Fortifying the Resilience of our Critical Infrastructure
February 28, 2024 | Eric Horvitz - Chief Scientific Officer,
Microsoft
Since the days of Franklin D.
Roosevelt, U.S. presidents have created scientific advisory committees. The
committees have served to provide scientific guidance to the president and the
nation. It’s been an absolute pleasure and honor to serve on the President’s
Council of Advisors on Science and Technology (PCAST) over the past several
years.
PCAST just released a report on
recommendations aimed at bolstering the resilience of our nation’s
cyber-physical systems. It has been both challenging and rewarding leading this
study alongside my co-chair, Phil Venables, and a group of dedicated PCAST members
and external experts who served on the Cyber-Physical Resilience Working Group.
During the year and a half of
intensive study, we garnered valuable insights from deep dives into the current
state of affairs and potential advancements in this
field. Our learnings were significantly enriched through extensive
consultations with experts from academia, industry, and government agencies,
which not only broadened our understanding but also critically shaped our recommendations.
Cyber-physical systems, integral to
our critical infrastructure, intertwine computing technologies with physical
processes. These hybrids of digital and physical components are ubiquitous: our
water, electricity, communications, healthcare, transportation, manufacturing,
and defense are now predominantly cyber-physical in nature.
The digitalization of our
infrastructure has provided new efficiencies and capabilities, such as
fine-grained controls and adaptation, monitoring and tracking, and coordination
among multiple components of systems. However, it also introduces vulnerabilities
due to system complexity and interdependencies. Understanding all potential
failure modes is challenging, and a single point of failure can trigger
cascading effects. Furthermore, these
systems are prime targets for cyber-attacks, where digital assaults can cause
tangible, widespread damage.
The brittleness of our
cyber-physical systems is highlighted by recent incidents, including the Texas
power outage after an atypical cold snap, the Colonial Pipeline shutdown
following a ransomware attack, and nationwide delays of thousands of flights caused
by the updating of a single computer file by the FAA. These events underscore
the unpredictable outcomes following system failures, errors, or attacks.
Our premise is that failures in
complex cyber-physical systems are inevitable.
Thus, our focus shifts to enhancing resilience, ensuring that these
systems continue functioning, albeit possibly at a reduced capacity, despite
cyberattacks, human errors, natural disasters, and component failures. For
example, a water treatment facility must maintain minimal acceptable service
levels even under cyber-attack or sensor failure. Resilience can be achieved
through proactive strategies like backup systems, fail-over plans, and
availability of fully manual operations.
Among other recommendations in the
report, we advocate for:
· Setting performance goals for
utilities and service providers, ensuring a guaranteed minimum service level
even during digital functionality losses due to cyber-attacks, natural hazards,
or errors.
· Developing measurable, reportable
leading indicators of resilience to track and improve system robustness.
· Creating a National Critical
Infrastructure Observatory for mapping vulnerabilities within and across
sectors and strategizing against potential threats.
· Enhancing R&D and coordinating
efforts in cyber-physical resilience, including preparing defenses against
AI-assisted attacks—such as using AI to formulate and execute multi-faceted and
sequential attacks across various sectors.
· Breaking down silos to facilitate
inter-agency and private sector collaboration for comprehensive resilience
planning.
· Promoting accountability at the
industry, board, and executive levels, focusing on resilient infrastructure.
For more details on our
recommendations and their underpinnings, please
refer to the full report.