National Infrastructure Protection Plan) that this
CIKR (Critical Infrastructure and Key Resources) stuff we were struggling to
craft defenses for was far more significant than the owners and operators
sometimes realized.
Imagine the owner's surprise when they learned of a
significant defense critical dependency (DCEI – Defense Critical Energy
Infrastructure) for their system. Imagine the surprise when an electricity
sector owner/operator (AOO – Asset Owner/Operator) learned of some load put
onto the grid by a new commercial development adding in a hospital complex
(sector-sector interdependencies).
Now imagine the surprise on the adversary’s face as they read that Colonial had shutdown their entire pipeline. HC BFFs we only wanted money.
There were just so many more of these examples that we used
the expression: “No one ever told us that all of this would be critical
infrastructure, or we would have built it differently.”
Today we have advanced adversaries, exploiting the seams in
our systems that we don't even know exist (critical interdependencies), using
capabilities only dreamt of in nightmares (for example, an AI-assisted
attack).
So I do stick to my sentiment - "Had we known then
how dependent our society would become on {Insert Thingy} today; we would have
designed {Inserted Thingy} differently." Or words to that effect.
Complexity, which was once fun, has become our collective nemesis.
Tim’s Bio:
Mr. Roxey has 30 years of nuclear industry experience and
over 50 years of computer-related experience. Tim was formerly VP and Chief
Security Officer of NERC, and Senior Director of the E-ISAC.
Following each attack against the Ukrainian power systems,
Tim spent time in-country, deconstructing physical and cyber-attacks against
the Ukrainian electrical grid as part of a public-private sector response team.
As part of Tim's fifth trip in-country, The US Embassy in Kyiv asked Mr. Roxey
to present his findings and recommendations to the Ukrainian Parliament (their
RADA).
As President of Eclectic Technologies, Tim helps advance
Grid security by designing simplified, physics-based attack surface disrupters
such as the one recently marketed for defense against an asynchronous attack
(Aurora is the example). One US-based utility is presently deploying these
devices.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
No comments:
Post a Comment