The US Critical Infrastructure Security Administration (CISA) relies on the network to protect the country’s vital assets

Cybersecurity of industrial equipment (OT): making complex environments readable

Faced with threats to industrial systems, cyber defense must turn to mechanisms similar to electrical protection, well known to manufacturers.

The US agency responsible for the security of vital systems (CISA) has just launched an initiative aimed at the country’s critical infrastructures (CI): “CI Fortify”.

CISA starts from an observation:

  • Attackers know how to pre-position themselves in critical industrial infrastructures and are able to create malfunctions.
  • They can reach the underlying telecommunications infrastructure necessary for operators.

This observation leads CISA to highlight two points:

  • Isolation, so that services can continue.
  • The importance of providing the means and procedures for resuming service after an outage.

It’s a paradigm that seems incredibly new from an IT point of view, and apart from the GIMELEC OT cybersecurity working group, we don’t really see where a similar initiative could come from in France.

But for an industrial operator who has always paid attention to the distribution of energy across their installations, it is completely logical: no energy, no service.

This generally means two supply sources, and when the site is large, one of them is local: a backup generator, sized to run the site autonomously for several hours.

More precisely, the electrical distribution passes through panels, where there are devices capable of cutting off one supply artery in order to preserve the others. These devices have always been automated: the propagation of a short circuit is instantaneous. The design and implementation of these systems are costly and require studies (including selectivity analyses, to cut as close to the problem as possible while maximizing the availability of the rest of the electricity network).

The experience of great electricians

Do electricians have anything to teach us for the Business Continuity Plans (PCA) and Business Recovery Plans (PRA) of our industrial sites and other critical infrastructures? Certainly.

The measurement of currents and voltages, on which network protection decisions to isolate this or that segment are based, is reliable and corresponds exactly to the protection need. In cybersecurity, we collect a large number of logs and trust a SOC to sort the wheat from the chaff, finding the signal in all the noise.

But this is a form of "laziness" in cybersecurity engineering: the logs that matter, and what they mean, must be known and carefully selected, and revised as the threat evolves, whereas the laws of electricity are known and stable.

Next comes the ability to isolate a segment of the network automatically. A SOC does not react in real time. In the age of AI-driven attacks, this is no longer the right posture: the isolation reaction must be immediate, and therefore automated; and local, because if CISA is right, it is risky to rely on the telecommunications network to protect one's site.

We have an equivalent of electrical panels on our OT networks with segmentation by firewalls. But this segmentation is static, and depends on rules that are not adaptive. These rules are designed not for isolation against an intrusion but for perimeter protection. The equivalent of a selectivity study would nevertheless be entirely possible, by correlating attack detection (what, and where in the network) with the filtering rules.

A system that did this, probably consisting of an EDR, an NDR and firewalls, could then function as a cybersecurity circuit breaker. If the CISA recommendations are well-founded – and it would be surprising if they were not – there is an urgent need to move in this direction.
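To make the selectivity idea from the two preceding paragraphs concrete, here is an added toy model of a "cybersecurity circuit breaker"; it is illustrative code written for this page, not code from CISA, GIMELEC, or any product. It assumes a hypothetical site laid out as a tree of firewall-bounded segments (site, cells, zones), a constructed set of EDR/NDR alerts, and a constructed trip threshold. The breaker keeps only corroborated, high-severity signals per host, then trips the smallest segment that encloses every affected host, so that the rest of the site keeps running, exactly as a selectivity study places the breaker nearest the fault.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Segment:
    """One firewall-bounded zone of the OT network (constructed example)."""
    name: str
    parent: Optional[str]
    hosts: frozenset = frozenset()

# Constructed site topology with hypothetical names: site > cells > zones.
SEGMENTS = {
    "site":    Segment("site", None),
    "cell-A":  Segment("cell-A", "site"),
    "cell-B":  Segment("cell-B", "site"),
    "zone-A1": Segment("zone-A1", "cell-A", frozenset({"plc-a1", "hmi-a1"})),
    "zone-A2": Segment("zone-A2", "cell-A", frozenset({"plc-a2"})),
    "zone-B1": Segment("zone-B1", "cell-B", frozenset({"plc-b1", "hist-b1"})),
}

TRIP_THRESHOLD = 7  # constructed: only corroborated, high-severity signals trip the breaker

def segment_of(host: str) -> str:
    """Return the zone that contains a host."""
    for seg in SEGMENTS.values():
        if host in seg.hosts:
            return seg.name
    raise KeyError(f"unknown host {host}")

def lineage(seg: str) -> list:
    """Segment names from the given zone up to the site root (leaf first)."""
    chain = []
    while seg is not None:
        chain.append(seg)
        seg = SEGMENTS[seg].parent
    return chain

def smallest_enclosing_segment(hosts) -> str:
    """Selectivity: the smallest segment that contains every affected host."""
    lines = [lineage(segment_of(h)) for h in hosts]
    common = set(lines[0]).intersection(*lines[1:])
    # lineage is ordered leaf -> root, so the first common name is the smallest segment
    return next(s for s in lines[0] if s in common)

def descendants(seg: str) -> set:
    """The segment itself plus everything nested inside it."""
    out = {seg}
    changed = True
    while changed:
        changed = False
        for s in SEGMENTS.values():
            if s.parent in out and s.name not in out:
                out.add(s.name)
                changed = True
    return out

def affected_hosts(alerts, threshold: int = TRIP_THRESHOLD) -> set:
    """The carefully selected signal: per-host severity summed across detectors."""
    score = {}
    for a in alerts:
        score[a["host"]] = score.get(a["host"], 0) + a["severity"]
    return {h for h, s in score.items() if s >= threshold}

def trip(alerts, threshold: int = TRIP_THRESHOLD) -> Optional[dict]:
    """Decide locally, without a SOC in the loop, which segment to cut."""
    hosts = affected_hosts(alerts, threshold)
    if not hosts:
        return None
    target = smallest_enclosing_segment(hosts)
    cut = descendants(target)
    # Filtering rules derived from the detection, rather than static perimeter rules.
    rules = [
        {"action": "deny", "src": target, "dst": "any"},
        {"action": "deny", "src": "any", "dst": target},
    ]
    return {
        "tripped": target,
        "isolated": sorted(cut),
        "rules": rules,
        "preserved": sorted(s for s in SEGMENTS if s not in cut),
    }

# Constructed alerts: two hosts in different zones of cell-A are corroborated
# by EDR and NDR, one host in cell-B raises only a weak signal.
ALERTS = [
    {"source": "edr", "host": "plc-a1", "severity": 4},
    {"source": "ndr", "host": "plc-a1", "severity": 4},
    {"source": "ndr", "host": "plc-a2", "severity": 7},
    {"source": "edr", "host": "hmi-a1", "severity": 3},
    {"source": "ndr", "host": "plc-b1", "severity": 2},
]

if __name__ == "__main__":
    print(trip(ALERTS))
```

With the constructed alerts, the breaker trips cell-A (both affected hosts sit under it) and leaves cell-B and its zone untouched; a single corroborated host would trip only its own zone, and uncorroborated noise trips nothing. In a real deployment the detection scores, the threshold and the segment tree would come from the selectivity study the article calls for, and the emitted rules would be pushed to the local firewalls rather than printed.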
