First on TWITTER® from Aristotle Tzafalias - “Know of any non ‘Cyber dependent’ (as defined in prev) CI?”
And then on my blog from an anonymous reader - “Any thoughts on what sectors (and
representative companies) make up the greatest representation?”
Both are important questions for homeland security reasons
and I won’t be able to answer either definitively because DHS will not be
disclosing either their list of ‘Critical Infrastructure’ facilities or of
their ‘Cyber Dependent Critical Infrastructure’ (CDCI) facilities for security
reasons. That won’t, of course, stop me from offering my thoughts on the
matter.
Critical Infrastructure
There are a number of variations of the basic definition of ‘critical
infrastructure’ that are in current use. To make things easy let’s stick with
the one found in §2 of the President’s executive order on Improving Critical
Infrastructure Cybersecurity (EO 13636):
“As used in this order, the term
critical infrastructure means systems and assets, whether physical or virtual,
so vital to the United States that the incapacity or destruction of such
systems and assets would have a debilitating impact on security, national
economic security, national public health or safety, or any combination of those
matters.”
With the large number of undefined terms in that sentence it
is obvious that there is a wide leeway for determining what is or is not ‘critical
infrastructure’. In the narrowest sense I can think of only a single entity,
the New York Stock Exchange, whose incapacity or destruction would have a
debilitating effect on national economic security.
If we look at ‘systems’ however, there is a much wider
variety of systems that would fit the bill. These could include the electric
grid, fuel distribution systems, and communications systems. In fact, the
President has identified 16 critical infrastructure sectors of the economy
that would meet a broad definition of critical infrastructure. Again, it is
hard to imagine that the failure of any single entity within those sectors
would meet the definition of critical infrastructure by itself, but a
limited number of individual failures within a sector could certainly have
debilitating effects on the national economy or security.
I think that a reasonable supposition about how DHS has gone
about determining which facilities are to be considered critical infrastructure
would be those facilities that, if more than a couple failed at about the same
time, there would be debilitating consequences for the national security or
national economy. I think that most reasonable people would agree that this
type of methodology would be the most usable way of designating critical
infrastructure.
Cyber Dependent Critical Infrastructure
Aristotle raised an interesting question in his TWEET®; in
today’s age isn’t everyone ‘cyber dependent’? To a certain extent this is true,
but some sectors rely on cyber-systems more heavily than others. The
‘Information Technology Sector’ certainly relies more on their computers than
does the ‘Dams Sector’, but no sector could
long survive with their various electronic systems not functioning.
Using the broadest interpretation of the definition
provided in yesterday’s Federal Register notice I would be hard pressed to
think of any organization that would not be considered ‘cyber dependent’. And if
DHS used that broad sweep to include all critical infrastructure, then the
whole point of the exercise was lost.
Section 9(a) of the EO required DHS to “use a risk-based approach to identify
critical infrastructure where a cybersecurity incident could reasonably
result in catastrophic regional or national effects on public
health or safety, economic security, or national security” [emphasis added].
So, instead of a complete loss of computer systems, DHS
should have been looking at more limited incidents at these facilities that
could result in ‘catastrophic’ effects. To be sure this would be a much more
difficult standard to parse as DHS does not have a lot of internal information
about most of these organizations and their systems. And again, even
considering potential regional effects, there are very few facilities where a
single cyber incident would cause catastrophic effects, so we should clearly
expect that DHS would consider facilities where just a few related facilities
affected by similar and concurrent attacks would cause catastrophic effects.
Now in my opinion, you are looking at just three types of
facilities: the national stock exchanges, the electrical distribution system
and fuel distribution pipelines. The remaining sectors have too much redundancy
to be catastrophically disrupted by any reasonable set of cyber incidents.
There could be economic disruptions in all sectors, but few that would even
approach catastrophic on a regional or national basis.
Chemical Catastrophes
It might seem strange that I do not include the chemical
sector or at least chemical facilities storing large quantities of toxic
inhalation hazard (TIH) chemicals in the list of cyber dependent critical infrastructure.
After all, we continue to hear organizations like Greenpeace insist that a catastrophic
release at many of these facilities could result in deaths of hundreds of
thousands of people. Wouldn’t that be a catastrophe on a regional or national scale?
It certainly would, but I would have a hard time positing a
reasonable cyber incident that would result in a catastrophic release of one of
these chemicals. A release, yes; even a release that resulted in off-site
casualties, certainly. But not a catastrophic release of the scale discussed by
these organizations (and, to be fair, by me here in this blog); that would take a
failure of the physical structure of the tank. A cyber incident could, at most,
result in a valve being opened to the atmosphere that would take dozens of
hours to release the total contents to the atmosphere. Long before that
happened, manual efforts to close the line would be successful.
What about water system contaminations like we saw in
Charleston, WV? While the Freedom Spill was certainly disruptive, even severely
disruptive, to the lives of the folks that live in that area, it was hardly a
catastrophe. But let’s assume that the definition of ‘catastrophe’ was wide enough
to encompass that scale of disruption. I would be hard pressed to define a ‘reasonable’
cyber incident that would cause that type of problem. You would have to find an
upstream facility that held a chemical that would not be removed by the municipal
water treatment facility and find a way to electronically release that chemical
in a way that bypassed existing secondary containment. You could not have done
it at Freedom Industries; their tank valves were all manually operated.
There may certainly be facilities where this could be done.
Identifying them would be very difficult for DHS and nearly impossible for
anyone else but an insider. I’m certainly not saying that DHS or EPA shouldn’t
be looking at this, but it wouldn’t be part of the cybersecurity program; at
least not initially.
What Has Actually Been Done?
So that is my take on the limitations of the cyber dependent
critical infrastructure designations covered by this notice. How closely does
that track with reality? I haven’t the foggiest idea; DHS is keeping this
information fairly closely held; they certainly are not discussing it with me.
I would guess that they are using a wider set of criteria
than those that I have described above. There is a certain bureaucratic
incentive to broadly define the problem. The more facilities that are
designated CDCI the more responsibility that DHS has for their oversight and
assistance. So I would guess they include many more, and different types of,
facilities than I have described. Which ones and how many? I just have no way
of knowing.