Fredrik Heiding (PhD Student) wrote the other day:
I am doing a PhD on cyber security in critical infrastructure. Currently I study the security trends for critical infrastructures in Europe, analyzing where it is heading and how it is developing. To strengthen the study I have identified seven general questions, they are general in nature so they can be answered by people in critical positions without revealing sensitive information.
Here are the Questions from Fredrik and Answers from a very senior expert:
This a particularly interesting time in CIP. I come from and IT background and have focused mostly on the cybersecurity of industrial control systems in the past 10 years. This has been a long learning curve for I found that my IT knowledge did not provide enough to understand the engineering and laws of physics that are dominant in the monitor and control of physical processes found in the pumps and compressors on fuel pipelines, treatment of drinking water, routing of trains, and the generation and distribution of electricity. One needs to know the implications and peculiarities between working IT office time and real time to work in this field.
I looked at your questions and will give brief answers. If you wish to further discuss them with me then we can do so offline.
---------------------------------
Question 1:
What concerns for the future do you have regarding cyber security in critical infrastructure?
Answer 1:
How the introduction of increased complexity of systems (systems of systems, adding more sensors, increased connectivity) will be managed without taking away from safety, reliability and performance.
Question 2:
Over the past decade, digital attacks have become more central to the security of critical infrastructure. Do you think the trend will continue to increase or culminate?
Answer 2:
There are some signs that things will get better but at the same time they will get more complicated. Security practitioners need to realize that much more attention is needed where the physical process is taking place and the devices closest to it that are monitoring and controlling it, not where they are being monitored by humans in a remote location or control room. ** One more thing we should not just be focused on „ATTACKS“. We also have to consider unintended actions or accidents. As the complexity of systems and connectivity of devices increases so will the unintended or „why did that happen?“ incidents.***
Question 3:
What relevant research or technological advances do you find most interesting for the future?
Answer 3:
Have to think about this one. It feels we are all trying to keep afloat in a tsunami of technological advances. The ones that worry me the most are the new features which also come with vulnerabilities that need to be addressed before a malicious group decides to exploit them.
Question 4:
Do you see IIoT (Industrial Internet of Things) as an opportunity or a concern, if both, which part is greatest (positive or negative)?
Answer 4:
I see it mostly as a concern (see my earlier answers). I suggest watching a video available on youtube called "Brave New Internet 4.0 " by one of your famous countrymen, Ralph Langner. The questions and concerns he raised in that lecture IMHO have not been addressed.
Question 5:
Do you have plans to, or do you think that you will expand the cyber security department in the coming years?
Answer 5:
I am currently working my out of "mandatory retirement" and am not in position in expand anything (perhaps later this year I will change my answer). If I was in a position of influence at an operator of CI (energy sector for example) I would do my best to set up some support for the senior engineer of the plant. When he sees something unusual going in the operation he should be able assign this problem to an security operation center. Could be at least one person or a small team that understands cyber threats and how they could be applied to the engineering side of the operation. The senior plant engineer has to keep things running and does not have time to stop and investigate something. He needs someone to help him and a ICS SOC could be a good solution is management is willing to spend the money for the positions and training.
Question 6:
Can you share anything about past attacks/intrusion attempts, both successful and unsuccessful attempts are interesting?
Answer 6:
Look at the freely available information on line. Look up Ralph Langer to learn about STUXNET. It happened 10 years ago and this is probably the most analyzed and documented incident we have today that is publicaly available. Much can still be learned for the methods continued to be applied today. In 2014 in Germany your government (BSI) published its yearly report on cyber incidents. There is a section devoted to a cyber attack on a steel mill that had an uncontrolled shutdown and resulted in damage. Look at Triton/Trisis/Hatman incident of 2017 where the safety systems of a petrochemical plant tripped not one but twice. Look for video lectures on this from Dale Pedersons S4 conferences in 2018/2019 (see lecture by Julian Gustmanis and by Schneider Electric)
Question 7:
Has the attitude towards cyber security changed in the last 5 years, why and in which way/
Answer 7:
The attitude is changing and for the better. Much better in the engineering community who have understood how threats from cyberspace can get into their operations. On the other hand as far as government policy makers go they still have a long way to go. Much technical expertise has left government for the private sector leaving some governments blind to some issues. The 3 Little Pigs problem is evident where one thinks one has taken the appropriate measures and build a house of straw or of sticks to protect from the wind and the rain but the possibility of their being a wolf is somehow missed. You would be surprise at how many government policy makers do not know what scada is and yet think they are doing a great job at protecting critical infrastructure.
--------------------------------