When critical infrastructure cybersecurity is discussed, there are two main camps of thought:
- The Alarmists: "Industrial Control Systems (ICS) are fragile and easily hacked, we're days away from a 'cyber pearl harbor' or 'cyber 9/11' that takes down the grid and threatens civilization;"
- The Realists: "ICS assets are fragile, but causing meaningful disruption directly of ICS requires first understanding and then abusing the site-specific industrial processes, and this kind of attack is very rare and has limited scope (e.g. Stuxnet, Triton/Trisis, BlackEnergy)."
I have not, however, seen discussion of a third viewpoint:
- The Functional: "ICS assets exist to support functions (fuel distribution, manufacturing, water treatment, etc.), and IT systems support those ICS devices. Simple IT-side cyber operations can disrupt ICS, in turn disrupting the functions that ICS supports."
This third viewpoint is the one I hold, and I believe it is where the main risks to our OT systems lie.
I am not saying that the US should ignore the threat posed by highly sophisticated attacks against OT—those threats are real, and present the gravest risks to critical infrastructure. But I am saying that the US has badly underestimated the threat posed by attackers conducting well-planned but technically unsophisticated attacks against OT.
Let's look at a quick example:
Colonial Pipeline — IT disrupting OT
From all reporting and congressional testimony, Colonial Pipeline's OT (Operational Technology) systems were not technically disrupted and intruders did not interfere with industrial processes or gain access to OT assets.
Nevertheless, the critical mission supported by Colonial's OT assets was disrupted. Intrusion into upstream IT systems (in this case allegedly finance and billing systems) caused disruption of the OT assets.
This was not a case of an adversary seeking to target critical infrastructure by attacking OT assets; yet this 'simple' attack incidentally caused a major disruption in the US. A similarly simple attack, but supported by intelligence and planning, would be able to cause a more significant outage without using more technically complex capabilities.
Preference for the Complex
The US has a deep-seated love of 'sophistication' and complexity as virtues in their own right. (There could be a whole essay on that topic, and I'll likely write one; but in the meantime I'm going to declare it as an assumption. Hopefully it is obvious to you as well, but if you disagree reach out and I'd enjoy discussing with you.)
As a result, when discussing disruption of OT, US thought gravitates toward complex schemes and methods. Additionally, the common allegations that Stuxnet was US-developed, coupled with national pride, have in many circles cemented the idea that only a highly sophisticated actor burning four zero-days, with deep knowledge of the OT processes (and advanced close-access operations), can effectively disrupt an OT system. But that is not the case.
Simple is Strong
OT security professionals are correct when we say that disrupting OT processes and taking down 'the grid' are difficult and unlikely to be successful. However, such discussions frame industrial processes as independent self-contained systems, which is not how they operate in their business context.
Instead, ICS have a slew of dependencies including classic physical (like cooling/HVAC and power) and logical (like communications between OT devices) dependencies, as well as business dependencies (like billing systems, or communications between operators and managers).
Attackers can cause significant impact on the critical functions that OT enables without engaging in sophisticated intrusions that target the processes used by OT. Targeting business processes to prevent asset owners from billing properly, or
Colonial provided a simple example of how a relatively simple intrusion can still impact OT functions. ERCOT and the Texas power outage provide another. Deployment of malware that impeded response during the outage (or during other critical times) could have supported a much larger impact. Through planning and pre-positioning, attackers can use natural events to amplify the impacts of simple attacks.
Yes, hackers on their own are going to have a very difficult time (or will fail at) causing significant disruption to OT by targeting the processes and attacking the assets at layers 2 and below of the Purdue Model, but cyber operations can still critically impact the missions supported by those OT assets without highly sophisticated actions on target.
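One way to make the dependency argument concrete is to model a mission as an AND-of-ORs dependency graph and ask which IT or physical nodes can halt it on their own. This is an added example, not code from the post; the node names and the pipeline graph are constructed, loosely shaped like the Colonial case, where billing sits in the mission's dependency chain.

```python
"""Added example: find non-OT single points of failure for an OT-supported mission."""
from dataclasses import dataclass, field

@dataclass
class Node:
    layer: str                     # "mission", "ot", "it" or "physical"
    # each inner set is an any-of group; the node is up only if every group
    # still has at least one member up (AND of ORs); graph must be acyclic
    requires: list = field(default_factory=list)

def is_up(graph, name, failed):
    """A node is up if it has not failed and all its dependency groups hold."""
    if name in failed:
        return False
    return all(any(is_up(graph, d, failed) for d in group)
               for group in graph[name].requires)

def impacted_missions(graph, failed):
    """Missions that stop when the given nodes are down (any layer)."""
    failed = set(failed)
    return sorted(n for n, node in graph.items()
                  if node.layer == "mission" and not is_up(graph, n, failed))

def single_points_of_failure(graph, layers=("it", "physical")):
    """Non-OT nodes whose loss, alone, halts at least one mission."""
    return {n: impacted_missions(graph, {n}) for n, node in graph.items()
            if node.layer in layers and impacted_missions(graph, {n})}

# Constructed pipeline-operator graph: the fuel mission needs working
# process control (OT), a billing system (IT) and operator communications.
PIPELINE = {
    "fuel_distribution": Node("mission", [{"pipeline_control"}, {"billing"}, {"operator_comms"}]),
    "pipeline_control": Node("ot", [{"plc_network"}, {"control_power"}, {"hvac"}]),
    "plc_network": Node("ot"),
    "control_power": Node("physical"),
    "hvac": Node("physical"),
    "billing": Node("it", [{"erp_server"}]),
    "erp_server": Node("it", [{"corp_ad"}]),
    "corp_email": Node("it", [{"corp_ad"}]),
    "corp_ad": Node("it"),
    "operator_comms": Node("it", [{"corp_email", "radio"}]),   # either channel suffices
    "radio": Node("physical"),
}

if __name__ == "__main__":
    print(impacted_missions(PIPELINE, {"erp_server"}))   # billing outage halts fuel flow
    print(impacted_missions(PIPELINE, {"corp_email"}))   # radio backup keeps comms up
    print(single_points_of_failure(PIPELINE))
```

Run against a real asset inventory, the single_points_of_failure list is the set of IT and physical dependencies that deserve the same availability and monitoring attention as the control network itself.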
Rather than attempting to invent bleeding-edge technologies to improve the security of our OT systems, the best solutions will be simple. Using legislation and regulation to incentivize better software development will drastically reduce the attack surface available to adversaries, requiring incident reporting will produce a better understanding of the scope and scale of operations against OT systems within the US, and government information-sharing with asset owners will aid businesses in improving their defenses using security tools available today.