Cybersecurity Risk Assessment Matrix (CRAM): A System-Theoretic Approach to Balancing Operational and Cybersecurity Risk in the Management of Transient Cyber Assets (TCA) in the Maintenance of Operational Technology (OT)


Bibliographic Details
Main author: Nurthen II, John Michael
Other authors: Madnick, Stuart
Format: Thesis
Published: Massachusetts Institute of Technology 2023
Online access: https://hdl.handle.net/1721.1/152760
Description
Summary: Less than 10 years ago, cyber security of critical infrastructure was a topic of interest in various circles of focused technical subject matter expertise. Today, it has become a mainstream topic of discussion, all too often highlighted by large-scale incidents with global visibility and impact such as Stuxnet, Triton, the Colonial Pipeline, or the multiple Russian cyber-attacks on Ukraine. Highlighted by President Joe Biden’s Executive Order on Improving the Nation’s Cybersecurity, issued 12 May 2021, and solidified in the March 3rd 2023 release of the brand new National Cybersecurity Strategy, deliberate action and improvement have been demanded at the highest levels of the Federal Government. Although the digital revolution has established its presence in the automation, oversight, and management of critical facilities and utility systems, the knowledge gap between the management of the mechanical and digital platforms remains significant. This exposes a critical vulnerability in the oversight of electromechanical processes such as those used to control utility systems, machinery, and industrial processing, often referred to as Operational Technology (OT). OT, by way of delivering its fundamental value amongst the systems and environments in which it operates, demands both routine and non-routine maintenance and repair. Increasingly often, the required maintenance/repair cannot proceed without the introduction and use of an electronic device (e.g. to run diagnostics, troubleshoot error codes, update OT firmware/software, test and balance, etc.). While not a ubiquitous term amongst all infrastructure industries, the North American Electric Reliability Corporation (NERC) defines the electronic device in this scenario as a Transient Cyber Asset (TCA). The introduction of a TCA to the FRCS/OT ecosystem is a well-known and significant threat vector.
In this scenario, there are multiple actions that can be taken to mitigate the cybersecurity risk introduced by the TCA, but the solution is entirely dependent on the time, resources, and capabilities available in that specific location. Increasingly often, the electronic device required for the maintenance/repair is untrusted and operated by a technician focused on the operational need of the maintenance/repair. Notably, this scenario requires a field-level decision to be made by a non-IT professional (e.g. a Facility Manager) who must consider the tradeoff between the operational need of the maintenance/repair and the cybersecurity risk associated with the use of the untrusted device. Through literature review and subject matter expert interviews in conjunction with the Department of Defense, MIT Lincoln Laboratories, Cyber Security at MIT Sloan (CAMS), and private industry, this thesis offers an attempt at providing a repeatable, tailorable, risk-based decision framework, referred to as CRAM (Cybersecurity Risk Assessment Matrix), that incorporates both the cybersecurity risk and the operational risk associated with a given maintenance/repair scenario, in an effort to provide facility managers in the field with a reliable tool to assist in the timely assessment and risk mitigation of day-to-day operations and maintenance conducted by outside contractors with untrusted electronics. This thesis aims to provide a rudimentary framework to aid in determining how much risk is acceptable in order to maintain operations, and how decision makers in this space can make sensible, informed, Cybersafe decisions on a routine basis.