Sharpening 'Shields Up': CISA Delivers Critical Infrastructure Cyber Performance Goals to Prioritize Decisions, Spending, and Action

This month in honor of National Cybersecurity Awareness Month, President Biden announced new and lasting efforts to strengthen U.S. cybersecurity across the federal government and nation as a whole. Recognizing the need to build resilience within connected technologies and across technology-dependent critical infrastructure sectors, President Biden warned that “by destroying, corrupting, or stealing information from our computer systems and networks, they [threat actors] can impact electric grids and fuel pipelines, hospitals and police departments, businesses and schools, and many other critical services that Americans trust and rely on every day.”

As part of that effort, the Cybersecurity and Infrastructure Security Agency (CISA) has released non-compulsory benchmark guidance for critical infrastructure operators to measure and improve their cybersecurity maturity. The cross-sector cyber performance goals (CPGs), with special reference to operational technology and industrial control systems, serve as a minimum set of baseline cybersecurity practices that are applicable across critical infrastructure with known risk-reduction value.

As CISA explains, “These voluntary cross-sector Cybersecurity Performance Goals (CPGs) are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small- and medium-sized organizations kickstart their cybersecurity efforts.” The baselines are meant to be achievable and sustainable, and they are not exhaustive. In this blog we’ll provide an overview of the guidelines, the problems they solve, and advice on how to use them effectively in your organization.

Strengthening Critical Infrastructure Cybersecurity

Individuals, teams, businesses, and sectors struggle with competing priorities: connectivity of critical assets to the internet or other accessible networks, insecure remote connections, and complex, just-in-time supply chains, to name a few. Should they focus on data security? Network security? Devices and endpoints? Does security come before, during, or after cloud adoption and increased automation projects? Despite shared goals and recognized dependence on technology in all aspects of daily life, challenges and constraints sometimes hamper the use of existing security frameworks, recommendations, and best practices.

As a starting place, the CISA CPGs offer a way to demonstrably implement the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). The CPGs supplement the CSF, enabling owners and operators of critical infrastructure to measure and improve their cybersecurity maturity. They provide a standardized evaluation of an organization’s activities to reduce the likelihood and impact of known risks and adversary techniques.

The CPGs are organized by controls and practices, with an associated checklist enabling asset owners and end users in critical infrastructure to tackle and evaluate the CPGs in a few different ways that resonate across C-Suites, IT and OT teams: by scope, cost, impact, and complexity. Scope includes IT protections, OT assets, all employees, policies and subsets of teams and leaders. Cost, while subjective, can be ranked across controls. Controls organized by business impact can be prioritized from low to medium to high. Complexity, in terms of difficulty applying and fine-tuning controls, can also be organized and prioritized from low to medium to high.

Controls covered by CISA’s CPGs:

  • Account Security
  • Device Security
  • Data Security
  • Governance & Training
  • Vulnerability Management
  • Supply Chain/Third Party
  • Response and Recovery
  • Other

The CPGs recognize the vast differentiation in resources, expertise, and starting points across critical sectors that are responsible for the delivery and maintenance of precious resources, services, and products. They align with top priorities outlined in the 2023-2025 CISA Strategic Plan: Driving toward a future where software and hardware are designed and built with security as a top priority, a future in which technology products must be designed and developed in a manner that prioritizes security, ensures strong controls by default, and reduces the prevalence of exploitable vulnerabilities.

CISA’s broader strategic plan outlines 4 main goals and 19 collective objectives for the agency, including the rollout of sector-specific standards and recommendations to guide security decisions. The plan notes that “operational technology (OT) and industrial control systems (ICS) pose unique risks that demand particular focus due to the heightened consequences of disruption and challenges related to deploying certain security controls at scale.” Nozomi Networks applauds efforts from the U.S. government to coordinate a complex and dynamic security environment across 16 divergent sectors.

All sectors continue to reveal cybersecurity gaps, reorient change management, and drive toward holistic cybersecurity coverage as investments in industrial cybersecurity grow. Focused investments that cover the controls outlined in CISA’s CPGs fall into four main categories:

  • Category 1 – Network Visibility: If network activity is not monitored in real time, the status of assets is largely unknown. Whether or not they carry vulnerabilities, these assets cannot be protected without visibility into their day-to-day behavior.
  • Category 2 – Vulnerability Management: Vulnerabilities are not all the same; the degree to which a vulnerability affects the integrity and availability of a system varies by technology, deployment, configuration, and environment.
  • Category 3 – Cyber Threat Intelligence: Threat actors targeting OT and ICS seek to craft the combination of capabilities and vulnerabilities that will cause disruption or damage to their target. Their campaigns can be opportunistic, highly tailored, or a mixture of both.
  • Category 4 – Lack of Situational Awareness: Components and connections continue to multiply as systems and integrations from multiple vendors are added. Simply collecting and storing reams of data is not useful for any risk mitigation strategy unless it can be interpreted.

These four categories point to the weak spots a critical infrastructure asset owner should consider when evaluating its ability to reduce the severity of impacts from cyber incidents. The top 5 CPG practices and associated goals that speak directly to reducing the severity of impacts to operational technology include:

  • 2.3 Asset Inventory: Better identify known, unknown (shadow), and unmanaged assets, and more rapidly detect and respond to new vulnerabilities.
  • 2.5 Document Device Configurations: More efficiently and effectively manage, respond to, and recover from cyberattacks against the organization and maintain service continuity.
  • 4.2 OT Cybersecurity Leadership: A single leader is responsible and accountable for OT-specific cybersecurity within an organization with OT assets.
  • 5.5 Limit OT Connections to Public Internet: Reduce the risk of adversaries exploiting or interrupting OT assets connected to the public internet.
  • 8.1 Network Segmentation: Reduce the likelihood of adversaries accessing the OT network after compromising the IT network.
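The CPGs are meant to be measured, so it helps to see what a measurement looks like. The following Python check is an added example, not code from this blog or from CISA: it turns goals 2.3, 2.5, 5.5 and 8.1 into tests over a constructed asset inventory and a constructed list of observed network flows. The zone labels, per-asset flags and asset names are assumptions chosen for illustration.

```python
"""Report gaps against CISA CPG 2.3, 2.5, 5.5 and 8.1 for a small inventory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str               # "IT", "OT" or "DMZ" (constructed labels)
    managed: bool           # present in the inventory of record (CPG 2.3)
    config_documented: bool  # a restorable configuration is on file (CPG 2.5)
    internet_exposed: bool  # reachable from the public internet (CPG 5.5)


# Constructed sample inventory; every name and flag is illustrative only.
INVENTORY = [
    Asset("hmi-01", "OT", True, True, False),
    Asset("plc-07", "OT", False, False, False),   # seen on the wire, not in the CMDB
    Asset("hist-02", "DMZ", True, True, False),
    Asset("eng-ws-03", "OT", True, False, True),  # workstation with a public address
    Asset("erp-app", "IT", True, True, False),
]
# Constructed observed flows as (source, destination) asset names.
FLOWS = [("erp-app", "hist-02"), ("hist-02", "hmi-01"), ("erp-app", "plc-07")]


def cpg_2_3_unmanaged(inv):
    """CPG 2.3: assets observed on the network that the inventory does not manage."""
    return sorted(a.name for a in inv if not a.managed)


def cpg_2_5_undocumented(inv):
    """CPG 2.5: OT devices with no recorded configuration to recover from."""
    return sorted(a.name for a in inv if a.zone == "OT" and not a.config_documented)


def cpg_5_5_internet_exposed(inv):
    """CPG 5.5: OT assets reachable from the public internet."""
    return sorted(a.name for a in inv if a.zone == "OT" and a.internet_exposed)


def cpg_8_1_direct_it_ot(inv, flows):
    """CPG 8.1: IT-to-OT flows that bypass the DMZ instead of terminating in it."""
    zone = {a.name: a.zone for a in inv}
    return sorted(f"{s}->{d}" for s, d in flows
                  if zone.get(s) == "IT" and zone.get(d) == "OT")


def gap_report(inv, flows):
    """Map each goal id to its list of findings; an empty list means no gap found."""
    return {"2.3": cpg_2_3_unmanaged(inv), "2.5": cpg_2_5_undocumented(inv),
            "5.5": cpg_5_5_internet_exposed(inv), "8.1": cpg_8_1_direct_it_ot(inv, flows)}


if __name__ == "__main__":
    for goal, findings in gap_report(INVENTORY, FLOWS).items():
        print(goal, findings or "no gaps")
```

In the sample data the report flags the unmanaged PLC, the two OT devices without a documented configuration, the internet-exposed engineering workstation, and the one IT-to-OT flow that skips the DMZ.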

Cybersecurity is a delicate balance. Mature cybersecurity programs invest in people, tools, and processes to enforce security policy, review security information, and build more resilient digital environments. The CPGs represent a starting place to help asset owners and organizations reflect on and prioritize cybersecurity policies, practices, and maturity.