The world we live in is highly interconnected, increasing the complexity of protecting our infrastructure systems from natural and man-made disruptions. Our daily lives depend on the efficient functioning of cyber-physical systems (CPS); we must not only effectively mitigate risks to these systems, but also enhance resilience. The line between the physical and cyber spaces continues to blur. Today, many of the methods we use to protect our physical assets utilize digital technologies, whether it be electronic locks, biometric access controls, or digital video surveillance. Correspondingly, the digital systems we rely on must have physical security measures in place to protect them from tampering by both internal and external sources.
CIOs and security professionals need to develop an organization-specific strategic plan that identifies how their physical and cyber worlds intersect and interact, to ensure a comprehensive means of protection is in place. This involves fostering collaboration between IT professionals and facility and operations staff to effectively protect against cyber/physical threats. An all-inclusive approach will also aid the resilience of the organization by providing a better understanding of which physical processes rely on cyber means for operations.
CPS are playing an increasingly important role within critical infrastructure assets and systems. While CPS can foster innovation, lower costs, and offer a competitive advantage, cybersecurity risks and attack surfaces increase. Recent events have highlighted the need for an in-depth analysis of the cyber-physical convergence within critical infrastructure.
On June 27, 2017, computers, telephones, point-of-sale machines, and other types of internet-connected devices belonging to several different organizations were taken out of commission around the world. Users of these devices were not immediately aware of it, but they were being impacted by “the most destructive and costly cyber-attack in history.” The source of the issue was an attack on the servers that controlled the software that provided updates for M.E. Doc, a Ukrainian tax software package similar to TurboTax, which is used by citizens of the United States. It is believed the intent of the malicious actors that compromised the M.E. Doc infrastructure was to impact systems within Ukraine; however, the devastation from the attack manifested across the globe. Multinational organizations such as the Danish shipping firm Maersk, logistics company FedEx, pharmaceutical company Merck, and other major corporations were impacted by the attack. These organizations also fell victim because their business networks were connected to systems that were targeted by the attackers.
This cyber-attack on physical systems exemplifies a new and growing threat to critical infrastructure around the world, and the extent and nature of this threat are presently not well understood. Current research provides important insight about critical infrastructure assets and their interdependency, as well as industrial control systems and the cyber threats influencing them. These research efforts now need to be integrated to provide a reliable, measurable, and data-driven model of the threats posed by cyber-attacks on the Nation’s critical physical infrastructure.
The effects of cyber-attacks on critical infrastructure, such as those described above, have traditionally been difficult to identify and visualize. Researchers have started to build capabilities to address relevant components of this challenge: modeling of cyber-exposed components typical of specific classes of infrastructure and establishment of a physical dependency profile for each class of infrastructure. It is vital to integrate these approaches to allow for the analysis of cyber-attacks on various types of critical infrastructure. Linking physical dependency profiles to the cyber-focused model allows for an analysis of what a cyber-attack may mean to downstream infrastructure, providing organizations with the decision support necessary to plan for, respond to, and recover from undesirable events, whether natural or man-made.
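The linkage described above, sketched as an added example (not code from the article or from any tool it names): a map of cyber-exposed components per asset is joined to a physical dependency profile, and a breadth-first walk reports which downstream assets lose a supplier. All asset and component names are constructed, and any lost supplier is treated as a full outage (worst case).

```python
from collections import deque

# Constructed sample data: cyber-exposed components each asset relies on.
CYBER_EXPOSURE = {
    "substation": {"scada_server", "protection_relay"},
    "water_plant": {"plc_chlorination", "historian"},
    "hospital": {"building_mgmt_system"},
}

# Constructed physical dependency profile: asset -> assets it depends on.
DEPENDS_ON = {
    "substation": set(),
    "water_plant": {"substation"},
    "hospital": {"substation", "water_plant"},
    "data_center": {"substation", "water_plant"},
    "port_terminal": {"data_center"},
}

def downstream_impact(compromised, exposure=CYBER_EXPOSURE, depends_on=DEPENDS_ON):
    """Map each affected asset to (hops from the cyber event, upstream asset).

    Hop 0 means the asset itself runs a compromised component; its upstream
    entry is None. Higher hops are physical knock-on effects.
    """
    compromised = set(compromised)
    # Invert the profile: supplier -> assets that rely on it.
    dependents = {}
    for asset, suppliers in depends_on.items():
        for supplier in suppliers:
            dependents.setdefault(supplier, set()).add(asset)

    impact, queue = {}, deque()
    for asset in sorted(exposure):
        if exposure[asset] & compromised:
            impact[asset] = (0, None)
            queue.append(asset)

    while queue:
        current = queue.popleft()
        hops = impact[current][0]
        for nxt in sorted(dependents.get(current, ())):
            if nxt not in impact:  # first (shortest) path wins; also stops cycles
                impact[nxt] = (hops + 1, current)
                queue.append(nxt)
    return impact

if __name__ == "__main__":
    result = downstream_impact({"scada_server"})
    for asset, (hops, via) in sorted(result.items(), key=lambda kv: kv[1][0]):
        print(f"{asset}: hop {hops}, via {via or 'direct cyber exposure'}")
```

Sorting the output by hop count gives a rough priority order for response planning: hop-0 assets need cyber containment, while higher hops need physical contingency such as backup power or alternate supply.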
Idaho National Laboratory (INL) researchers have been working diligently to develop solutions for the security challenges facing CPS. INL’s Resilience Optimization Center (IROC) leverages cyberterrorist and hacker methods to help organizations protect themselves, their businesses, and their stakeholders. INL works collaboratively to develop mitigation techniques and tools, supported by a vast infrastructure test range, to reduce cyber vulnerabilities found in many of the Nation’s critical infrastructure systems. In addition, INL’s All Hazards Analysis (AHA) framework provides a methodology for identifying how infrastructures are connected, as well as associating physical and cyber assets to functional business processes. INL’s Component Analysis for Industrial Control Systems research area examines the potential vulnerabilities within the hardware and software components incorporated into industrial-control and operational-technology systems.
Our world will continue to become more connected through CPS as these systems allow us to carry out our way of life in more convenient, connected ways. Researchers continue to develop strategies and solutions to mitigate risks and enhance resilience of CPS to protect the Nation’s infrastructure. Through more informed decision-making and increased implementation of state-of-the-art solutions, we can better protect the critical infrastructure that relies on CPS and reduce operational impacts.