I work a lot with microprocessor-based protective relaying, and in my experience, cybersecurity has always been a consideration when designing these products. However, there is certainly a cost-benefit analysis in terms of both user experience and economics that becomes part of the decision-making process when designing relays. Protective relay designers ask: How secure is secure enough? How would we know? How would we know when we have reached the point of diminishing returns? What dictates these limits? What are the cybersecurity fundamentals that need to be considered when designing a protective relay? Are there first principles that govern the concept of security?
The consequences of ignoring these questions seem obvious. There are countless examples of how protective relays, or other industrial control system devices, are compromised, leading to results that range from unfortunate to truly terrifying . At present, my perception is that the most talked about methods to address these issues advocate for using additional technology. To me, this only seems to compound the problem and make it more intractable. How can the solution be more technology when this very technology enabled these problems in the first place?
When I first started to think about this problem, I got very concerned. How is it that an entire industry started and progressed to such an advanced stage without understanding the first principles behind the problems that have manifested? My concern only demonstrated my ignorance and lack of critical thinking toward the issue. This was made plainly obvious after I read an article by Carl E. Landwehr , where he pointed out that it is not unheard of for technological revolutions to begin well before first principles are discovered. Landwehr uses the example of the Duomo cathedral in Florence, Italy, which was built 350 years before Isaac Newton—at a time when the science of mechanics had not been formalized. Yet, the cathedral is still standing to this day. Is technology outpacing our ability to secure it in the cyber world? Yes. Is this to be expected? Using history as our guide, yes. That said, I would feel far better about our future if we can solve this challenge in less than 350 years.
SEL's Cybersecurity Center is dedicated to the pursuit of understanding these challenges at a level where we don’t tend to see very much discussion. Instead of highlighting current events and dissecting the cyber tragedies that claim one company after another, we are turning our attention to the thinkers who are attempting to dive deeper to understand the true nature of the cybersecurity problem. Some of these original thoughts are ours—to the extent one can have original thoughts—though many of these posts will highlight the works of others that we find particularly compelling. These will range from highly technical to highly philosophical, as we find that engaging both sides of the brain helps us appreciate the full scope of any given problem  .
We aim to spur debate and discussion because this is a challenge we need to conquer, and we need as many good thinkers and diverse backgrounds as possible to have any chance of prevailing.
- K. E. Hemsley and R. E. Fisher, “History of Industrial Control System Cyber Incidents,” Idaho National Laboratory, . Available: https://www.osti.gov/servlets/purl/1505628.
- N. Perlroth and C. Krauss, “A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try,” The New York Times, . Available: https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html.
- A. Greenberg, “A Hacker Tried to Poison a Florida City’s Water Supply, Officials Say,” WIRED, . Available: https://www.wired.com/story/oldsmar-florida-water-utility-hack/.
- K. Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid,” WIRED, . Available: https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/.
- C. E. Landwehr, “Cybersecurity: From Engineering to Science,” The Next Wave, Vol. 19, No. 2, , pp. 2–5.
- I. McGilchrist, “The Master and His Emissary: The Divided Brain and the Making of the Western World,” Yale University Press, New Haven, . doi: 10.12987/9780300247459.
- I. McGilchrist, “The Matter With Things: Our Brains, Our Delusions, and the Unmaking of the World,” Perspectiva Press, .
Contribute to the conversation
We want to hear from you. Send us your questions, thoughts on ICS and OT cybersecurity, and ideas for what we should discuss next.
Read about the importance of cybersecurity fundamentals and understanding adversaries.
Read about the persuasive techniques phishing emails use to trap readers.
Discover why it’s critical to understand the cybersecurity context that industrial control system (ICS) devices exist within.