Two weeks ago, President Obama issued an executive order to improve critical infrastructure cyber security. Together with Perry Pederson, a cyber security specialist at the US Nuclear Regulatory Commission and an old hand in ICS security, Ralph explains why the executive order is a recipe for failure, and suggests alternatives for securing a nation’s most critical systems against cyber attacks. The 16-page article, titled “Bound to fail: Why cyber security risk cannot simply be ‘managed’ away”, can be downloaded from the Brookings website.

Executive summary:

Rather than a much-needed initiative to break the legislative deadlock on the subject in Congress, President Obama’s new executive order for improving critical infrastructure cyber security is a recipe for continued failure. In essence, the executive order puts the emphasis on establishing a framework for risk management and relies on voluntary participation of the private sector that owns and operates the majority of U.S. critical infrastructure. Both approaches have been attempted for more than a decade without measurable success. A fundamental reason for this failure is the reliance on the concept of risk management, which frames the whole problem in business logic. Business logic ultimately gives the private sector every reason to argue the always hypothetical risk away, rather than solving the factual problem of insanely vulnerable cyber systems that control the nation’s most critical installations.

The authors suggest a policy-based approach that instead sets clear guidelines for asset owners, starting with regulations for new critical infrastructure facilities, and thereby avoids perpetuating the problem in systems and architectures that will be around for decades to come. In contrast to the IT sector, the industrial control systems (ICS) that keep the nation’s most critical systems running are much simpler and much less dynamic than contemporary IT systems, which makes eliminating cyber vulnerabilities, most of which are designed into products and system architectures, actually possible. Finally, they argue that a distinction between critical and non-critical systems is a bad idea that contradicts pervasiveness and sustainability of any effort to arrive at robust and well-protected systems.