2020-02 Open Letter to the US Cyberspace Solarium Commission

Optimistic remarks about the US Cyberspace Solarium Commission by Tom Fanning, CEO Southern Company, at the 2019 NERC Grid Security Conference inspired a sense of duty to contribute to the Solarium Commission.

As a professional chemical engineer, with the good fortune of experience from the dawn of digital automation and process control, I am witness to unprecedented betterment of human welfare enabled by such technology.

The insight offered to the Solarium Commission rests on a simple premise: our digital journey as a society is only at its very beginning. The potential advances from automation and technology investment represent not only human prosperity but, likely, a matter of survival. Fortunately, these technology advances will yield economic prosperity that dwarfs the added cost of inherently safer technology.

Policy imperatives, however, need to address the excessively long technology lifecycles, especially for the operational technology that supports critical infrastructure.

Critical infrastructure continues to rely on legacy industrial process control protocols that are 'unsafe at any speed'. Attempts to address this issue have been noble: safer protocols are available, but they tend to fail in the market.

Public and private sector coordination will be needed to effect change. Our national struggle to move away from leaded gasoline involved both regulation and retooling; we should expect much the same kind of approach will be needed to address the entrenchment of insecure-by-design industrial control protocols.

A private sector initiative successfully moved the majority of world-wide web traffic from HTTP to HTTPS; thus, it might be tempting to assume the private sector alone could do the same for industrial control protocols. However, rapid deployment of software updates was a key success factor there, and it is not yet available for most industrial control systems, where the rate of change is dominated by hardware lifecycle characteristics.

CISA's 2019 request to Congress for administrative subpoena authority is symptomatic of the chronic internet exposure of a growing legacy of industrial control systems. Bolder approaches are needed, and in fact vigilante experiments such as the internet chemotherapy project (aka 'BrickerBot') have been observed. While that project was terminated before causing unintended harm, the rash of destructive ransomware infecting all manner of organizations today raises the urgency for a coordinated approach to sunsetting legacy industrial control protocols. A communication traffic ban or liability assignment to US ISP carriers could be considered as an interim priority, but the root cause will persist until there is technological advancement in the industrial control system market.

Incentives are needed to accelerate the sunsetting of unfit industrial control systems before they reach end of useful life. This is a difficult problem for economists and policy makers as well. A 'cash for clunkers' program would likely fail. Models such as the Clean Water Act, which provide incentives for use of best available technology while exposing laggards to liability, seem feasible as a level playing field to drive the 'catch up' investment needed to advance innovation for all operational technology.

Thank you in advance for your consideration. Any follow up you deem appropriate is welcome.

Sincerely,

Bryan S Owen PE

John Livingston

Founder & Chairman Bacbone | Services-to-Software Transition

5y

This question of how to get the private sector to invest in what is both a private benefit as well as a public one needs more thorough research, as you're suggesting, given how much of the nation's infrastructure is in private ownership.

John Livingston

Founder & Chairman Bacbone | Services-to-Software Transition

5y

There is a bit of the negative "theory of the commons" at play. They do offer some suggestions. One short part of the "Conclusion" section reads: "This finding suggests that government’s role should be to provide tax and other incentives to business to encourage spending related to the business’ assets and reserve grants for the protection of more public areas so that total protection increases. In addition, supplementing such incentives with a more aggressive regulatory framework, either directly through legislation or indirectly working with industry associations, may be necessary to inject these issues into the corporate profit function. Such policy initiatives should go a long way toward motivating corporate entities to invest in additional security for their at risk facilities."

John Livingston

Founder & Chairman Bacbone | Services-to-Software Transition

5y

Bryan - very thought-provoking. While I hate the notion of added regulation and agree to some extent with Jake's concern that we get compliance without security, there is actually some research into this question in a paper by James Hayes and Charles Ebinger of the Richmond Fed and Brookings, respectively. They analyzed behaviors of private sector investment into securing the nation's infrastructure. They conclude that (not surprisingly) private sector entities make decisions on a cost-benefit trade off and the potential risk for any one individual company may be low, so security may be "under-invested". See next comment...

Jake Brodsky

SCADA Integration and Security Engineer; My opinions ONLY. Nothing I write is related to any employer past or present.

5y

I think the best thing we can do is to ensure that someone assigns responsibility to the appropriate executives for negative outcomes due to lapses in cybersecurity. I strongly advise against any efforts toward specific technical measures. This leads to the "security through compliance" mind-set. Leave the compliance issues to those who put their signatures on design and operations of the plants. At the end of the day, nobody's going to care who complied with what, if there is a smoking crater where the plant once stood.

I don't expect Modbus to go away in my lifetime.
