Cyber-Physical Resilience (PCAST) Report: Implications for daily business operations

As digital workflows become more integral to our operations, our reliance on cyber-physical systems (CPS) has intensified. This growing dependence brings with it new vulnerabilities, creating more opportunities for exploitation by malicious actors.  

A recent Presidential Report on Cyber-Physical Resilience for Critical Infrastructure, from The President’s Council of Advisors on Science and Technology (PCAST), highlights these vulnerabilities, affecting not just local water utilities and power grids, but also schools, property management firms, home builders, and a myriad of other businesses that form the backbone of our communities.

As cyber attackers adopt an increasingly sophisticated array of AI-powered tools, security teams find themselves perpetually on the defensive, struggling to protect a sprawling and vulnerable cyber-physical landscape. Although recent advancements in Multi-Factor Authentication (MFA), Managed Detection and Response (MDR), and Zero Trust have provided temporary defensive gains, the rapid evolution and potency of new technologies such as AI (Artificial Intelligence) and drones have allowed cyber-criminals to regain the upper hand, creating an ever-growing need to reduce operational and security risk in CPS environments

‍Enhancing the resilience of cyber-physical systems

What exactly is a cyber-physical system (CPS)? And how do we better protect increasingly digitized critical infrastructure against system failures or attacks?  

PCAST sheds light on this concept in their report, defining CPS as "physical systems that utilize computing technology for sensing, analysis, tracking controls, connectivity, coordination, or communications." This broad definition encompasses a vast array of sectors, affecting every business, organization, and individual in the United States.  

PCAST further urges the 16 critical infrastructure sectors to urgently adopt an integrated cyber-physical resilience strategy. This approach should not only prioritize security and attack prevention but also guarantee the provision of services with a "minimal viable operating capability." It must account for scenarios where access to digital systems or the Internet is disrupted for extended periods. The core message is clear: our physical systems, which deliver essential services to millions across the nation, need to be robust enough to handle any cyber system disruptions through thorough planning and effective implementation.

‍The growing threat of cyber-physical convergence

Threat dynamics today are evolving at an unprecedented pace, marked by significant advancements and novel approaches. Over the past 18 months, Artificial Intelligence has made remarkable strides, providing threat actors with powerful tools for swift reconnaissance and rapid exploitation. Beyond AI, we have observed incidents where drones, outfitted with sophisticated hacking devices, have landed on rooftops to infiltrate WIFI access points. Additionally, innovative gadgets like the Flipper Zero can replicate access badges, credit cards, crack WIFI passwords, and perform numerous other functions. These emerging tools expand the arsenal of tactics, techniques, and procedures available to hackers, enabling them to outmaneuver security teams with increasing creativity and efficiency.

In response to the swiftly escalating challenges and to offer direction to the diverse and expansive managed critical infrastructure sector, the President’s Council of Advisors on Science and Technology (PCAST) published a report on February 28, 2024, titled "Strategy for Cyber-Physical Resilience: Fortifying Our Critical Infrastructure for a Digital World." The report emphasizes that our cyber-physical systems are becoming more susceptible to threats from nation-states, terrorist organizations, criminal elements, and various natural disasters.

‍PCAST recommendations for building cyber-physical resilience

PCAST outlines a comprehensive set of actions aimed at strengthening the resilience of the Nation’s critical infrastructure. The report provides detailed measures for implementing each action. Among its key recommendations are:

• Prioritizing the construction of resilient systems, particularly within the 16 critical infrastructure sectors.
• Adopting a minimum viable operating capability to meet delivery objectives.
• Ensuring radical transparency throughout processes.
• Designing systems to be inherently secure and resilient.
• Containing potential damage through strategic design to limit failure impact.
• Utilizing advancements in AI for enhancing resilience.
• Developing the ability to decode and understand attacks.
• Implementing effective countermeasures in response to threats.
• Integrating cybersecurity, resilience, reliability, and recoverability within information systems, critical infrastructure, and operational technology.
• Achieving cyber-physical convergence by dismantling security silos and fostering improved communication.

‍Reducing the impact of cyber-physical breaches on core assets

Although the central theme is the convergence of cyber and physical security, the report contains numerous substantial recommendations that merit individual discussion in future posts. One crucial yet often overlooked issue is “bounded failure,” which involves containing the impact of security breaches through thoughtful design. Emphasis should be placed on safeguarding the core assets—the primary product or service offered—by establishing a "minimum viable operating capability," as advocated by PCAST.

Consider a community water supply business as an example. The critical assets, or "crown jewels," span the entire water delivery chain: from the water's origin sources and quality assurance systems to filtration mechanisms, pump and valve infrastructure, and main water pipelines. Physical security measures like AI-enhanced surveillance cameras, barriers, and the protection of necessary digital systems are vital to maintaining the integrity of these assets. In contrast, functions such as marketing, accounting, and human resources, though supportive, are not crucial to the core mission of delivering clean water.

Therefore, greater focus should be directed towards fortifying these essential systems and limiting the damage from any breaches. If a cyber incident impacts a non-essential function, it must be effectively isolated from the core operations. Additionally, robust contingency plans should be developed to enable manual operations, ensuring continuity without reliance on digital or cyber systems.

‍Conclusion

The PCAST report, though primarily aimed at guiding the 16 critical infrastructure sectors, contains invaluable information and principles that any organization can adopt to enhance their operational capabilities. The foundation for optimizing cyber-physical operations lies in the intentional design of systems that are inherently resilient and secure, safeguarding key assets and delivery goals. Integrating cyber and physical security teams to improve incident response and ensuring a minimum viable operating capability during cyber system downtimes or breaches, are also crucial.

Achieving resilient cyber-physical systems requires a continual process of identifying service delivery vulnerabilities, strategic planning, and remediation—topics that will be explored in upcoming posts. The resilience of systems hinges on the resilience of well-crafted teams, committed to persistent effort and incremental learning, which collectively drive the achievement of critical performance objectives.