Earlier this year the White House launched an ICS Cybersecurity Initiative designed to strengthen the cybersecurity of our nation’s critical infrastructure. The initiative began with a 100-Day Action Plan for the U.S. electricity subsector and has recently extended to oil and gas pipelines.
The sprint was a tall order, executed over a very short timeframe, so it’s not surprising that despite some progress, cybersecurity efforts for many utilities have stalled due to the confusion created by the recommendations.
The goal of the ICS Cybersecurity Initiative is to “advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control systems of electric utilities.” Let’s discuss what’s needed to get there.
The DOE’s 100-Day Action Plan for U.S. Electric Utilities
In April, the U.S. DOE launched an initiative to improve ICS cybersecurity of electric utilities and secure the energy sector supply chain. The 100-day sprint focused on quickly advancing the utility sector’s adoption of technologies and systems that provide cyber visibility, detection, and response capabilities within ICS networks.
In a recent progress report the DOE indicated that to date, some 150 utilities, serving fewer than a third of the U.S. population, have deployed or have committed to deploy cybersecurity technology to enhance the visibility, detection, and monitoring of their critical infrastructure. Many of these utilities are Nozomi Networks customers, and they are exceeding government cybersecurity recommendations. Still, with more than 3,000 electric utility companies serving more than 328 million Americans, and with efforts just starting in other sectors, there’s significant work to be done.
To that end, CESER, CISA, and the National Security Agency’s (NSA) Cyber Directorate have developed a set of considerations for evaluating ICS monitoring technology for the electricity subsector. They can be found here.
According to these agencies:
The highest priority for the Industrial Control Systems (ICS) Cybersecurity Initiative is for owners and operators to enhance their detection, mitigation, and forensic capabilities.
According to DOE guidance:
- The United States government does not and will not select, endorse, or recommend any specific technology or provider as part of this initiative. All entities are encouraged to deploy technology to improve visibility on their systems and share those outputs with government partners.
- The government intends to work with entities and other private sector stakeholders to integrate, to the maximum extent possible, information sharing with any ICS monitoring technology.
- Each entity must assess and select the technology or provider that is best for it.
- The 17 evaluative considerations are recommendations, not requirements, and each entity should determine which of the considerations are applicable to its situation and which technology best fits its needs.
Nozomi Networks solutions were built to meet the unique requirements of critical operational networks. They exceed government recommendations, delivering deep product integrations with other technologies in the ecosystem and providing highly accurate, actionable intelligence that is relevant for ICS systems.
Secure First Share Later – Keys to a Secure Future for Electric Utilities and Other Critical Infrastructure
The pros and cons of information sharing has been the subject of heated debate for years, so it’s not surprising that when the 100-day sprint kicked off, recommendations around information sharing were misunderstood and overinflated. While information sharing is a piece of the DOE recommendations, it is not mandated, and it is among a long list of recommendations.
Information sharing is only as good as the information being shared. Before organizations are ready to start sharing data with others, there are some key areas that should be addressed.
First, it’s important to stay focused on the end goal, which is improving cybersecurity… not obtaining a check in the compliance box. Regulatory compliance is usually a by-product of a mature cybersecurity program and should be a low bar, not the end-goal. A solid defense strategy will ensure decisions are made based on improving security.
Second, it’s vital to ensure the true sources of data, (usually the ICS monitoring tools), are not leaving blind spots, are accurate, and are able to provide actionable intelligence on the systems monitored. A single misconfigured tool can pollute an accurate stream of data, so maintaining data integrity at an early stage ensures it can be relied upon later. Industrial control systems pose a unique set of challenges, so confirming that the monitoring tools are up to the task is key to generating reliable data. Any mistakes made at this stage will be exacerbated if shared at scale later on.
Third, enhancing and enriching the data adds instant value, and can even help reduce the consequences of a breach. This is a key tenet in contingency/response plans that the Directive addresses and where teamplay really comes into focus. An ICS solution raising alerts in a silo is less impactful than a well-orchestrated, enterprise-wide cybersecurity response. Solutions need to integrate with and participate in a product ecosystem where different technologies add different value, like adding details to data, or orchestrating an automated response to a breach. It’s a team sport… signaling and sharing data between systems helps defenders do more with less, as well as increases the fidelity of the data to be shared later.
From the Sprint to the Finish Line – Protecting our Nation’s Energy Sector is a Team Sport
When it comes to a secure future for our nation’s electric utilities and other critical infrastructure, the entire ICS community must work together to implement effective solutions that strengthen our defenses. Success requires transparency, clarity, and teamwork. From the executive branch to the plant engineers, to the technology vendors they rely on, bringing teams together to solve problems is our best way forward.
The 100-day sprint and Security Directives are a step in the right direction, but we need to avoid putting the cart before the horse. Before information sharing can be discussed, the basics must be addressed first, or else the energies spent on sharing will bear no fruit.
References:
