Andrew A. Bochman - Countering Cyber Sabotage: Introducing Consequence-Driven, Cyber-Informed Engineering (CCE)

It is time to recognize how traditional engineering practices have fully absorbed cyber technology across the full engineering lifecycle. We must do more to fully understand our most critical systems, how they were built, how they work, on what they depend, and how they can be mistakenly operated. With this knowledge we need to make next generation designs demonstrably more secure. For many engineers, and the managers who employ them, this will require a series of conceptual leaps as the behavior of software is completely unlike the laws of physics in which they have until recently placed their full trust.

The aerospace sector provides a few recent instructive examples. The 2018 and 2019 Boeing 737 Max crashes revealed, catastrophically, erroneous assumptions about how software would compensate for observed flaws in engineered design. Earlier, other assumptions encoded in an overreliance on software doomed an AirBus A400M, prompting me to write this at the time:

This tragic accident reminds us of the nature of cyber and its ability to achieve scales that often surprise us. The safety basis for the aircraft failed to analyze a scenario involving software problems for more than one engine. There are numerous process safety efforts that also failed to account for software errors or malware conditions in many places at once (horizontal susceptibility) throughout the worlds power systems, chemical plants, and transportation systems.

Safety use case assumptions coded in software that are effective in individual systems can quickly break down when software links multiple systems. These risks exist separately from what can go wrong when an adversary enters the picture.

Although we are already well down the road to total dependency on digital systems, there remains much to be discovered about how engineers have come to trust software to fill gaps in first principles engineering. We must achieve and promulgate a much deeper understanding of the cyber contents of critical physical systems and the potential conflicts within them, including the processes used to create, operate, and maintain them.

This isnt just a recommendation; theres a warning here related to what is occurring in infrastructures around the world. Nation-states are leveraging substantial technical capabilities to put and hold critical infrastructure at risk, with ever-increasing cyberattacks against target (or victim) countries. While thats happening at the state-on-state level, companies are also being caught in the crossfire. Where infrastructure providers (e.g., energy, water, communications) used to focus emergency planning on assaults from Mother Nature, theyve now become pawns in a geopolitical chess match. Its been demonstrated that strikes on them can and will be used as shots across the bow, to deter military mobilization, to punch back, or to send whatever message one country feels like it needs to communicate to another, with all others watching.

Thats where we find ourselves. Its not Tom Clancy, its not marketing, and its not hyperbole. If you take what weve seen and heard as intentions, this is an iterative, unending, defensive call-to-arms. You must strive to understand your most vital systems more deeply than you ever have. This is one of the main tenets of consequence-driven, cyber-informed engineering (CCE), as is the need to identify potential paths of entry and closely monitor potential adversary activities in your supply chain and subcontractors, as well as network paths of entry, egress, and maneuver. This level of understanding is needed to achieve the earliest of warnings and tripwires, so you can move in ways that minimize consequences, work through attacks, recover fully, and get ready to do it again.

Cyberattacks like these have been going on beneath the surface for years, but cyber was used with more restraint as an instrument of projected international power and intimidation. Today the genie is out of the bottle and theres no going back. In this new world, critical infrastructure providers find themselves among the most attractive targets, not because of who they are but because of the essential services they provide and to whom they provide them.

Something I want to be sure to get across is that by understanding your most essential processes and systems deeply enough, you have a very good chance of minimizing the worst consequences during an event. Not only that, but you may be able to stall longer campaigns aimed at you. Those who lack the requisite level of understanding hand adversaries repeated opportunities to access and re-access their networks and systems.

What was the origin of CCE? For me, in the wake of the 9/11 attacks, it was when a series of government-sponsored experiments exposed the fact that very creative cyberattacks against complex infrastructure systems could be surprisingly effective and highly destructive. In ways reminiscent of General Billy Mitchells post World War I demonstration which showed, in the face of nearly universal skepticism, that aircraft could sink large-surface combatants, we quickly came to understand that as a nation, we were living with a huge, unacknowledged Achilles Heel.