Professor Craig Miller Of Carnegie Mellon University College of Engineering On What We Must Do To Protect Critical Industrial Systems From Cyber Attacks

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
14 min read · Oct 20, 2022


Doubt yourself, then trust yourself. Build a strategy for continuous improvement and then criticize it. Ask for criticism and treasure the person who criticizes thoughtfully. Consider what they say, but ultimately trust yourself to make the decisions, then move forward with confidence and energy.

Ransomware attacks have sadly become commonplace and increasingly brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack? In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about what we must do to protect critical industrial systems from cyber attacks. As a part of this series, I had the pleasure of interviewing Craig Miller.

Craig Miller is a respected expert in issues related to energy supply and policy, and to the control and operation of the electrical grid, with particular emphasis on grid cyber security. He holds a Ph.D. in Energy System Engineering and has worked in the area since 1975. Computer control systems have been at the core of his work throughout his career, with a focus on architecture and security through the evolution from monolithic systems to modern systems that span geographic, corporate, and legal boundaries. In 1990 he joined the National Rural Electric Cooperative Association (NRECA), which embraces the more than 900 electric cooperatives that serve more than 50% of the U.S. land mass. He became the first Chief Scientist of the organization, leading about $100 million in research and development. On retiring from NRECA, he was invited to join Carnegie Mellon University as a Research Professor. There he continues his grid R&D with a focus on the problem of recovery from cyber attack.

Thank you so much for joining us in this interview series! Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I had never been hands-on with a computer when I first went to college in 1969, but computers had figured prominently in the science fiction books I devoured in my early teens, so I signed up for an introductory class right away. I took to programming very quickly and fell in love with computing. Here was a tool that could do anything. A hammer hammers, a saw saws, but a computer can be shaped for myriad purposes. I was hooked, and still am. Even at 71, I still program and am learning a new language (new to me anyway). As an undergraduate, I begged and pleaded to become the night-time operator of the school’s then-new computer. In the long night-time hours, I had access to more computer time than I could use, and I turned to what would now be called hacking. I learned to access the administrative systems. I never altered grades or bills, but I did give myself and my friends in the physics club access to the specific classes we wanted. Though I enjoyed my illicit power, I knew at the time that what I was doing was “technically” wrong, but I knew my heart was pure. I began to think, however, about what would be needed to shut down people skilled like me but with less pure motives.

Can you share the most interesting story that happened to you since you began this fascinating career?

I have been fortunate to have had many wonderful adventures and experiences in my career, but one that stands out is fairly recent. Annabelle Lee, a pioneer in grid cyber security and cyber security more broadly, was asked by the U.S. Agency for International Development to organize a meeting in Tbilisi, Georgia of nations in the Black Sea region to coordinate their grid cyber security efforts and form an organization for continued cooperation. Annabelle invited me to participate. In discussion there, I commented to a group of local experts that they were the experts as they are routinely probed and attacked by Russian-based hackers, while the U.S. had much more limited direct experience with the Russians. One fellow, with a voice from Central Casting, drolly responded, “What do you mean? The Russians hacked your election.” True or not, it made me think that all of us who work on behalf of sustaining critical infrastructure have a lot in common and can learn from each other. All of us together are smarter than any of us.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Curiosity — I have benefited from an excellent education, but at the detail level, nothing I learned in school is still relevant. I have only been able to stay relevant in a highly technical field because my teachers taught me to be relentlessly curious, and gave me the skills to learn. My father had to drop out of college during the Depression as the family needed his work in his father’s grocery store. My father had to become an autodidact, and he taught me to end each day by asking myself what I learned.

Respect — I was in elementary school in the year following Sputnik. America was panicked and started pouring huge funding into education. I was in a federally funded program, surrounded by wonderfully smart kids and the best teachers. I never had the luxury of believing that I was the smartest person in the room or had a monopoly on skills or insight. All my life I have collected smart friends, learned from them, and celebrated them. I have learned that in each person there is the potential for something clever, or insightful. Listening with respect is wonderfully educational.

Doubt — I am a quick thinker and frequently find “the answer” shortly into any analysis. Most of the time I’m right, because most answers are easy and obvious, but it is vitally important to doubt yourself, to ask whether you could be wrong and why others may not see the brilliance of your insight. I cherish critics and skeptics. I doubt myself, but in the end, when I have considered and refined my strategy, I trust myself and move forward.

Are you working on any exciting new projects now? How do you think that will help people?

The best thing in my life is to find myself in my 70s, still doing relevant work and having a project at hand that may be the most important and exciting I have ever participated in. Before coming to Carnegie Mellon, I worked on a project to detect compromise in the controls for the electrical grid very quickly so that attacks can be shot down and the damage limited. That work was successful and has been passed on to wonderfully capable hands. The team quickly showed me that I wasn’t necessary anymore so I had to ask “what’s next for me?” The answer was obvious — I had to think about what were the critical next steps in grid cyber security. We have developed powerful tools for protecting the perimeter — keeping the bad guys out — and there are several companies offering good tools. We also have technology for detecting compromise by looking for anomalies in grid operation. What’s next?

We need to develop methods and tools to restore and repair grid control systems after they have been compromised. That is the focus of my work — building what we need to repair components and reconnect them safely to restore function, and how to operate systems at reduced capacity while restoration is underway.

For the benefit of our readers, how would you define a critical industrial system? Can you please explain with some examples?

Our society depends on its technical infrastructure to provide essential services. We need energy, water, transportation, and communication to operate. The systems for providing these are no longer simple and mechanical as they were in past centuries. Delivery of just about everything we depend on is itself dependent on information systems and industrial control. When a storm (like Ian, most recently) damages a town, the water supply fails, but restoring it is not a simple matter of dipping water from a well, or even bottling water and delivering it by truck. That’s water for drinking and cooking, but what about water for sanitation? That requires the operation of reservoirs, aqueducts, pumps, and water treatment facilities, all of which are dependent on reliable electricity.

Critical infrastructure is not about one system (e.g., the grid) but about multiple, mutually dependent systems. A power plant cannot operate without water, and a water plant cannot operate without electricity. Similarly, gas and electricity are interconnected. This interdependency is a critical consideration as we move forward in our approach to societal resilience.

Can you share some examples of recent and notable attacks against critical industrial systems? Why do you think these attacks were so significant?

I’d like to tell the story of an attack that nobody ever heard of. There is a relatively small company in the electric utility space that makes engineering software that is used in well over 70% of smaller utilities (more than 1,000 companies). I cannot mention their name for legal and business reasons. Their software is best in class. They discovered that they were breached and that, possibly, some malware was introduced into their software which, following current practice, was frequently updated from a cloud server. As soon as they detected the breach, they shut down all updates and began investigating the breach. They called me to consult on the response and I advised them to report to the FBI and DHS. They did this promptly and got no response.

Why not? They weren’t a utility. To the federal officials, there did not appear to be any serious threat to the grid, but, in fact, in the worst case, this could have introduced a vulnerability to more than 1,000 utilities. The federal response dragged until the problem was resolved through the company’s own efforts. The challenge here is that the model being applied thought of companies, while software in the modern world crosses corporate boundaries.

Business systems (or, in this case, industrial control systems) use components and software from all over the world. Programs were once monolithic banks of code. All modern programs are assembled from libraries, and some functions draw on common services outside the organization. Calculation of sales tax, for example, is very hard for a company which operates across hundreds or thousands of jurisdictions with different rules.

This attack could have been catastrophic. It was not, because it was caught quickly and the company responsible acted aggressively. I am totally in favor of smart people and smart companies doing their jobs well. That is the starting point for any effective cyber security, but I was disappointed that the organizations to whom the problem was escalated did not understand the magnitude of the problem. To its credit, the Department of Energy got it and escalated the problem.

Why are critical industrial systems particularly vulnerable to attack?

I am a child of the 60s, and there was a saying then: “What if there was a war and nobody came?” Most cyber attacks are like that. Someone takes down a system or hacks a database and someone is annoyed or inconvenienced, but the broader society doesn’t notice. I receive a dozen or so phishing attempts a week and brush them aside, but this morning I found redirection software on one of my computers despite absolutely current malware protection. I searched the web and found instructions on how to remove it and did so in a few minutes. I did not mention it to anyone because there was already enough information on the web. This was a war that nobody came to.

What makes critical industrial systems such an attractive target for bad actors?

An attack on infrastructure is different. If my neighborhood’s power goes out, we are going to be mightily inconvenienced. We can imagine the bad impact if a hospital lost power, but all hospitals have some measure of backup and we can concentrate on restoration of service for them, but what about the individual who is dependent on electrically powered medical equipment or delivery of critical materials? That sort of attack is visible and impactful. The little hack on my PC this morning is an unnoticed blip, but an attack on infrastructure makes the news and gains mindshare.

Who has to be most concerned about cyber attacks? Is it primarily businesses or even private individuals?

Everyone should be concerned, but in different ways. Private individuals should have a sense that there is risk, though they cannot be expected to understand the magnitude. They can and should take measures to protect themselves against the loss of services.

Our society is amazingly resilient, with typical people stepping up to do the atypical, looking after each other and taking on new roles, unbidden. My hometown was badly flooded in the 1970s and we were without power or water for many weeks. People came into town every day to work on restoration. Traffic was bad because the streets were crowded with debris and there were no functioning traffic signals. Individuals took to standing in the streets at the end of the day and directing traffic, while the drivers chose to accept their direction.

Joe Citizen cannot do much to help with the restoration of the power grid. It is too big, too dangerous, and too technical for Joe, but the Joes can be pretty good at taking care of themselves, their neighbors and in coming together to take care of their community.

The big problems — like restarting power plants and restringing conductor — take business and government. They are unique in their ownership of the technical assets needed in restoration, like generators and bucket trucks, and in the ability to organize and deploy larger, skilled crews.

We all have a role, as individuals, as businesses, as government, and as non-governmental organizations to anticipate and appreciate the risk, to prepare, and to act when called on.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

Start anywhere and keep calling until you have told everyone you know. FBI and DHS first, but don’t stop there.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

This is an easy question. Phishing is at the root of most successful attacks, at least so far. A script kiddie can find the code to implement a basic ransomware attack on the web. The challenge is getting it past perimeter protection, and that is a simple matter of getting an insider to click on a link to download and install the script. All you need there is an address for your email and a plausible script.

The script has to be convincing. A good script has some flattery, some details to establish the authenticity of the sender, and some incentive. The incentive should not be big (thousands of dollars or Super Bowl tickets) because that is not plausible. I get lots of phishing attempts. I review each one to identify the weakness and make improvements. My wife has convinced me not to send the improved version back to the hacker.

The good (bad?) thing about phishing is that it is cheap and easy. If at first you don’t succeed, it costs next to nothing to try again with a different address and/or a different script. Eventually, someone will bite.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

We need to identify and disrupt, imprison, or destroy the miscreants. Cybercrime is different from physical crime. The attacker can remain hidden or beyond the reach of law much more easily and, unlike in physical crime, state actors are involved. Governments must work together to build a common understanding that we must work to stop cyberattacks. No country should fund, enable, or tolerate mal actors within their boundaries whether in the government or outside. We try, as a world community, to live together without violence. We need, now, to think of cyber crime as a kind of violence, no less abhorrent.

What companies must do is simple — stop being such damn easy targets. There is a challenge in monetizing spending on cyber security. What is it worth? If you spend very little, and make it through a year unscathed, were you a wise leader or just lucky? How much luckier are you if you spend x dollars more? I would like every C-suite to think that if they are hacked, their board and their investors should give serious thought to replacing them. The CEO can’t just blame the CSO, especially if they don’t have one.

Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Protect Critical Industrial Systems From Cyber Attacks” and why?

  1. Move forward. I do not believe that any organization can say “If I do A, B, and C I will be secure.” The space is too complex and too dynamic and the road to security is too long. Instead, I would favor an approach in which the organization asks itself relentlessly, “How can I become more secure?” Take a step forward, and then another, and then another. Continuous improvement has been the key to corporate success since modern, data-driven management emerged. Consider Six Sigma and similar strategies.
  2. Doubt yourself, then trust yourself. Build a strategy for continuous improvement and then criticize it. Ask for criticism and treasure the person who criticizes thoughtfully. Consider what they say, but ultimately trust yourself to make the decisions, then move forward with confidence and energy.
  3. Pay attention to how things are operating. We must operate under the assumption that the systems we are protecting will be breached someday. How will we know? In the infamous first hack of the Ukrainian grid, the penetration event took place nine months before the mal actors took down the grid. Could the breach have been detected sooner and, if so, could the damage have been prevented or reduced? I believe in anomaly detection, i.e., looking for system behavior that is abnormal. Anomaly detection has a bad reputation in parts of the security community but that is mostly related to its application to business systems. Business systems lack the regularity of the operations of industrial control systems. The grid, for example, operates with metronomic regularity. Any disruption should be detected in seconds.
  4. Segment your systems. We should architect our systems so that compromise of one component or subsystem does not propagate. This worked last week in Colorado. Colorado.gov, the state’s main website, was hacked. Within an hour there was a page explaining that the page was down and that users should go to the sites for individual agencies, which were still up. The next morning, the new home page had links to each of the agencies. There was no art — no majestic plains, high desert, or waving fields of grain — but it worked. This was an example of a huge cyber success.
  5. Plan for failure. Many cyber organizations are diligent in protecting systems but fall short when it comes to plans to deal with failure. If (when?) the systems are hacked, the team has to know what to do and who is going to do it. Colorado clearly had a plan and architected their system for resilience.
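Point 3 above rests on the observation that industrial control systems behave with metronomic regularity, so departures from that regularity can be flagged within seconds rather than months. The following is an added example, not code from the interview or from any project Professor Miller describes: a small detector that learns a baseline from the first readings of a constructed telemetry stream (poll interval and system frequency, both invented values) and raises an alert on the first sample where either the polling cadence breaks or the measured value leaves a robust band around the baseline. The names, thresholds and sample data are all assumptions chosen for illustration.

```python
"""Regularity-based anomaly detection over constructed grid telemetry.

Assumed scenario: a front end polls a substation every 2 seconds and each
poll reports the measured system frequency in hertz. Both the cadence and
the value are highly regular in normal operation, which is exactly what
makes deviations easy to detect quickly.
"""
import random
from dataclasses import dataclass
from statistics import median
from typing import List


@dataclass
class Reading:
    t: float        # seconds since the start of the stream
    freq_hz: float  # measured system frequency (constructed value)


@dataclass
class Alert:
    t: float
    reason: str


def detect_anomalies(readings: List[Reading], warmup: int = 30, k: float = 6.0,
                     expected_interval: float = 2.0, interval_tolerance: float = 0.5,
                     mad_floor: float = 0.002) -> List[Alert]:
    """Flag cadence breaks and out-of-band values after a warm-up baseline.

    The baseline is a median plus a median absolute deviation (MAD), which
    is robust to a few odd readings during warm-up. `mad_floor` keeps the
    band from collapsing to zero on an unusually quiet warm-up window.
    """
    baseline = [r.freq_hz for r in readings[:warmup]]
    center = median(baseline)
    mad = max(median(abs(v - center) for v in baseline), mad_floor)
    band = k * mad

    alerts: List[Alert] = []
    prev_t = readings[warmup - 1].t
    for r in readings[warmup:]:
        gap = r.t - prev_t
        # Cadence check: a missed or late poll is itself a signal.
        if abs(gap - expected_interval) > interval_tolerance:
            alerts.append(Alert(r.t, f"polling gap {gap:.1f}s (expected {expected_interval:.1f}s)"))
        # Value check: frequency outside the learned band.
        if abs(r.freq_hz - center) > band:
            alerts.append(Alert(r.t, f"frequency {r.freq_hz:.3f} Hz outside {center:.3f} +/- {band:.3f}"))
        prev_t = r.t
    return alerts


def constructed_telemetry() -> List[Reading]:
    """Constructed sample stream: 60 normal polls, two missed polls, then a sag."""
    rng = random.Random(7)  # fixed seed so the example is reproducible
    readings = [Reading(t=2.0 * i, freq_hz=60.0 + rng.uniform(-0.01, 0.01)) for i in range(60)]
    # Polls at t=120 and t=122 are missing; from t=124 the frequency sags to ~59.7 Hz.
    readings += [Reading(t=2.0 * i, freq_hz=59.7 + rng.uniform(-0.01, 0.01)) for i in range(62, 70)]
    return readings


def run_demo() -> List[Alert]:
    """Run the detector over the constructed stream and return its alerts."""
    return detect_anomalies(constructed_telemetry())


if __name__ == "__main__":
    for a in run_demo():
        print(f"t={a.t:6.1f}s  {a.reason}")
```

The first alert fires on the very first sample after the disruption (t=124 s), both because the poll cadence broke and because the value left the band; the 30 normal samples after warm-up produce no alerts. In a real deployment the baseline would be refreshed continuously and the band tuned per signal, but the shape of the check is the same: learn what regular looks like, then treat any departure as something to investigate now rather than nine months later.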

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Invest in education — in every level, in every organization, and every way. Give the smart kid (or smart adult) the tools to learn and the incentives to experience the joy of learning. Every company and every government organization and NGO should have a learning plan and learning should be recognized and celebrated.

How can our readers further follow your work online?

Write me at CraigMil@Andrew.cmu.edu

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
