The mission of the Cybersecurity and Infrastructure Security Agency (CISA) is to lead the national effort to understand, manage, and reduce risk to U.S. cyber and physical infrastructure. While it is a broad and noble undertaking, the industry unfortunately lacks historical data and abundant precedent for what actually works best.
Dale Peterson recently reflected on the CISA 2024-2026 strategic plan, asking which risk reduction efforts are measurable and impactful and wondering if implementing the Cyber Performance Goals (CPGs) reduce cyber risk to critical infrastructure. Given CISA’s core mission, however, we should be wondering: if we can reduce these risks, what is the threshold for “confirmed impactful incidents,” and which of the proposed measurable objectives reduce the severity of impacts, why and how?
There are many schools of thought leading awareness, activity and investment in industrial cybersecurity. As the federal government continues to build momentum in defending and security critical services the nation depends on, it may seem easy to identify priorities across critical sectors. However, leaders risk recreating false dichotomies where gap analysis still needs to be done. This blog covers where our collective understanding is today and where research and development can enhance cybersecurity awareness and action.
Where Does That Leave OT?
The OT security community seems to agree that addressing risk across critical infrastructure requires a more granular and purposeful model than the current approaches deliver. If the underlying effort from ONCD national cybersecurity strategy is the development of shared services to reduce costs, especially for ‘target rich, resource poor’ organizations, OT should be a primary focus, not considered out of scope for the ongoing federal regulation harmonization effort.
Critical infrastructure cybersecurity presents a massive needle in a haystack problem. There is a lack of understanding of the census of industrial assets and technologies in use across critical sectors today, their configuration contingencies for risk management, and holistic awareness of realistic cascading impacts and fallout analysis for entities with varying characteristics and demographics.
We need to better understand the national inventory of operational critical components, how to defend them based on an effects-based, rather than a means-based approach to protecting critical infrastructure, and take proactive measures to reduce the severity of supply chain attacks and impacts.
Sector Risk Management Agency Capacity Building
When CISA’s CTA slogan became “Shield’s Up!,” industry widely responded with a desperate plea to help get corporate leaders’ heads off of swivels, not knowing where to sink costs to comply with existing standards, frameworks, and best practices. Where sector risk management agencies (SRMAs) could not fill the gaps in federal harmonization amongst themselves, they have stepped in with capacity building efforts across the 16 critical sectors.
In a perfect world there would be a dedicated cybersecurity subject matter expert at the federal level for each critical infrastructure sector, either within each SRMA or at CISA as a main technical liaison. In lieu of this reality, cybersecurity research and development should capture the entire OT/ICS supply chain – security management of suppliers, enterprise content management, development environment, products and services, upstream supply chain, operational OT, and downstream supply chain – aligned to the CISA CPGs as a baseline.
If there is no contextualization for the complex problem of critical infrastructure cybersecurity, we risk two poor outcomes. First, increasing the cost of compliance-based cybersecurity to the extent that small to medium sized businesses cannot afford to meet expensive and prescriptive cybersecurity regulations. Second, that the government finds itself responsible for providing managed cybersecurity services to designated concentrations of risk across multiple sectors – an imprudent, wildly expensive, and unsustainable outcome.
CISA and all of the SRMAs need to identify what level of cybersecurity and risk management asset owners can afford to own vs. what government can reasonably subsidize and augment. As the SRMAs designate required capabilities and risk reduction measures at the asset owner level, they should continue and enhance vendor-neutral evaluations of designated and required tools.
CISA Cyber-Physical R&D Gaps
Federal cybersecurity research and development lacks a holistic and national understanding of OT and ICS. Metrics should be driven by impact and consequence evaluations, providing assessment and environment-specific context. This is where CISA’s Resilient Investment Planning and Development Working Group comes in. Their white paper on RD&I Needs and Strategic Actions for Resilience of Critical Infrastructure has been largely ignored in the broader federal regulatory conversation, despite its release in March 2023.
The paper details how “the outcomes of federal research efforts on critical infrastructure resilience are often sector-specific or fragmented by discipline, making it difficult to develop a full picture of how those efforts may mitigate cross-cutting and systemic risks.” Of the action items in the report, there are 3 major gaps identified with many specific needs and action items outlined. For OT cybersecurity regulation in the short term, the most important gaps and needs are as follows:
Gap 1: An integrated analysis of consequences and risk reduction decision factors for critical services that depend on cyber-physical infrastructure systems.
- Need: A systemic understanding of interconnected cyber-physical infrastructure risk to critical services from the local to national scales.
- Need: Common definitions, standards, and metrics for measuring effectiveness of infrastructure resilience interventions.
Gap 2: User-engagement in cyber-physical infrastructure research to translate resilience knowledge into effective action at the local and regional level.
- Empirical investigation of how the regulatory system may constrain or enable enhancements to the resilience of cyber-physical infrastructure.
- Identify the institutional conditions for effective infrastructure governance and adaptive capacity.
Onward and Upward
In the meantime, baselining critical infrastructure resilience remains one of CISA’s major goals for their 2024-2026 strategy. The umbrella national cybersecurity strategy has three focus areas: addressing immediate threats, hardening the terrain, and driving security at scale. And a synergistic goal of the CPGs is to map cybersecurity standards and controls to cybersecurity outcomes. Given all of these goals and perspectives, these R&D priorities cannot be ignored or left on a shelf to collect dust.
The reality is more confusing than conflicting, leaving industry experts to harken back to the basics of attack surface management for cyber-physical systems: crown jewel impact analysis to address and harden most critical systems, building defensible architectures with adequate segmentation, and vulnerability management controlling for systems that can’t be hardened. Despite a focus on the future, there’s no real indication of how well industry is applying these basics across the board today. Of course, if you don't know where you are, then you don't know where you're going.