Supply chain threats to cyber/physical systems are the next great challenge. Adversaries can use cyber tools to manipulate physical functions of connected devices and systems. Hostile actors can include nation-states, terror groups or commercial rivals. In a crisis, a nation-state may seek to disable facilities on which U.S. national logistics capabilities depend. Terrorists could attack the infrastructure of our public utilities. An unscrupulous competitor could disrupt the factory of an American manufacturer.  

Such attacks may exploit vulnerabilities in networks and be directed through information systems. There are different threat vectors, however. Cyber/physical attacks are made through malicious code that subverts the command logic of cyber-active devices. Firmware may harbor corrupt elements. Hardware can be compromised in fabrication. Malicious code insertion can occur at any phase of the product life cycle. Risks are present at many junctures of the supply chain. Even after microelectronic devices are shipped from their manufacturer, software updates, which routinely occur during sustainment, are a potential attack channel.

These risks, however, are not the cyber threats that now dominate the attention of federal government agencies.

The dominant consequence of cyber/physical attacks is not compromise to the confidentiality, integrity or availability of federal information or federal information systems. Rather, the impact is to the functionality of physical systems and to the safety of equipment operations. The results differ from the injury of a breach of network security that results in extraction of sensitive information. Cyber/physical attacks may be directed to Supervisory Control and Data Acquisition (SCADA) systems, industrial control systems (ICS) and factory automation systems. Critical infrastructure or defense manufacturing, for example, may be disabled immediately, require costly repairs, and take a very long time to remediate.

The cornerstone of federal cybersecurity efforts is FISMA – the Federal Information Systems Management (now Modernization) Act. FISMA requires agencies to provide information security "commensurate with the risk and the magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification or destruction of (i) information collected by or on behalf of an agency; or (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency."

FISMA's purpose is to protect agency information and information systems. NIST has developed an elaborate security regime to fulfill FISMA's requirements, e.g., FIPS 199, FIPS 200, and Special Publication 800-53. These articulate processes, procedures, controls and enhancements to protect federal information and federal information systems. FISMA and its "progeny" are not directed to cyber/physical threats or to the impacts to functionality and safety that could degrade or deny the ability of federal agencies and their contractors to perform missions and deliver supplies and services.

The security emphasis of much of the federal government, where driven by FISMA, has been to protect information and information systems. Cyber/physical threats change the paradigm. With the internet of things (IoT), both the scale and urgency of the problem increase. The IoT implies massive interconnectivity and constant interdependence among devices, communications and control, proliferation of sensors in quantity and functions, cognitive machine processing without human intervention, and relocation of much command functionality to the periphery. The IoT expands the vulnerable surfaces for cyber/physical attacks and could multiply the consequences of attacks.

Security professionals must address the functionality and safety of physical systems crucial to the economy, to homeland security and to national defense. New measures are needed, across multiple domains. The federal government needs to find the right balance between restraint and intervention. The IoT offers enormous commercial opportunity and benefits to consumers, to industry and to governments at all levels. These positive attributes weigh in favor of regulatory restraint. Further, there is wide variation in the deployments and purposes of cyber/physical systems, indicating that the federal response should be discriminating, sector-specific and risk-driven. Federal policy should motivate and leverage private sector initiatives and encourage use of industry-developed standards and best practices.

Yet, the national interest requires protection of certain infrastructure, critical facilities, vulnerable control systems and key factories against emerging cyber/physical threats. Trust in the good intentions or sufficient accomplishments of industry will not be enough. Some in the supply chain will act of their own accord to address cyber/physical risks and respond effectively. Some will promise but not take effective actions. Many will act only if required. For critical systems, even a few "gaps" could be disastrous.

The federal government is using its acquisition authority to require contractors to protect sensitive federal information used in the performance of government contracts. DoD is leading this effort, with the "Network Penetration" DFARS that requires "adequate security" to protect four categories of "Covered Defense Information." Policy makers should consider similar initiatives to address the distinct domain of cyber/physical risks. NIST is working to expand the tool set it provides to help agencies and companies assess and respond to these risks.

It is timely for DoD, DHS and other federal agencies to further develop policies and practices that contractors can adopt to reduce vulnerability to these threats, enhance detection and response to exploits, and mitigate consequences. Elaborate exercises in documentation should be avoided, in favor of policies that emphasize active and continuing response to the dynamic threat universe. Each agency of the federal government may benefit from risk assessment of the infrastructure and industrial capabilities essential to fulfillment of its priority missions. For such critical systems, it could prove appropriate, even necessary, to require contractors to assess for cyber/physical risks and to document system security plans.

Robert Metzger is a shareholder at law firm Rogers Joseph O'Donnell PC, where he's a member of the Government Contracts Practice Group and head of the Washington, D.C., office.