PCAST report urges strengthening of nation’s cyber-physical systems, focused on building resiliency

Strategy for Cyber-Physical Resilience - Report to the President

The President’s Council of Advisors on Science and Technology (PCAST) has released a report emphasizing the need to strengthen the nation’s cyber-physical systems. Despite the progress made, there is an urgent call for more decisive action to enhance cyber-physical resilience. The report suggests key strategies such as utilizing the expertise of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and fostering collaboration with various federal and private sector partners. 

Cyber-physical systems, which encompass the intertwined digital and physical infrastructures vital to the everyday lives of Americans—ranging from the electrical grid and public water systems to internet and telecommunications, banking networks, air traffic control, and beyond—require robust protection and innovative security measures to safeguard against potential threats.

Last March, PCAST announced the establishment of a working group on cyber-physical resilience to bring together consulting experts from across the public and private sectors and academia. The working group consists of several PCAST members and other experts, who work towards building resilience across critical infrastructures.

The PCAST report identified that cyber-physical risk is high, while protections are disproportionately low. “America’s infrastructure systems were created and operated long before they acquired cyber dependencies, with sensing, computing, and networking dependencies developing in different ways over time. There is no systemic, pervasive protection against cyber risk since our protections and defenses for each cyber element have also evolved over time,” it added.

“We must continue to ensure effective cyber defenses and, at the same time, acknowledge that we cannot make all our infrastructure impervious to every threat or hazard. Instead, we must make our cyber-physical infrastructure resilient,” according to the report. “Fortifying the resiliency of our critical infrastructure will require a substantially deeper partnership between the public and private sectors to focus attention and to unleash deeper investment.” 

The recommendations by the federal advisory committee include establishing measures of resilience and setting performance goals that define minimum delivery objectives for critical services integral to daily life, even in the face of adversity from natural hazards, errors, or attacks. It also calls for bolstering and coordinating research and development to better understand the weaknesses of existing infrastructure and the steps needed to introduce deep resiliency, including creating a national critical infrastructure observatory to map infrastructure, so that the nation can outmatch adversaries in discovering and addressing vulnerabilities and concentration risk.

It also proposed breaking down silos and strengthening government cyber-physical resilience capacity to support the resilience goals of the nation’s critical infrastructure sectors, ensuring that they can reliably deliver the services that Americans need. The Council also called for developing greater industry, board, CEO, and executive accountability to ensure that infrastructure is reliable and resilient. These recommendations aim to augment actions of the U.S. administration to reinforce security of the vital cyber-physical infrastructural resources utilized by all Americans.

The PCAST report recommends a series of actions to fortify the resilience of the nation’s critical infrastructure. The first is establishing performance goals: the report recommends that CISA be tasked, building on its efforts to develop both Cybersecurity Performance Goals and Physical Security Performance Goals, to work with Sector Risk Management Agencies (SRMAs) and their Sector Coordinating Councils (SCCs) to create an integrated set of Critical Infrastructure Performance Goals that define minimum viable delivery objectives for services integral to daily life.

It also focuses on bolstering and coordinating research and development. Once again, the committee recommends that CISA, in partnership with SRMAs and SCCs, task the National Risk Management Center with developing a National Critical Infrastructure Observatory to enable better understanding of the weaknesses and strengths of existing infrastructure, helping to outmatch adversarial attacks and prepare for accidents and catastrophes. The report further recommends tasking the National Science and Technology Council with formulating a more coordinated national research and development (R&D) agenda on cyber-physical resilience.

The PCAST report also calls for breaking down silos and strengthening government cyber-physical resilience capacity. It recommends directing cabinet secretaries of the agencies responsible for national critical infrastructure to fully resource their SRMAs with greater capabilities to support the cyber-physical resilience goals of critical infrastructure sectors, ensuring that they can reliably deliver the services that Americans need.

It also calls for developing greater industry, board, CEO, and executive accountability and flexibility. It recommends directing CISA to work with SRMAs and SCCs to increase the expectations that boards, CEOs, and other executives, as the owners and operators of critical infrastructure, contribute more time and resources to ensure that infrastructure is reliable and resilient. 

The private sector should further augment its ‘tone at the top’ with ‘resources in the ranks’ to increase operations and activities aimed at strengthening resilience. In addition, CISA should work with local utility commissions and overseers (especially for water and electricity) to ensure that necessary investments for cyber-physical resilience are made.

The report detailed that present systems call for coping with vulnerabilities that cannot be completely identified, much less eradicated. “The current cybersecurity landscape is riddled with hidden fragility and flaws. Even with the most rigorous testing and meticulous engineering, some vulnerabilities inevitably slip through. Our approach must shift from a futile quest for absolute invulnerability to a more realistic strategy of resiliency in which we control the impacts of failures,” it added.

It also identified that future systems must be shaped by cyber-informed engineering. Much of the technology that underpins cyber and cyber-physical systems was engineered without appropriate consideration of security needs. Consequently, security and resilience elements are tacked on after systems are deployed, often imperfectly and at considerable expense. “Our approach must change to ensure that technology manufacturers are developing their systems to be secure and resilient by design to dramatically reduce the number of flaws that can fail or be exploited by threat actors,” the report added.

Improvement and proliferation of new technologies, especially Artificial Intelligence (AI) systems, will transform the landscape of cyber-physical security, amplifying capacities for both attack and defense. AI and other new technologies are advancing rapidly. Technical innovations are inherently dual-use: they benefit both attackers and defenders. The strategy must be to adopt them fast enough and well enough to benefit defenders more than attackers and to not base any defensive strategy solely on denying technologies to attackers. 

In conclusion, the report said that protecting customers, driving security and resilience in supply chains, and being able to operate in adversity are what sets apart an organization that deserves customer trust and is more likely to not only survive, but thrive. “Many of the approaches we recommend have significant commercial benefits, whether it is insurance benefits, increased agility, or a more stable base from which to innovate. In the development of this report, we heard calls from various sources to recommend the introduction of a federal cybersecurity insurance backstop. We rejected this as we believe it can create a moral hazard to disincentivize investment by companies in their own resilience.” 

Calling for further work on looking at concentration risks and the need for catastrophe risk approaches with federal government support, the PCAST report said that it does not “believe the implementation costs of the recommendations in this report targeted at government to be significant (in the context of agencies’ budgets). We believe in many respects the goals can be met by reprioritizing existing activities. If the needed authorities are obtained, by Congressional action or otherwise, then the actions in this report can have even more effect.” 

It also identified that the cost impact to the private sector to implement this report’s recommendations is higher, but dependent on their current state. “We know many private sector organizations invest extensively, commensurate with their criticality, but others do not and so should direct more resources to the challenges of cyber-physical resilience. Increased cyber-physical resilience is usually fully aligned with commercial goals and is core to the mission and commercial objectives of public and private sector organizations. We see boards and executives driving such improvement in their own self-interest,” it added. 

However, as with any aspect of society, there need to be checks and balances—laws or regulations—to create the incentives to build resiliency that may slip in the face of occasional short-term thinking.
