4.2 Self-Reported Impact Assessment Strategies (RQ1)
We report how participants responded to questions about what information they would need to assess the impact of a vulnerability in an energy OT system, highlighting similarities (Section
4.2.1), differences (Sections
4.2.2–
4.2.3), and interdisciplinary knowledge (Section
4.2.4). Although participants raised similar high-level topics, their stated approaches to vulnerability impact assessment differed notably in the level of detail they provided: cyber SMEs offered more specific considerations about gaining access to networks, while energy OT SMEs spoke more about connections to the overall system and potential disruption of operations. While we include numbers in some of the results below and in Table
9 in Appendix
E to characterize this particular participant pool, we note again that these are not generalizable results.
4.2.1 Similarities in Self-Reported Impact Assessment Strategies.
We expected cyber SMEs and energy OT SMEs to show a stark imbalance in their stated approaches to vulnerability impact assessment, based on prior work (Section
2.1), but we did not find this to be the case. Experts across both groups raised similar vulnerability impact assessment topics relating to Accessibility, Connectivity, Consequence, Device Information, and Vulnerability (described in Table
1), as shown in Figure
1 and Appendix
E. Responses to questions about whether subsector and vendor would influence their approach were also similar. We hypothesize this may have been due to all participants having interdisciplinary experience. We describe these similarities below.
Accessibility. Both groups of participants spoke generally about how to gain access (remotely or physically), who might have access, and access controls.
Consequence. Both groups were aware of possibilities for large-scale impact, emphasized understanding systemic and broader scale implications, and offered general considerations about the potential impact on human life, damage to equipment, financial or business impact, remediation or recovery time, and whether it would affect critical systems.
Device Information. Participants from both groups said they would need information about what the system or device is, what its function is or how it is typically used, how it is configured, who uses it, where it is located and situated within the OT system, how widely it is deployed in the overall environment and in the country, and how well it is protected from a physical and network standpoint. One participant, E7, called for a software bill of materials (SBOM) to better understand where a vulnerable component exists and what the “most granular indivisible element that this vulnerability impacts” is.
Vulnerability. Participants from both groups said they would consider what the vulnerability was, the area or systems affected by the vulnerability, proof of concept, and exploitability.
Subsector. In response to questions prompting participants to tell us whether the energy subsector (e.g., generation, transmission, or distribution) would influence their vulnerability impact assessment approach, all but one participant felt that considering subsector was important for impact assessment; the exception, a cyber SME (C3), said the subsector would not affect their assessment at all. In all cases where subsector was described as being important, it was due to the scale of the potential impact. Some participants ranked subsectors by importance, named the one they thought was most critical, or stated that all subsectors were equally important.
Vendor. Five participants (2 OT, 3 Cyber) listed vendor as a factor they would consider before being prompted to discuss how a vendor would influence their vulnerability impact assessment approach. In response to our question, four participants (2 OT, 2 Cyber) stated that the vendor did not matter at all. All other participants stated that the vendor did matter. Some participants said different vendors had different track records with computer security, specifically in how open and communicative each vendor was with their customers regarding vulnerabilities, emphasizing the importance of strong lines of communication and relationships. Two participants discussed the difficulties of trying to report vulnerabilities to different vendors (E10, C12).
4.2.2 Differences in Cyber SMEs’ Self-Reported Impact Assessment Strategies.
Cyber SMEs’ responses were distinguished by a more adversarial focus on gaining access, identifying connections, and imagining device capabilities and exploits.
Gaining Access. Cyber SMEs spoke in more detail about gaining access to a system’s networks or devices than energy OT SMEs, saying they would want information about an attacker’s ability to move around within an OT environment (C13) or a company’s networks, including SCADA or control system networks (C12), or the potential for an attacker to access “additional resources that you can chain to get there or tie in with other controllers” (C11).
Identifying Connections. Cyber SMEs also emphasized identifying connections across networks and systems, imagining paths to hard-to-reach devices:
I would try to trace a path to this piece of equipment to try to understand how easy it is to get there. Some equipment is designed to be on a network that is more likely to have malicious traffic. Other equipment is not designed for that, and it’s expected that it’s going to be behind several firewalls. (C12)
C11 said, “Often, end devices are not very reachable. So you’d have to have access to several other networks or a different entry point to get to them.” Others asked questions such as “Does it cross the boundaries between different networks?” (C5) and “Can you go to the next system over?” (C15).
Device Capabilities. Cyber SMEs provided more examples about what affected devices or systems might be capable of doing. Three cyber SMEs suggested devices could be modified to perform unintended actions or be mis-programmed by abusing a given functionality. C5 wanted to know potential impact “if it was to be modified and if the vulnerability allows the code to be changed and just run something arbitrary instead.” C5 also considered the possibility of modifying a device or system that is “just supposed to be gathering data” to “send commands to something” on the same network. C12 considered looking for potential capabilities of hardware components:
Sometimes we think about a device as a single device, but if you open it up under the hood there might be two or three or four different devices inside with distinct functionality. And maybe one portion of that device is built to be more trusting, and so you have to look and do a divide and conquer approach. (C12)
C12 also contrasted the idea of looking for a “novel exploit, which you should definitely search for,” with an unintended or “insecure implementation” of a provided functionality. C17 considered the potential impact of “issues with the device,” such as an “accessible debug shell” that could be made to “continually crash and restart, taking up resources.”
In contrast, three energy OT SMEs spoke more generally about understanding what affected devices or systems were capable of doing, with E16 also considering the ability to change things “within the product to be used inappropriately.”
Exploit details. Cyber SMEs also considered details regarding potential exploits. C5 wanted to know if there were “creative” ways to modify the device or change the system’s code and if this could take the system offline. C9 said they would consider what kind of data could be released by the vulnerability, as well as its severity. C11 said they would be more concerned if it were possible to “chain” the vulnerability with knowledge about other vulnerabilities to create a larger impact. C12 expressed concern about older systems being exploited with published “off-the-shelf” vulnerabilities. C14 asked whether the vulnerability was persistent or temporary and whether it could spread to other things.
All five cyber SMEs who raised the topic of exploitability asked how “easy” it would be to exploit the vulnerability, while energy OT SMEs asked whether it was “actually” exploitable (E7, E16) or would require remote access (E10). The cyber SMEs’ responses implied that compromise was possible but that their consideration depended on difficulty, highlighting factors like how reachable the system is and the attacker’s skill level.
4.2.3 Differences in Energy OT SMEs’ Responses.
Overall, energy OT SMEs conveyed a more holistic view of the system and provided more concrete examples of parts of systems and how systems might be affected.
Connections to the larger system. Energy OT SMEs provided more details about how connections between devices and systems relate to the overall system. For example, E1 considered an engineering workstation as “something with a pretty low impact for safety or operations” but with high potential security impact because “it touches everything” and might contain credentials and configuration files. E7 and E15 were concerned about whether the vulnerability was “on something centralized that controls a lot of different things, like my SCADA or EMS” (E7). E8 expressed concerns about distribution systems “becoming more integrated,” saying, “Historically, a distribution system was one radial feed. Now it’s starting to talk to all the meters out in these residential areas.” E16 was concerned about effects on “the downstream load.”
In contrast, cyber SMEs asked general questions such as what it means for devices connected to the system (C17), “what equipment is being used and what ties they have to the outside world or to any type of network” (C3), what the system communicates with, controls, or monitors (C5), and what the dependencies on the system are (C14). Unlike some energy OT SMEs, they did not offer potential answers themselves, implying that they would obtain this information from another source, such as an energy OT SME.
Disrupting operations. Energy OT SMEs also spoke in more detail about potential disruptions in operations. For example, E15 considered whether the location might be a “high priority site” that needs to “maintain critical loads” and whether it would thus be among the last users to lose service and the first users returned to service after an interruption. E16 wanted to understand how much power or the “amount of megawatts and gigawatts” that might be “turned off” and what point in power distribution was disrupted: a meter at a residence or a transmission substation.
Energy OT SMEs also wanted to understand what kind of disruption might occur. For example, E18 wanted to distinguish between whether the vulnerability would “completely shut us down” or “only slow us down temporarily.” E7 suggested that temporarily mitigating a threat by “physically remov[ing] some kind of communication channel” might cause people to complain that they “need the data,” but suggested that the potential impact might not be great: “But do you really need it? Are you billing from it? Is it a regulatory thing, or is it just something that you’d like to have?” Thus, for E7, the impact on business processes would weigh more heavily than the loss of nice-to-have information.
Risk mitigation. When discussing vulnerabilities, energy OT SMEs also focused more on stopping or mitigating the vulnerability, containing the risk, patching, ensuring operational integrity, and understanding the residual impact or risk of the vulnerability for the larger system and operations. For example, E15 said that after stopping an attack, they would verify “the integrity of operational functions” and if they had control of all equipment and operational status, and then “find what was potentially accessible to the attack” and confirm protection systems were still functional and working “as designed” and “that my rules haven’t been changed on my communication devices.”
4.2.4 Cross-domain Knowledge.
Some participants displayed cross-domain awareness in their responses or said they would seek out such knowledge as part of their impact assessment strategies. C17 made a distinction between whether a system could be accessed by customers at their homes or by engineers at a generation plant:
If there’s an exposed port that you can connect to that gives you debug access or a shell, that would largely be an issue with a consumer device, because that means your consumer could do whatever the heck they want to with your device. But in the case of a high reliability system in generation, it might be significantly more important to have that as a means of debugging any issues that do occur with the device. (C17)
C12 said they would not consider a cabinet containing “a bunch of ethernet ports that you could connect to” to be “very high impact” if it were inside “a facility with 10 layers of physical security.” Additionally, E6 considered the cyber hygiene of portable media and mobile devices accessing the system: “What do you do for maintenance? Do you bring a laptop over? Do you sanitize all of your portable media?”
Additionally, C14 and E7 conveyed cross-domain knowledge when speaking about isolating systems containing the vulnerability. E7 mentioned the “occasional” situation in which they are able to “wall off” a vulnerability “that’s not actually used for the functionality of that product”:
It is incredibly difficult and maybe in a few cases straight up impossible to actually exploit, and then that lets me back off and step back from the ledge a little bit and say “OK, this is important,” but it’s not like, “Oh my God,” the end of the world here. (E7)
C14 evoked concepts from a recent training on safety risks:
Going through lab training the other day, there’s a whole, when you have a safety risk or safety issue, the best thing to do is to eliminate it. The second thing to do is to have controls that contain it. The third thing to do is to tell people not to use it.... So I guess that applies also in this kind of system. (C14)
This suggests that C14 was applying knowledge from an energy OT safety training to a computer security context.
Additionally, one energy OT SME and one cyber SME suggested methods for obtaining interdisciplinary insight, emphasizing that they would consult the other expert group once they had seen a proof of concept for the given vulnerability. E16 said they would consult a “product SME” and cyber SME to collaboratively understand what the vulnerability was capable of doing. C17 said they would “lean on the energy SMEs” to gain insight into potential implications for the system, how easy it would be to replace the device, if the device could be “ruined” by the vulnerability, or what kind of impact it might have “in terms of environmental impacts or larger societal impacts.”
4.3 Perceptions of SME Groups (RQ2)
We first present recurring generalizations, or perceived tendencies, about each group in Sections 4.3.1–4.3.2. Because we did not observe notable differences between the characterizations advanced by the two groups of SMEs, we organize the stereotypes by the group that is their target. Then, in Section
4.3.3, we convey what participants said were the occupational motivations, or driving factors, of the expert groups.
Participants’ positive or negative perceptions of both expert groups’ vulnerability impact assessment strategies are included in Appendix A.
4.3.1 Stereotypes of Cyber SMEs.
Some stereotypes about cyber SMEs were that they understand vulnerabilities, misunderstand energy OT systems and impact, reduce systems to computers, pay attention to details, overestimate impact, and cut off access to protect systems. Cyber SMEs were also seen as representing “IT” people or departments.
Cyber SMEs’ understanding of vulnerabilities and systems. Cyber SMEs were characterized as understanding exploits and vulnerabilities (3 OT, 4 Cyber), e.g., being able to tear devices apart to do things like extract firmware or find vulnerabilities. Ten participants said that cyber SMEs lacked understanding of energy OT systems (4 OT, 6 Cyber). Eleven participants said that cyber SMEs lacked understanding of impact or overestimated impact (5 OT, 6 Cyber), while only one said they underestimate impact (1 Cyber). C12 suggested that cyber SMEs “are more likely to think the sky is falling when it’s not.” E7 also suggested they may incorrectly think a vulnerability could crash the grid:
The cyber security folks tend to think of it as: “This is exploitable, and if you can do this, you can crash the grid with it.” Whereas the electric folks are like, “OK, no. You can maybe knock off that one generator, but in reality, you can just knock off the controller for that induced draft fan, and that means I would have to de-rate my generator.... I’m not making as much money that day. But it’s not the end of the world.” (E7)
Thus, this overestimation could be due to not understanding redundancies in place and safeguards that prevent a vulnerability from impacting systems.
Cyber SMEs see computers. Cyber SMEs were depicted as treating OT systems as computer systems that can be manipulated as such (1 OT, 3 Cyber). E7 conveyed how systems perceived by engineers in terms of their function could be reduced to modifiable computers. “From the perspective of the maker, the people who install it, [and] the protection and controls people,” a protective relay is a device that quickly and reliably “reads electrical voltage and current,” then “does some math on them” to determine whether or not “to send a trip signal to a breaker.” Yet, they added:
From the adversary, cyber security perspective, this thing is a computer. It’s got a full-blown operating system. It’s running Yellowstone Linux or Windows 8.1 embedded or something else. And if I have the right passwords or I can figure out how to bypass the different protections on it, I can make this thing do anything that a computer could do. (E7)
Cyber SMEs focus on details. Four participants emphasized cyber SMEs’ attention to detail (1 OT, 3 Cyber). C11 and C12 said they go into “rabbit holes” and that this could be both a good and bad thing, with C11 suggesting the importance of “reining yourself in” when focusing too much on one type of analysis, and C12 acknowledging that some things may be interesting from a cybersecurity standpoint but may end up being low risk. Yet, they said, it is not always clear whether it is low or high risk until it is fully tracked. E1 said cyber SMEs spend months on device vulnerability analysis doing a full evaluation of a device. C13 suggested that cyber SMEs underestimate impact because they focus on “the here and now” details about the immediate environment rather than thinking about implications and how something might “cascade” through a system.
Cyber SMEs cut off access to protect systems. Five participants (3 OT, 2 Cyber) said that cyber SMEs restrict access to systems in order to protect them. Indeed, some participants provided anecdotes or made suggestions that evoked frustration with a lack of usable solutions.
There needs to be open communication between certain applications, certain devices. And completely locking those down, to the level that a lot of cyber security experts would like to see, just isn’t feasible....A lot of times the OT, I think, just kicks out cyber security and says “Get out of my hair.” (E8)
Cyber equals IT. Four participants (3 OT, 1 Cyber) discussed cybersecurity and IT departments in the same statements, suggesting an association between the two. When responding to a question about cyber SMEs, E6 suggested that “IT people” don’t understand how controllers work and how they communicate, and thus “think that they can just go onto the OT side and do the same thing” and then “find out the hard way”:
They don’t have the understanding of how controllers work and how they communicate, so if you run certain things to do analysis, you could potentially take out your production system, where on an IT system, it wouldn’t matter. (E6)
C14 suggested working with IT teams to develop authentication solutions, since if “the IT Department is enforcing things without actually talking to the people who have to use it, then you never figure out that you can come up with different authentication systems.” E15 also evoked IT being an enforcer when, for example, “IT says we’ve got to make a firewall or system” to avoid public access to the grid.
Other Perceptions. Less common perceptions included that cyber SMEs overemphasize the following: complicated exploits when simpler ones achieve the same effect (1 OT), IP-level communications (as opposed to serial and proprietary-level communications) (1 Cyber), patching (2 OT, 1 Cyber), and software (1 Cyber). Participants also said that cyber SMEs underestimate the importance of continuous operations and keeping things functioning (1 Cyber) and underestimate or fail to consider misuse of technology (2 OT). One participant suggested that cyber SMEs lack funding or resources (1 OT).
4.3.2 Stereotypes of Energy OT SMEs.
Energy OT SMEs were represented as understanding systems and impact, not understanding vulnerabilities or exploits, lacking imagination, and taking shortcuts.
Energy OT SMEs understand systems. A repeated opinion was that energy OT SMEs understand the design, maintenance, and operation of energy systems, energy OT equipment and capabilities, and how system components are connected. E15 also said energy OT SMEs know how to install equipment, maintain it correctly by making sure it integrates well with other equipment that’s coming in, and replace old equipment. C11 highlighted how energy OT SMEs’ input about systems helps them understand impact:
Usually the people that are talking about it and introducing us to it are quite honest about, “And if this part goes down, it’s gonna be a huge pain.” They may not be thinking about it in risk, but they usually point out parts that are difficult to replace or computer systems that are very key to keeping up and running. (C11)
E4 also spoke specifically about asset owner/operator energy OT SMEs, saying that they “will know their systems better than anyone else on the planet.”
Energy OT SMEs do not understand vulnerabilities. Energy OT SMEs were characterized as lacking understanding of exploit capabilities, attacks, vulnerabilities, technical details, and network communications. Seven participants suggested that energy OT SMEs underestimate the ease with which vulnerabilities could be exploited (1 OT, 6 Cyber). C5 suggested that people who set up OT systems may not think about how easily the different systems could be compromised, and may not consider lateral movement across different parts of the network or creative ways of gaining access. Relatedly, three participants said that energy OT SMEs overestimate protections (1 OT, 2 Cyber).
Other things that participants said energy OT SMEs underestimate include: access & connectivity (2 OT, 2 Cyber), hardware attacks (1 Cyber), impact (2 OT), misuse (1 OT), and risk (1 Cyber). Participants also suggested that energy OT SMEs overemphasize the following: network security (1 OT), physical security (1 OT), prior vulnerabilities (2 Cyber), system resilience (1 OT), vulnerability score (1 OT), what a device is supposed to do (1 Cyber), and software (1 Cyber).
Energy OT SMEs lack imagination. Eight participants suggested that energy OT SMEs find it difficult to think beyond what they already know (2 OT, 6 Cyber), i.e., that they struggle to imagine vulnerabilities, potential exploits, or harms outside their experience.
Some of that stuff is not readily clear just by say reading about something or walking through its configuration, which is typically what an OT SME might do, where they don’t go to that layer below, they really just look at what’s there and kind of accept that that’s how it is. (C13)
E7 suggested that energy OT SMEs fail to see computers in OT devices: “It’s not a protective relay. That’s a computer. It can do computer stuff.” C11 suggested that some energy OT SMEs needed convincing or explanations when told that a device had to be replaced due to a severe vulnerability.
Some OT SMEs do not believe you, they’re like, ‘Oh no, you just reboot it. It’s made to be reliable.’...They have worked with systems for a long time, and they are used to things breaking and being good after a reboot or two. They think that’s the same thing for someone actively trying to exploit or damage a system....They’re so used to it just being able to recover because it’s made to have high reliability for the types of things that happen accidentally, that having someone purposely damage it is a completely foreign idea. (C11)
Additionally, E16 suggested that energy OT SMEs might not consider “the potential downstream” impact of a highly motivated and resourceful attacker exploiting a relatively minor vulnerability on a large scale, e.g., rather than simply opening one switch, creating a scenario with “hundreds of or thousands of switches that are opened and then you can’t re-close them because communication lines have been taken out.” C17 suggested that energy OT SMEs see some systems as always failing into a known state or behaving in known and proven ways, and that they do not consider vulnerabilities that can change how the system behaves. E18 suggested that how specific responsibilities are distributed amongst personnel in an organization could influence energy OT SMEs’ understanding of vulnerabilities: “You may have one person that is responsible for aspects of the operations on a daily basis. They need to make sure that the facility is functioning and might have less of a concern about quote unquote potential risk.”
Energy OT SMEs take shortcuts. Six participants warned about energy OT SMEs taking shortcuts, thus leaving vulnerable defaults open, in order to work around restrictive policies put in place by IT or cybersecurity departments (3 OT, 3 Cyber). E1 said that engineers circumvent or work around security policies if they’re too restrictive so that they can access the system, for example, by putting in a back door. C14 said “at some point you’re a little bit looser on your security because you need to get stuff done and there’s other defenses.”
Other perceptions. Energy OT SMEs were also depicted as lacking funding or resources (2 OT, 1 Cyber) and “mistak[ing] safety systems being certified safe or a security certification with securing a system from hacking” (1 Cyber).
4.3.3 Occupational Motivations.
Regarding impressions about cyber SMEs’ occupational mission, ten participants suggested that cyber SMEs identify exploits, vulnerabilities, and flaws (4 OT, 6 Cyber). Three participants said that cyber SMEs tear apart or dissect systems (1 OT, 2 Cyber), and three said they focus on protecting computer systems (3 OT).
The most common impressions about energy OT SMEs’ motivation were that they focus on making sure the system works and ensuring power delivery (5 OT, 3 Cyber). One or two participants also suggested that energy OT SMEs focus on the following: operational efficiencies such as maximizing reliability, minimizing costs, and saving time (2 OT), development or design (2 OT), protecting systems (1 OT, 1 Cyber), and human safety (1 OT).
4.4 Participants’ Suggestions (RQ3)
Throughout our interviews, participants shared insights about their collaborative experiences working with the other type of expert and made many suggestions for how collaboration, usability, design, and education could be improved. Indeed, when discussing their own strategies for impact assessment, six participants suggested they would consult an SME from the other group themselves (3 OT, 3 Cyber), and when discussing perceptions of group strategies, eight said that they expected SMEs to consult the other group (4 OT, 4 Cyber) in certain situations.
Overall, eleven participants made suggestions about collaboration and communication (6 OT, 5 Cyber), emphasizing bringing together the two SME groups to work on the same team or collaborate in shared work settings, opening up communication and listening to each other, and understanding the goals and areas of the other SME group.
4.4.1 Integrate OT Environments to Include Both Experts.
Participants suggested integrating energy OT operational environments by having conversations that build mutual understanding, creating overlap in operational teams, and conducting red-team simulated attack exercises.
E15 suggested that one cross-domain problem is that the two groups have different conceptions of what it means to protect a grid: “I can talk to you about protection and line current differentials..., but to a cyber security person, it’s not going to make any sense. But that’s how I protect my grid. And they can talk to me in other terms about how they can protect the thing, that I’m not going to understand.” E7 suggested that a way to build mutual understanding is to have a discussion between the two groups that “resembles a lot of the same processes that an adversary would need to go through to develop a targeted capability to create a specific impact” and which requires both sides to go back and forth:
They’re going to converge towards a point of understanding in... that back and forth of, “What do you mean somebody exploiting this couldn’t crash the grid?” Well, because that piece of equipment, no matter what you do with it, can’t cause an electrical cascading event. “OK, I don’t know what that means, but it makes me glad that you can’t crash the whole grid. What can you do?” Well, here’s all the things you can do with this equipment, if you had total control over it. And the cyber guy is like, “Here’s what I would need to do to have total control over it.” (E7)
Thus, approaching issues “from different sides of the center” allows the interdisciplinary team to iteratively build understanding of potential impacts on the system.
E1 highlighted the importance of overlap in operational teams to securing critical infrastructure and said that “operational groups” should work with “the security side” in an integrated manner to understand risk and avoid “breakdowns” in operational contexts:
Why do I care if a cyber researcher understands power equipment, and why do I care if a power SME understands cyber? The only time I really care about that is implementing it in the actual operating utilities. If [those groups] can work in a more integrated manner, then they are going to do a better job. And engineers, if they understand the risks and the hazards, are very good at using that in their designs. But if they don’t understand that risk, then they’re going to exclude that. And that’s what I think happens in a lot of places, that you don’t have enough overlap, so even if your power SME wants to do things correctly, they don’t understand how to do it correctly. (E1)
E1 thus emphasized integrating energy OT operational teams to include cyber SMEs to help “utilities protect their systems operationally.”
C12 said that in their experience, the situations where “knowledge tends to go back and forth” were exercises that brought the groups together and assigned them roles to attack and protect the system:
You have a group of people that will be focused on trying to break something, and then you would have a group of your OT experts that are there to manage the system and restore and reign in the other team from going too far and damaging everything. (C12)
C12 said that through these exercises, “the cyber people would become more knowledgeable about the system, and the [energy] OT SMEs would become more knowledgeable about the cyber aspect and what could break.”
4.4.2 Consult Other SMEs for Domain-Specific Knowledge.
Participants emphasized the importance of consulting and listening to people who understand the other domain very well. Some cyber SMEs suggested that talking to energy OT SMEs who understand specific systems would help them understand how systems are set up or implemented, how they are supposed to work, how they actually work, and what they are connected to. C11 said that energy OT SMEs can identify which systems are key to keep up and running and thus difficult to replace, as well as provide advice on how to replace such systems when they are no longer operational or should be put out of service due to vulnerabilities.
E8 suggested that they gained knowledge from cyber SMEs and said they now assume an air gap is already compromised: “I’m more cautious [about air gaps], but that’s because I’ve worked with cyber security researchers and cybersecurity experts that told me otherwise. But that’s not the commonly accepted practice, from my experience.”
4.4.3 Make OT Systems More Usable.
Seven participants suggested making energy OT systems more usable (5 OT, 2 Cyber). As discussed above, some participants conveyed the impressions that energy OT SMEs take shortcuts or leave vulnerable defaults open and that cyber SMEs cut off access to protect systems. E1 said that cyber SMEs "should not have it be so locked down that the operational side can't do their job," emphasizing that energy OT SMEs need easy access to systems to do their job. C5 specifically spoke about usability, making the following suggestion:
If something is extremely difficult to do, but it has to be done all the time, then people are going to try to find shortcuts or ways around it, so [try] to work with the people who are using something to design solutions that will work for them. (C5)
E8 said that there needs to be more open communication and more collaboration on how to secure devices and applications while allowing them to communicate as needed. C14 suggested tailoring or simplifying "cyber requirements" for the OT environment. E15 said, "You can't have them putting so many layers of protection that you can't use the system or operate it" and suggested "minimiz[ing] the complexity of cyber protections to avoid not being able to restore power due to cyber protections." They added:
To keep power flowing I have to do maintenance, operation on these devices, and replace equipment. [Cyber protections] can’t be so difficult on the SCADA or communications sides that I’m unable to perform maintenance, repairs, replacements, and get the grid up. The system should not be so complex that we can’t make it work with [them]. (E15)
E16 said that a system or product might still “work very well” despite “poor code quality” and cyber SMEs’ disapproval, suggesting that there could be more flexibility in restrictions for products that continue to work well.
C14 provided some insight into the technical problems of applying recommendations, such as installing Microsoft updates “in a plant kind of environment” or in “the electric sector”:
They [energy OT SMEs] can’t reboot their systems all the time.... But if you want to change your authentication on one system, you have to update all the other systems that talk to it, in order to continue talking to it.... The redundancy is more costly than in like a server farm. (C14)
This suggests that they were familiar with how typical security measures like updates might disrupt operations.
4.4.4 Security by Design.
Four participants (2 OT, 2 Cyber) recommended that OT systems be initially designed with computer security in mind, rather than focusing primarily on the operational functionality and addressing security flaws later on. C3 recommended bringing cyber SMEs into the development process at the software or board level, as security consultants, saying that some problems may be “a lot easier to fix in the beginning than to try and go back and patch it.” E16 suggested that software developers “clean up the code” while considering risks and “abuse cases” when developing a product:
There’s a whole concept of product secure development cycle, and if developers were just to understand and follow the principles within the secure product development lifecycle, then 99% of the issues that we have today would go away because the developers weren’t just trying to make things work. They were trying to make them work securely, using good coding practices, looking at risks. (E16)
E10 recommended that equipment companies make "the right choices at the very beginning of their design process," such as putting in "hardware protection that protects their software."
C14 expressed skepticism about revising design processes, suggesting that both expert groups might stick to old habits or mental models, saying, “We would hope to do a better job of it, but... we’re going to go back to what we know also when we redesign it.” They also noted that some OT systems are “obsolete” and difficult to understand even for energy OT SMEs, and yet that “trying to set up the infrastructure from scratch” would be very costly.
4.4.5 Educating SMEs.
Participants made suggestions for things to teach cyber SMEs (4 OT, 5 Cyber) and energy OT SMEs (1 OT, 3 Cyber). Topics suggested for cyber SMEs include: context, energy infrastructure, functional purpose, intended use, configuration, what it controls and is connected to, system requirements, energy OT need for access, maintenance and operation, that some devices are not practically exploitable in OT contexts, what is being targeted, what to prioritize (avoid rabbit holes), and impact on controls. Topics suggested for energy OT SMEs include: hardware and software vulnerabilities, risks and attack vectors, system capabilities, how to monitor what’s happening and detect anomalous behavior, and what red teams or attackers are looking for.
Some participants specified that even within their expert group, certain skills were needed. C14 suggested that curiosity and willingness to learn were prerequisites for vulnerability researchers. C12 also said that even among cyber SMEs, it was rare to find people who were exceptional at finding meaningful exploits, saying, "Being able to find exploits is a skill, and not everyone has it.... And I would probably put myself in that category." C13 suggested that a "good cyber security person" should have experience exploiting vulnerabilities. E4 said energy OT SMEs should be familiar with things like technology misuse, vulnerabilities, and historical exploits for OT equipment.