An Apt Excerpt from Countering Cyber Sabotage: on Sabotage, Surveillance and Supply Chain Risk 

Since finalizing the manuscript for our book, Countering Cyber Sabotage: An Introduction to Consequence-driven Cyber-informed Engineering (CCE), two events occurred that would have definitely made it into the book. First, on 1 May 2020, the Trump administration issued an executive order announcing new efforts to better secure the supply chain of the North American Bulk Power System (BPS) or, in shorter form, the grid. Then later in the year, as if on cue, the world learned of Sunburst, the highly elaborate, highly successful cyber attack that leveraged the near ubiquity of the SolarWinds network management and security software suite. This attack began with infiltration of its supply chain and the insertion of a back door that gave the attackers ready access to tens of thousands of companies and government agencies. And that infiltration led to the likely exfiltration of an ocean of sensitive data.

In national security terms, an attack conducted by a nation state or proxies is called espionage, a form of targeted surveillance. However, when the data captured includes source code and access control credentials, it inarguably gets the adversarial state several steps closer to being able to conduct cyber-enabled sabotage. That is, the damage, disruption, or destruction, by digital means, of physical assets that support vital national and economic security functions. Sabotage of critical national and infrastructure assets is what we must not allow to happen. And cyber-enabled sabotage is what CCE was designed to thwart.  

The following is a part of the book’s introduction by me and co-author, INL’s Sarah Freeman, that briefly introduces these topics, and sets the stage for the fuller description of the CCE methodology in later chapters:  

Supply chain insecurity has emerged as one of the biggest concerns on the minds of critical infrastructure defenders in the past few years: the risk that potentially damaging, but for all intents and purposes undetectable, new elements will be included or changes will be made to the software or hardware components used to manage important infrastructure. Sometimes the purpose is mere surveillance, and many have already condoned monitoring of workplace and home life behaviors through products like Facebook and phones, not to mention the entire universe of products prepended with the word “smart”: electric meters, industrial turbines, cars, TVs, home assistants, etc. Somehow we have grown used to mass surveillance in ways, until recently, only Orwell imagined.

At the same time, we seek as much integrity as we can get in the products we trust to support critical business and military functions, and we have ample reason to be paranoid. In spite of this paranoia, almost all complex products, hardware and software, include parts and code made in more than one country [1]. In the arena of cyber protection for the bulk North American power grid, NERC created a new mandatory protection standard forcing electric utilities to examine and actively manage cyber risks in their supply chain [2]. The fictional future-war novel Ghost Fleet does an excellent job illustrating this type of risk, when, as one reviewer noted: “the anti-missile technology on board the F-35, sabotaged by replacement parts, turns the plane’s missile-evasion system into a missile-attraction system.” [3]

Suffice it to say, in the 21st century global economy, it is virtually impossible to build anything more complex than a power drill in one place with high confidence that none of its constituent parts has been touched or modified by a third party. In fact, even a drill may be corrupted if the machines used to fabricate it include software. If they do, and in fact they probably do, tools coming off that assembly line could be altered in ways their owners wouldn’t like one bit. Extrapolate this to the types of systems that make and manage electricity, deliver clean water, run manufacturing plants assembling cars and mixing chemicals, and you see where this is leading with our current approaches to cybersecurity. We now present a better way.

Andy Bochman presented at the 2021 CS4CA World Conference and delved into select details about the book on CCE: Countering Cyber Sabotage. CCE is designed to reduce the mystery of whether your systems are secure enough against top tier cyberattacks. Once put into practice, this methodology helps organizations make sure that the absolute worst things can’t happen by cyber means.
