Friday, April 18, 2014

Reader Questions – CSF Notifications

Yesterday I had two interesting questions posed to me about my post on the DHS designations of cyber dependent critical infrastructure.

First on TWITTER® from Aristotle Tzafalias - “Know of any non ‘Cyber dependent’ (as defined in prev) CI?”

And then on my blog from an anonymous reader - “Any thoughts on what sectors (and representative companies) make up the greatest representation?”

Both are important questions for homeland security reasons and I won’t be able to answer either definitively because DHS will not be disclosing either their list of ‘Critical Infrastructure’ facilities or their list of ‘Cyber Dependent Critical Infrastructure’ (CDCI) facilities for security reasons. That won’t, of course, stop me from offering my thoughts on the matter.

Critical Infrastructure

There are a number of variations of the basic definition of ‘critical infrastructure’ that are in current use. To make things easy let’s stick with the one found in §2 of the President’s executive order on Improving Critical Infrastructure Cybersecurity (EO 13636):

“As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

With the large number of undefined terms in that sentence it is obvious that there is wide leeway for determining what is or is not ‘critical infrastructure’. In the narrowest sense I can think of only a single entity, the New York Stock Exchange, whose incapacity or destruction would have a debilitating effect on national economic security.

If we look at ‘systems’, however, there is a much wider variety of systems that would fit the bill. These could include the electric grid, fuel distribution systems and communications systems. In fact, the President has identified 16 critical infrastructure sectors of the economy that would meet a broad definition of critical infrastructure. Again, it is hard to imagine that the failure of any single entity within those sectors would meet the definition of critical infrastructure by itself, but a limited number of individual failures within a sector could certainly have debilitating effects on the national economy or security.

I think that a reasonable supposition about how DHS has gone about determining which facilities are to be considered critical infrastructure would be that it designates those facilities where, if more than a couple failed at about the same time, there would be debilitating consequences for the national security or national economy. I think that most reasonable people would agree that this type of methodology would be the most usable way of designating critical infrastructure.

Cyber Dependent Critical Infrastructure

Aristotle raised an interesting question in his TWEET®: in today’s age isn’t everyone ‘cyber dependent’? To a certain extent this is true, but some sectors rely on cyber-systems more heavily than others. The ‘Information Technology Sector’ certainly relies more on its computers than does the ‘Dams Sector’, but no sector could long survive with its various electronic systems not functioning.

Using the broadest interpretation of the definition provided in yesterday’s Federal Register notice I would be hard pressed to think of any organization that would not be considered ‘cyber dependent’. And if DHS used that broad sweep to include all critical infrastructure, then the whole point of the exercise was lost. Section 9(a) of the EO required DHS to “use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security” [emphasis added].

So, instead of a complete loss of computer systems, DHS should have been looking at more limited incidents at these facilities that could result in ‘catastrophic’ effects. To be sure, this would be a much more difficult standard to parse, as DHS does not have a lot of internal information about most of these organizations and their systems. And again, even considering potential regional effects, there are very few facilities where a single cyber incident would cause catastrophic effects, so we should clearly expect that DHS would consider facilities where similar and concurrent attacks on just a few related facilities would cause catastrophic effects.

Now, in my opinion, you are looking at just three types of facilities: the national stock exchanges, the electrical distribution system and fuel distribution pipelines. The remaining sectors have too much redundancy to be catastrophically disrupted by any reasonable set of cyber incidents. There could be economic disruptions in all sectors, but few that would even approach catastrophic on a regional or national basis.

Chemical Catastrophes

It might seem strange that I do not include the chemical sector, or at least chemical facilities storing large quantities of toxic inhalation hazard (TIH) chemicals, in the list of cyber dependent critical infrastructure. After all, we continue to hear organizations like Greenpeace insist that a catastrophic release at many of these facilities could result in deaths of hundreds of thousands of people. Wouldn’t that be a catastrophe on a regional or national scale?

It certainly would, but I would have a hard time positing a reasonable cyber incident that would result in a catastrophic release of one of these chemicals. A release, yes; even a release that resulted in off-site casualties, certainly. But not a catastrophic release of the scale discussed by these organizations (and, to be fair, by me here in this blog); that would take a failure of the physical structure of the tank. A cyber incident could, at most, result in a valve being opened to the atmosphere that would take dozens of hours to release the total contents to the atmosphere. Long before that happened, manual efforts to close the line would be successful.

What about water system contaminations like we saw in Charleston, WV? While the Freedom Spill was certainly disruptive, even severely disruptive, to the lives of the folks that live in that area, it was hardly a catastrophe. But let’s assume that the definition of ‘catastrophe’ was wide enough to encompass that scale of disruption. I would be hard pressed to define a ‘reasonable’ cyber incident that would cause that type of problem. You would have to find an upstream facility that held a chemical that would not be removed by the municipal water treatment facility and find a way to electronically release that chemical in a way that bypassed existing secondary containment. You could not have done it at Freedom Industries; their tank valves were all manually operated.

There may certainly be facilities where this could be done. Identifying them would be very difficult for DHS and nearly impossible for anyone else but an insider. I’m certainly not saying that DHS or EPA shouldn’t be looking at this, but it wouldn’t be part of the cybersecurity program; at least not initially.

What Has Actually Been Done?

So that is my take on the limitations of the cyber dependent critical infrastructure designations covered by this notice. How closely does that track with reality? I haven’t the foggiest idea; DHS is keeping this information fairly closely held, and they certainly are not discussing it with me.

I would guess that they are using a wider set of criteria than those that I have described above. There is a certain bureaucratic incentive to broadly define the problem. The more facilities that are designated CDCI, the more responsibility DHS has for their oversight and assistance. So I would guess they include many more, and different types of, facilities than I have described. Which ones and how many? I just have no way of knowing.

