The latest cybersecurity report to land on the President’s desk is a significant and necessary deviation from the norm of the last two decades. It urges practitioners and decision makers to get off the hamster wheel of basing the resilience of cyber-physical systems—systems operating in industries like water, electricity, finance, communications, and healthcare at the core of the critical services that underpin our lives—on a reactive strategy of simply finding and patching vulnerabilities, and instead to devote more effort to preventing their introduction in the first place.
Consistent with the work of the 2019-2020 Cyberspace Solarium Commission and the 2023 US National Cybersecurity Strategy, the President’s Council of Advisors on Science and Technology (PCAST)’s February 2024 “Report to the President: Strategy for Cyber-Physical Resilience: Fortifying Our Critical Infrastructure for a Digital World,” reaffirms that cyber-resilience-by-design should be the standard and urges a coalition of government leaders and private sector critical infrastructure asset owners and operators to refocus their energies to build resilient cyber-physical systems (CPS) that are designed to withstand attack.
Given the pacing threat of a growing body of cyber threat actors, it is past time that this approach is codified and, more importantly, widely adopted.
In turn, it’s also time we concede that attacks are inevitable and that a broad array of criminal and rogue state actors are already focused on holding our electricity, communications, water, healthcare, and manufacturing networks at risk. Time and again foreign APT entities such as Volt Typhoon have demonstrated the porous nature of some critical infrastructure networks—many of which are privately owned in the United States. And more worrying, those threat actors are moving beyond espionage and appear intent on disrupting and manipulating cyber-physical systems and threatening the availability of services at the core of our safety and economic prosperity.
The PCAST report acknowledges that the status quo isn’t working. Lacking built-in cyber resilience, we simply cannot keep up with the volume of vulnerabilities and still meet the business and cultural demands for new technologies that enhance our ability to innovate and compete globally.
So how do we break this cycle of trying to become resilient to threats, and shake off the foundational practices of “react-and-patch” of cybersecurity programs that have been in place since the early 2000s?
First, it’s important to understand that cyber-physical systems differ from traditional IT servers, clients, and endpoints. CPS integrates computing with physical processes that are narrowly focused on the achievement of some specific function, and uses sensors, robotics, and networking technologies for process control. Everything from industrial control systems, to healthcare monitoring systems, and smart factories integrate cyber-physical systems to improve and deliver services.
Many of these environments cannot—and do not—tolerate downtime. Any disruption may impede service delivery, which is likely the overriding key performance indicator (KPI) that matters in these areas. Designers and practitioners of the resulting operational technology (OT) understand this dynamic and don’t typically patch systems like their IT counterparts on a regular cadence. They often see cybersecurity as an unwelcome disruption to the continuous delivery of critical functions, even going so far as to argue that there haven’t been enough real-world attacks to merit a paradigm shift.
Importantly, the PCAST report makes the case that building in cyber-physical resilience is the best way forward for both security and optimal system performance. Taken in this larger context, cyber resilience is the capacity of an integrated system such as CPS to maintain availability and output in the face of both a cyber-intrusion, and degraded conditions that derive from the loss of computing power resulting from natural disasters, component failures, or human errors.
Quoting from the report: “Our key to success lies in developing systems that can not only defend against attacks but also minimize effects on delivery of critical services, regardless of the cause of failure.”
Unfortunately, history is not on our side. The core process control systems at the heart of many CPSs in operation today were designed to operate as air-gapped entities, never meant to be connected to public networks. Security was based on restricting physical access, so cybersecurity was overlooked in initial design work and had to be bolted on years later as those discrete systems were interconnected to achieve greater process efficiency.
It’s time to recognize that band-aids will never address the essential need for built-in resilience. Principles such as Cyber-Informed Engineering (CIE) must be core to current and future designs of cyber-physical systems, as is stressed in the PCAST report. This practice would ensure that cybersecurity considerations are present in the design, development, and operation of physical systems. Simply put, CIE gives us a better fighting chance to mitigate or eliminate risky paths that can be exploited than our untenable chase of vulnerabilities and downstream patching.
The meat of the report to the President revolves around four recommendations that the PCAST proposes be taken up by the Cybersecurity and Infrastructure Security Agency (CISA), the federal government’s Sector Risk Management Agencies (SRMAs) and the associated Sector Coordinating Councils (SCCs). The recommendations set out tangible goals with achievable metrics that the PCAST believes will drive, measure, and improve the resilience of cyber-physical systems and our critical infrastructure.
Recommendation 1: The first—and perhaps most important—recommendation tasks CISA and its SRMAs and SCCs to Establish Critical Infrastructure Performance Goals that define minimal viable delivery objectives. These objectives provide the foundation for measuring and maintaining the resilience of CPS across industries. This recommendation asks that CISA develop measures of “bounded impact and bounded failure,” i.e., the delivery goals that ensure no more than a certain number of people would be without a critical service for a defined period of time (bounded impact), and characterize not only the impact of a failure due to a cyber incident, but how well the failure is prevented from cascading across dependent systems.
Furthermore, CISA would be tasked with developing general accepted performance (GAP) goals, a standard for CPS resilience, and the SRMAs would in turn report status against those GAP goals.
Finally, this first recommendation includes language on transparency in reporting to determine the efficacy of GAP goals and whether minimally viable objectives are reachable.
Recommendation 2: The second recommendation proposes Bolstering and Coordinating national research and development focused on critical infrastructure cybersecurity and cyber-physical systems resilience. Core to this is the establishment of a National Critical Infrastructure Observatory whose aim would be to put defenders on an equal footing with attackers in terms of their understanding of risks caused by system dependencies and vulnerabilities. The report asks for a classified mapping system that would inventory critical infrastructure and identify risks such as single points of failure. In addition, the plan asks for the creation of a Federal Cybersecurity Research and Development Strategic Plan that spells out challenges, plans for leveraging advanced technology such as AI, and determinations on how those technologies can be applied to improve resilience.
Recommendation 3: The third recommendation is crucial: Move authority and capability to organizations closest to the risk by Break[ing] Down Silos and Strengthen[ing] Government Cyber-Physical Resilience Capacity. Essentially, this would empower the SRMAs with more resources and capabilities to reduce that risk, while CISA acts in a management capacity to ensure coherent and coordinated effort. It also spells out that CISA should reinvigorate the National Risk Management Center and establish a sector-by-sector list of entities crucial to critical infrastructure: prioritize critical capabilities for each sector and map the systems required to deliver them.
In addition to strengthening the SRMA authorities, the report recommends empowering and resourcing the Department of Homeland Security’s Cyber Safety Review Board to do more reviews, identify weaknesses and what underlies breaches, and make impactful adjustments to systems.
Recommendation 4: The final recommendation takes aim at private sector executives, given that most critical infrastructure is privately owned in the U.S., and incentivizes business leaders to invest in cybersecurity and resilience. Under a recommendation entitled “Develop Greater Industry, Board, CEO, and Executive Accountability and Flexibility” the private sector is asked to take a leading role in charting and implementing needed reforms. Sector Coordinating Councils (SCCs) are asked to establish Sector Executive Committees that are chaired by CI owners and operators. The SCCs, meanwhile, would also update performance goals based on leading indicators that would be guided by the minimum viable operating capabilities and delivery objectives.
While the devil is, as ever, truly in the details, the PCAST report provides a compelling argument that resilience-by-design must be implemented in the cyber-physical systems that underpin broad swaths of infrastructure upon which the conduct of our daily lives, commerce, and national security depend. The good news is that the technologies and practices needed to make this change have been developed and, better still, the leadership to effect that change is present in the form of CISA, the SRMAs, and the private sector. All that remains is to “Just Do It.”
Chris Inglis is the former inaugural Senate-confirmed U.S. National Cyber Director in the White House from 2021-2023. Chris' career spans both military and civilian service, including as a Commissioner on the U.S. Cyberspace Solarium Commission, eight years as the Deputy Director and Chief Operating Officer of the National Security Agency, and three years as the Special U.S. Liaison to London. Chris is a Visiting Professor at the U.S. Air Force and Naval Academies, and also serves as a senior advisor to Hakluyt and Company and is a valued member of the Huntington Bancshares Board. Chris is a member of Claroty's Advisory Board.