This week a gem in the deluge of mostly repetitive cyber security information and initiatives coming out of the US Government. The President’s Council of Advisors on Science & Technology (PCAST) issued their Strategy For Cyber-Physical Resilience. A lot of it is reshuffling chairs, better information sharing, and other usual suspects. And yet the first item in the document is the gem:
Minimal Viable Delivery Objective
As I wrote in August 2022 in OT Cyber Security Regulation (if I were omnipotent):
- Identify the country’s critical infrastructure companies / organizations where the OT is necessary for the critical product or service.
The key here is to avoid the temptation to say everything is critical, and this is a more difficult task with political ramifications in a large country. For example, the US has over 140,000 water facilities. It would be difficult to get enough talent to handle this number. What are the 100 or 1,000 that are critical?
2. Determine minimal effective operations required for each company identified in Step 1.
In a perfect world, everything would run at 100% of capacity at all times. We know this doesn’t happen, so there is usually excess capacity. In addition, the community can live in a degraded state without having an unacceptable quality of life, impact to the economy, or environmental damage.
The government and the critical infrastructure entity shall determine the minimal effective operations criteria. How much drinkable water is required? How much product must flow through the pipeline to which locations? How much product must be manufactured in what timeframe? How much power must be produced?
The ability in step 1 to limit the number of regulated critical infrastructure entities and the political will to approve degraded operations are key. Remember though, I’m omnipotent.
3. Determine required recovery time objective (RTO) for minimal effective operations in the event of a cyber incident.
Again in a perfect world the critical infrastructure never goes down, but in the real world it does go down for a variety of non-cyber reasons. For water, pipelines, refineries, manufacturing, and many other sectors the RTO may be days. The government and the entity need to discuss what the RTO needs to be, with the government regulator making the final decision.
The report is 50 pages long and is not as direct as an earlier PCAST presentation that gave an example that was spot on, exactly the format the government needs to determine, put out, and regulate around. Pull quote:
Bounded Impact: expressions of minimum delivery goals e.g.:
No more than 50,000 people will be without x (e.g., water, food, electricity, communications) for more than 1 week.
An important and related recommendation in the report is to stress test organizations where outages could exceed the bounded impact. The US Government already does this in the financial sector.
Bravo PCAST team and members, although I wish PCAST had issued a two-page report with this item in very plain language.
The danger, dare I say likelihood, is this will get lost among the flood of guidance documents and initiatives coming out of the US Government. The most important, the thing that would make the biggest difference, can become one among many not wrong, but low impact items and get little attention and not be done.
Even in the PCAST report it is one item, albeit the first which is great, among many. Some of the other items are bureaucratic and easier to check off like the Cyber Solarium and National Cyber Strategy Implementation Plan. Start this initiative, explore this idea, stand up this role or task force, … Not bad and may be necessary, and the next step, the output is key and as yet mostly lacking objectives.
Let’s hope it gets attention and action.
It will take maturity and political will to not take the easy way out, if this becomes an objective, and set the bounded impact so that no one is inconvenienced. For example, Colonial Pipeline was required to get operations running in seven days. They did it in six days. There were lines and panic, and the outage resulted in a loss of efficiency and commerce. Still it was not catastrophic. Seven days may be the right RTO, the bounded impact. Aliquippa and Oldsmar water would likely fall below the bounded impact.
I urge those with influence to give this recommendation attention and priority.