Rethinking Cyber-Physical Resilience
Cyberattacks, software glitches, supply chain problems, mechanical failures and natural disasters can all disrupt the energy, transportation, healthcare and banking sectors.
The traditional response to such disruptions is to improve the reliability, security and regulation of specific components, rather than address the system as a whole, according to the working group. In the case of a patched cyber vulnerability, subsequent attacks might simply shift focus to a weaker component.
PCAST’s working group, mirroring the federal zero-trust strategy released in 2022, will operate on the assumption that system breaches and component failures are inevitable. That way, critical infrastructure will not only be prepared for attacks but also positioned to recover when they occur, and the same will be true when things break.
The working group intends to reimagine cyber-physical resilience within this context by identifying experts in the space who can help develop new approaches. But the open call for submissions is an acknowledgment that the task is daunting.
The Road to Recommendations
Without limiting the scope of suggestions, the working group members expressed specific interest in actionable recommendations on the following topics:
- Recovery and survivability in the face of attacks or events
- Approaches to ensure continuity of operations in degraded states
- Mechanisms to measure and assess modularity and limitations of scope or costliness of failures
- Incentives to balance efficiency, which can reduce resilience, versus the investment needed to maintain sufficient resilience
- Out-of-band or system-independent means of ensuring physical control in the event of digital failures
- Methodologies and standards to encourage resilient systems design and adoption
Eric Horvitz, chief scientific officer at Microsoft, and Phil Venables, CISO at Google Cloud, serve as co-leaders of the working group, which includes experts from academia and government. The group has six months to make recommendations to the White House in collaboration with the National Institute of Standards and Technology, the Defense Advanced Research Projects Agency and the Department of Homeland Security.
The working group asks that outside submissions be concise, open to public disclosure and sent to pcast@ostp.eop.gov with “Cyber-Physical Resilience” in the subject line, adding: “Unfortunately, we cannot commit to corresponding on all submissions, but we may invite contributors to present their ideas to the working group as part of our evolving process to develop recommendations.”