You’re Not Imagining It: Civilization is Flickering, Part 2

Posted on by Michael Assante


Keeping to the Middle Ground 

At the end of the day, I possess a healthy skepticism when anyone tells me they are 100% sure one way or the other: that the grid could go down and stay down any minute, or that we’ve got it under control and even the most capable cyber adversaries can’t do substantial, sustained harm. We should focus on the series of problems that have arisen from the evidence at hand.

We are aware of multiple actors that possess both the experience and resources necessary to target and compromise energy systems. It is clear they are working to carry out a series of goals and have developed appreciable capabilities. Complex interconnected cyber systems dwell in a perpetual state of unknown integrity. Intrusions into one part of a larger, highly networked system-of-systems may remain isolated or may have expanded into other parts of the network or system. What we do know is that we are at a point where a number of actors are interested in achieving and developing, at a minimum, persistent, reliable access. Arguing against that point is difficult because 1) we know we are unable to detect all intrusions; 2) we lack the ability to prove (to ourselves and others) that a system has not been compromised; and 3) it is almost impossible to contain a compromise that one doesn’t even detect. Hence, these actors must be taken extremely seriously.

But it’s important to remember that would-be attackers face some extraordinary constraints. First there’s the possibility of miscalculation, of launching a targeted attack with less than full knowledge of the defenses in place. There are some things, like the out-of-band, non-digital measures advocated by former Navy Secretary Richard Danzig in his seminal paper “Surviving on a Diet of Poison Fruit,” or the Consequence-driven, Cyber-informed Engineering (CCE) methodology I pioneered with colleagues at the Idaho National Lab, that are proving their worth in the field. Then there is the possibility, if not the likelihood, of drawing an overwhelming counterattack, one that includes, but isn’t necessarily limited to, cyber means (e.g., think economic, kinetic or both). One doesn’t have to look much beyond Stuxnet to appreciate that, ten years later, the US possesses extraordinary offensive capabilities. With the current administration’s stronger cyber war policies, no attacker, be they nation state, terrorist organization or international crime syndicate, can do much beyond stealthy surveillance without fear of significant reprisal.

I advise doomsayers and those who doubt them to keep all of the above in mind and consider recalibrating their positions. All of us most likely agree that enough concern exists to explore how to address the possibility of cyber induced power outages. We must also take an honest look at our current capacity to deal with power system events that will look and behave very differently than the ones we’ve had experience with until now. What works for storm restoration or a mechanical failure will not be adequate to get us through a cyber attack that is prolonged, multi-faceted, widespread, or timed to coincide with a major storm event, much less one that has all four of these characteristics. Few in government or industry believe we have effective playbooks or equally distributed capabilities to mount effective active defenses in the face of some future cyber campaign to defeat power systems.  

Finally, it is unconscionable to debate without action. Countries and communities rely upon energy to support our modern way of life. A nation, committed by social contract to protecting its economy and its citizens, cannot simply allow another nation or group to hold essential lifeline infrastructures at risk. Instead, we must work to deter threat actors, manage the risks associated with infrastructure disruptions, and develop/test effective responses to failures. It is time to stop debating the threat or incident of the day and work toward more fully understanding the problems we face, and developing and broadly deploying solutions -- however imperfect -- to minimize potential consequences and quickly return systems to a normal reliable functioning state.  

This will require more and sustained investment by government and industry.  It will demand developing dynamic defenses, training skilled defenders and understanding how to leverage capabilities across industry and government lines to investigate and respond to successful intrusions or attacks. We must increase our competence and collective confidence by developing viable options that embrace and address the true nature of cyber and our civilizational dependence on cyber systems. Before we automate much more or put the fate of our grid and our civilization in the hands of AI, and before we stockpile torches and kerosene, it’s time to reassert control. Or you could say, develop plans and capabilities to make control more of a reality and less an illusion.

Michael Assante

Director of Industrials and Infrastructure, Lead for the ICS Curriculum, SANS Institute

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
