Journal of Critical Infrastructure Policy Volume 1, Number 2, Fall/Winter 2020 | Page 130

As argued here, from the standpoint of infrastructure resilience, control system cyber security should not be regarded as a domain of limited importance, or simply as an extension of existing cyber security activities. In both new equipment design and legacy retrofits, cyber threats may not be sufficiently considered. It is fundamentally important to recognize access points to and from control systems, because this is where incursions may be targeted and where anomaly detection may prove fruitful.
Across the world, attempts are being made to grapple with the cyber security requirements of control systems in a context of both increasing system interconnectedness and heightened cyber risk. It is likely that promising advances will be made in both proactive and adaptive techniques to detect and mitigate control system cyber-attacks. Strategies include, but are not limited to, machine learning anomaly detection, advanced moving target and deception techniques, and consequence-based resilience architectures such as Consequence-driven Cyber-informed Engineering (CCE).
In describing the latter approach, St. Michel and Freeman (2019) note that CCE is reliant on "the ability to merge cyber security experience and analysis with a level of engineering expertise that typically has not been included in the conversation. When assessing the technical impact, the (engineering) subject matter expertise is invaluable for not only determining the impact [at] a single component level but also discovering how that exploitation will impact operations across an infrastructure or region."
In this light, it is useful to adapt an insider threat vector approach to anticipate both internal and external threats: how a party with destructive intent and knowledge of control system capabilities, plant operations, etc. can cause disruption of safety or other processes in order to damage critical infrastructure. At the equipment level, there is a need to assess the design and operation of these systems. An example is a turbine system with a turbine lube-oil pump. The turbine should never be operated without the lube-oil pump running. At the design stage, the possibility that this would happen intentionally may not have been considered. Rather than trying to prevent this from a cyber perspective, which introduces more complexity, a design change that installs a mechanical interlock to shut the turbine down automatically if the lube-oil pump is out of service can prevent the safety issue from occurring. There are many examples where relatively simple changes of this nature can prevent a cyber or physical attack from causing damage. Obviously, this requires the participation of the engineering community from the design stage through the operational stages.
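To make the interlock argument concrete, the following Python model is added here as an illustration; it is not code from the article, nor from any plant or vendor. It contrasts a network-reachable controller, whose pump-status input and run command an insider or remote attacker can tamper with, against a hardwired interlock that acts only on physically measured lube-oil pressure and has no network path. The plant model, the 15 psi trip threshold, the two attack scenarios and all names are hypothetical.

```python
"""Toy model of a turbine lube-oil interlock (illustrative, not plant code).

Two layers decide whether the turbine runs:
  * Controller          - cyber-reachable logic; its view of the plant arrives
                          over the network and can be falsified or overridden.
  * MechanicalInterlock - hardwired trip acting on measured pressure only.
Names, threshold and scenarios are hypothetical.
"""
from dataclasses import dataclass

LUBE_OIL_MIN_PSI = 15.0  # hypothetical trip threshold


@dataclass
class Plant:
    """Physical state of the equipment."""
    pump_running: bool = True
    turbine_running: bool = False

    @property
    def lube_oil_psi(self) -> float:
        # Pressure exists only when the pump actually runs; this is what the
        # mechanical interlock senses, independent of any network value.
        return 40.0 if self.pump_running else 0.0


@dataclass
class Controller:
    """Cyber-reachable control logic (PLC/HMI side)."""
    reported_pump_running: bool = True  # pump status as received over the network
    forced_run: bool = False            # run output forced by an attacker/insider

    def run_permitted(self) -> bool:
        # Software permissive: trusts what the network reports about the pump.
        if self.forced_run:
            return True
        return self.reported_pump_running


@dataclass
class MechanicalInterlock:
    """Hardwired trip: no network path, only physical pressure."""
    installed: bool = True

    def trips(self, plant: Plant) -> bool:
        return self.installed and plant.lube_oil_psi < LUBE_OIL_MIN_PSI


def scan(plant: Plant, ctrl: Controller, interlock: MechanicalInterlock) -> bool:
    """One control cycle: controller commands, interlock has the final word."""
    plant.turbine_running = ctrl.run_permitted()
    if interlock.trips(plant):
        plant.turbine_running = False
    return plant.turbine_running


def scenario(attack: str, interlock_installed: bool) -> dict:
    """Pump is physically out of service; see whether the turbine still runs."""
    plant = Plant(pump_running=False)
    ctrl = Controller(reported_pump_running=False)
    if attack == "spoof_sensor":
        ctrl.reported_pump_running = True  # network lies: "pump is running"
    elif attack == "force_command":
        ctrl.forced_run = True             # insider forces the run output
    interlock = MechanicalInterlock(installed=interlock_installed)
    running = scan(plant, ctrl, interlock)
    return {
        "attack": attack,
        "interlock": interlock_installed,
        "turbine_running_without_lube": running,
    }


if __name__ == "__main__":
    for attack in ("none", "spoof_sensor", "force_command"):
        for installed in (False, True):
            r = scenario(attack, installed)
            print(f"{r['attack']:14s} interlock={str(r['interlock']):5s} "
                  f"turbine runs unlubricated: {r['turbine_running_without_lube']}")
```

With no interlock, either a falsified pump status or a forced run command leaves the turbine running without lubrication; with the interlock installed, both attacks are stopped because the trip never consults the network. That is the design point the paragraph makes: the safety function is placed where the cyber threat cannot reach it, rather than added as more logic inside the layer that is exposed.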
One general solution holds great promise because it has the potential to provide additional cyber security, reliability, and safer outcomes for both control and safety systems. Control system situational awareness is dependent on the validity of the process measurement sensors. If the measurements are either inac-