Journal of Critical Infrastructure Policy
2020 ). Can this occur sufficiently and in time to avert the magnitude of challenges ahead ? Beyond EO 13920 , this question should be granted primary national security importance .
It is arguable that some attackers are becoming better system engineers than the defenders since they generally don ’ t have organizational charts with the resultant silos . It may prove difficult for defenders to stay ahead of attackers . Sophisticated attackers often work backwards by determining the damage they want to cause and then producing tools to achieve that goal . “ Some attackers are highly organized professional teams executing targeted and disruptive attacks with sophisticated tools for ransom , revenge , or worse . Many are well funded , especially when sponsored by nation states .” 21 “ Today , the big prize , the piece de resistance of cyber malfeasance , is the industrial sector full of systems that were not designed with security in mind ...” 22
The paradoxes of providing cyber security in most settings are well known . There is “ a complex ecosystem in a cyberphysical society . Ignorance , a limited understanding of what needs to be done , limited awareness of the issue despite its significance and urgency , have resulted in a lack of action , planning and policies ” ( Bruijn , 2017 ). This makes it essential to continuously estimate the potential costs , benefits and risks of sharing rather than concealing information that is pertinent to OT cyber security . In most instances , a deft assessment of concealing threat intelligence versus supplying the necessary facts to defenders will need to be made . However , in terms of national security , the expanding attack surface associated with control system security will increasingly require that timely determinations be made .
In this context , the CISA Unified Initiative : FY 2019-2023 needs to be broadly supported , appropriately resourced , and led . Most importantly , it needs to be vigorously evaluated in terms of the nature and scope of control system resilience built through the program . Organizations such as the US General Accountability Office ( GAO ) and the National Academies of Sciences , Engineering and Medicine have the resources to constructively evaluate progress . 23
Organizational Culture and Skills
Culture and governance issues are critical to securing control systems . However , as argued , the prevailing governance model is such that cyber security is viewed as a network , not an engineering problem . For control system security , this is a barrier that needs to change . The engineering component of organizations is generally re-
21 General Electric , 2017 , p . 21 . 22 Ibid , p . 20 .
128