Taking the "High Assurance" Road for Critical Systems
The National Commission on Grid Resilience Report has been published. It is a "must-read" for all concerned citizens. Achieving grid resilience will be an incredibly complex undertaking, but we already have some weapons in our "technology arsenal" that might help. As a start, how about considering a "pilot project" at one of our federal power generation and distribution facilities? We should build a highly assured, kernel-based Programmable Logic Controller (PLC) for industrial control systems (ICS). We can base the design on the Class A1 operating system specification from the Trusted Computer System Evaluation Criteria (TCSEC), published by the NSA several decades ago. Technology developed by commercial industry using the TCSEC as a guide has repeatedly resisted the most sophisticated cyber adversaries and threats of subversion.
Some people would argue that the TCSEC was abandoned because it was too difficult to build general-purpose operating systems adhering to that specification. They might also say that systems built to the TCSEC standards were too difficult to upgrade. There is merit to both arguments, but they were mostly applied to general-purpose systems. I am suggesting a pilot project to apply that well-tested knowledge to a very narrow but highly critical set of systems. PLC/ICS systems aren't intended to run games, word processing, or capture cat videos. They are dedicated, special-purpose systems that control critical processes we must secure for our future safety. They are effectively the kind of system the TCSEC was created to address: highly critical systems under significant threat.
The TCSEC alone will not be sufficient to build these systems, as the TCSEC doesn't address safety and continuity of operations. The TCSEC also did not address the full set of concerns related to supply chain security. However, the tremendous amount of thought that went into the TCSEC and follow-on work provides a solid foundation on which to build a high-assurance system, far more so than most (if not all) systems on the market being used in this domain. Taking this approach will not solve all of the grid resilience problems, but it might buy us the critical time we need to develop more holistic solutions. It certainly will be a step forward from the current "business as usual."
Related Washington Post article: A cyber-risk we're not prepared for: What if the power grid collapsed and America went dark?
Cyber Resilience & Information Security Services Practice Lead
4 years
I used to be an admin of a Novell national security system secured to C-2 (who remembers "C-2 by '92"?). As a cyber policy SME I have referred back to my hard copies of the Red and Orange Books to help understand the origin, intent and evolution of current policy. I also programmed and maintained Ladder Logic, Allen-Bradley PLCs at an Oregon automated plywood mill in the early '90s, and the idea of applying TCSEC concepts to PLCs is very interesting.
IT Strategy | Cybersecurity Risk Management | Enterprise Architecture
4 years
Great proposal, Ron! Applying TCSEC A1 concepts to such a critical application would be a fantastic contribution and exciting challenge. Power grids have many external dependencies that could impact safety, and imposing rigor could prevent adverse/vulnerable conditions.