By Francis Cianfrocca
I’m a cyber security expert. Have been for years. So are a lot of the people reading this piece.
When you’re an expert conversing with experts, the substance of the conversation is the conventional wisdom. It’s axiomatically the conventional wisdom.
To try to go beyond that, think about people who aren’t cybersecurity experts but who actually know the most about smart machines. For them, the cybersecurity problem pretty much comes down to how do I keep this machine running, without errors or interruptions, without wasting resources, and without injuring people.
And when I talk to these people about security for smart, connected machines, they tell me without hesitation that the key is for the machine not to do anything stupid.
To unpack that: Smart machines need to be designed and operated in accordance with a model that fundamentally precludes unsafe operating modes. This isn’t something that can be guaranteed by network-based security products such as firewalls, or by network strategies such as internal segmentation. Smart machines need to defend themselves.
Two Operating Models for Consideration
That sounds good, and obvious enough. But how difficult is it to do? And is it enough?
At the end of the day, it’s tractable to design machines and devices with constrained operating models that can be analyzed for security. (Super-complex machines such as automobiles are different because they’re actually systems in and of themselves.)
- The network-based security approach says: analyze and control the commands being sent to machines; the telemetry that they generate; and (in the new world of connected smart machines) the environmental information they receive.
- The device-based security approach says: model and define the machines’ allowed operational states so they are never unsafe.
The device-based approach breaks down because what is normal and safe in one machine may be extremely dangerous to the machine sitting next to it. This to me has always seemed the most fruitful ground for well-resourced attacks against cyber-physical systems. The really well-planned and scary attacks are bespoke ones against specific installations, not specific machines.
Implementing Operating Models in Design
It’s possible to design systems according to the model-based approach. I have in fact seen exactly this in many industrial companies, ranging from small operations with only a few dozen plants and a few thousand people, to the largest multinationals.
You will see over and over that plant automation systems have been soundly designed by a few people (sometimes just one), typically mechanical, electrical, or chemical engineers, and run very consistent operating models year after year with only minimal design changes. They are generally designed to accept a wide range of process-control inputs, but not to fundamentally change how they work. And if they’re secured at all, they are secured by isolation, often aggressively enforced by the same people that designed them.
In analyzing these systems, I find very few opportunities for attack, except through rogue commands issued by compromised computers, and through the many rogue devices one finds in these environments.
- The unitary-process model needs to be secured through isolation. The devices will accept rogue commands and do dangerous things otherwise.
- The smart-machine model must be secured through machines which can defend themselves, but remains highly vulnerable to system failures, possibly triggered through malicious action.
The AI-Based Approach
The best approach to secure the latter kind of environment, which encompasses much of what is often called the “Industrial IOT,” is to locally model processes through artificial intelligence to detect operational modes or system behaviors that are outliers.
Although many people have been working on this problem for a number of years now, there are relatively few broad successes.
The AI-based approach needs to discover and respond to system behaviors that are indicative of cyber-attacks (especially recon), as well as to model complex and emergent behavior patterns in systems of systems.
This is fundamentally a bespoke approach, which makes sense because it matches the bespoke nature of the threat.
At a time of increasing geopolitical threats, this approach to making robust our industrial and civil infrastructure is taking on an importance we’ve never seen before. The technology paths toward better solutions are challenging and expensive, but not mysterious. We need to get busy.
Francis Cianfrocca is CEO at Insight Cyber Group.