The last 18 months have been nothing short of historic for critical infrastructure companies. First came a series of dramatic developments that highlighted the risks to industrial environments:
• Digital transformation accelerated. Connectivity – from Operational Technology (OT) to IT and up to the cloud – for business efficiency and profitability has taken off. But this hyperconnectivity has created a much larger attack surface and exposes vulnerabilities that are a boon for threat actors.
• Ransomware went corporate. No longer satisfied with locking up someone’s personal data and laptop, threat actors shifted their focus to locking up a factory or pipeline. The lack of a highly visible response from the U.S. government emboldened hackers to continue to move the line they are willing to cross in a bad direction.
• Craftiness of nation-states grew. A flurry of supply chain attacks against companies such as SolarWinds, Accellion, and Kaseya, to name a few, impacted millions of users downstream. The scope and stealthy nature of these attacks demonstrated the advanced capabilities and backdoors in use and woke us up to our own cyber insecurities in the world.
In response to this confluence of factors, the U.S. federal government has issued an unprecedented wave of legislation focused on better securing critical infrastructure. We’ve seen a White House Executive Order followed by national security memorandums and industry-specific directives that have set the stage for the formation of a Cyber Incident Review Office. If you’re a CISO or security leader, here are three questions to ask yourself as you consider this legislation and look to improve the security posture of your OT environment.
1. Section 2 of the executive order focuses on removing barriers to sharing threat information. Over time we have learned that cybersecurity is a team sport. What any one entity sees has the potential to help others. However, all too often there is a hunger to receive threat information, but a reluctance to share. Adding to the hesitance, critical infrastructure organizations have historically operated as islands because of the sensitivity of their environments. For information sharing to become a two-way street, barriers need to be removed. By deploying proper anonymization mechanisms, companies can keep their information secure. New legislation will also help move information sharing in the right direction if it includes assurances that shared information will be kept confidential and that companies will receive liability protection from being sued for revealing they were attacked.
The question for CISOs: Are you using information provided from a specific Information Sharing and Analysis Center (ISAC) or from your cyber security provider to gain visibility into incidents that others see? And are you sharing high-value information back out?
2. Section 4 of the executive order focuses on enhancing software supply chain security. The National Institute of Standards and Technology (NIST) has been directed to publish a definition of “critical software” that has minimum standards for least-privilege access, configuration, and inventory, as well as developer criteria to ensure secure coding practices. While this definition is initially focused on ensuring that software procured by the federal government functions securely, it will have the effect of securing software used by both the public and private sector because the same software is used everywhere. The clear intent is to raise the bar of security and integrity across the entire software sector.
The question for CISOs: Have you considered leveraging some of these new standards and criteria as part of your software procurement practices?
3. Section 5 of the executive order focuses on establishing a cyber safety review board. Just as the National Transportation Safety Board (NTSB) has become the gold standard for understanding transportation incidents and continuous learning to reduce accidents, a cyber safety review board holds the same promise for cyber activities. Just three weeks prior to the attack on the Oldsmar, Florida water treatment facility, a California water treatment facility was breached using the same attack technique. Had a review board been in place at that time, there would have been an opportunity to learn from the California breach and prevent the attack in the Oldsmar district. Having a clearing house such as the Cybersecurity and Infrastructure Security Agency (CISA), as recommended in a recent bipartisan proposal, to review details in the wake of significant cyber incidents will help reduce the number of cyber incidents across U.S. critical infrastructure.
The question for CISOs: Do you have a culture of continuous improvement in risk and cyber security that drives learnings from your own failures and those of others?
A surge in cyberattacks impacting critical infrastructure and the delivery of services vital to the public well-being has spurred much-needed legislation to better protect against these threats. And more proposals are likely to come. For CISOs of critical infrastructure organizations and those of us who work on their behalf, the writing is on the wall. The government needs better visibility into OT networks vital to the country’s economic and national security, regardless of ownership. Together, we can and must take action to improve the security posture of the industrial domain.