A New Hope for Critical Infrastructure

Critical infrastructure has been impacted by cyberattacks and cybercrime at an alarming rate in 2021. At varying points this year, the nation’s meat supply, ~20% of its oil production, a small city in Florida, and almost half of the country’s electric utilities have been under cyberattack.

Given these, and the increase in overall volume and complexity of attacks, the Biden Administration took a much needed step this week to protect critical infrastructure by issuing a National Security Memorandum (NSM). It consists of three main points:

  1. Setting a policy goal.
  2. The creation of an Industrial Control Systems Cybersecurity Initiative.
  3. The eventual expansion of threat sharing activities to all critical infrastructure.

The policy goal is simple and direct. Critical infrastructure is just that, critical. It needs to be protected against all threats, including digital ones.

Formalizing an initiative to help address cybersecurity issues for critical infrastructure is really just laying the foundation required to make future efforts easier. This Industrial Control Systems Cybersecurity Initiative puts a flag in the ground around which others can rally.

It’s the final area, the immediate and future expansion of threat sharing activities, that holds the most promise.

But before we dive into that, let’s step back and define “critical.”

Define Critical

The Cybersecurity & Infrastructure Security Agency (CISA) lays out sixteen sectors labeled as critical. From critical manufacturing to financial services to communications to transportation, these sectors are required to maintain a healthy country. Each sector has a designated “Sector Risk Management Agency”. This agency is responsible for collaboration within the sector and with the Federal government.

This memorandum is a call-to-action for those agencies to expand to help with cybersecurity within their sectors.

Visibility

As stated in the memorandum, we “cannot address threats we cannot see.”

Visibility within the realm of cybersecurity requires three key components:

  1. Security controls that gather telemetry from systems.
  2. Data gathered from the telemetry.
  3. A way of identifying issues.

The Industrial Control Systems (ISC) space is particularly challenging when it comes to rolling out security controls. ICS are designed as a closed system.

They, and other operational technology, are treated more like equipment, not the computer systems they have evolved into.

The primary concern with these technologies is usually workplace safety as traditionally designed. The safeguards are designed around physical concerns, not digital ones. This means typical security controls (e.g., just install this) won’t work in these scenarios. That leaves controls that monitor activity around the ICS are the norm.

Once a control is in place, data can be gathered. Then it can be analyzed and modeled for normal behaviors. Unusual or anomalous activities would then generate alerts.

The other approach is to compare the data to a list of known issues.

At Lacework, we’re strong believers in modeling behaviors, but that work is driven by the significant amount of data available in the cloud.

With operational technologies, the lower volume of data makes this approach extremely challenging. Therefore, a list-based approach is more efficient.

But where does an organization in one of these critical sectors get the data required to maintain a list of what to look for?

US-CERT

The US-CERT has been shining a light on cybersecurity threats since 2003. In 2010, they started to track issues associated with ICS.

In that time, they have issued over 1,700 advisories and over 100 alerts linked to these technologies.

While that’s a significant amount, it’s only the tip of the iceberg. Cybersecurity researchers are now starting focusing more efforts on ICS. The popular Pwn2Own competition added ICS to their target list in 2020, which put some much needed attention on this area.

This memorandum explicitly states the Federal government will work to share threat information with these sectors throughout the country. That will boost the available data to defenders and make it much easier to detect known issues for ICS.

Hopeful Steps

What I’m hopeful for is the wording in this executive memo will be broadly interpreted. The memorandum states, “The Federal Government will work with industry to share threat information for priority control system critical infrastructure throughout the country.” What I hope the sectors interpret that to mean is that a threat exchange is required for ICS in general.

There are many different implementations of threat exchanges around the world but the idea is a simple one. You don’t just get information from the source but also contribute when you can.

Cybersecurity practitioners already do this informally in most cases. What I’m hoping this push from the government does is reduce the barriers that some practitioners feel prevent them from contributing back to organizations like US-CERT.

As much as company A might compete with company B in the food and agriculture or healthcare sectors, cybercriminals will attack them both.

Cybersecurity practitioners already do this informally in most cases. What I’m hoping this push from the government does is reduce the barriers that some practitioners feel prevent them from contributing back to organizations like US-CERT.

As much as Company A might compete with Company B in the food and agriculture or healthcare sectors, cybercriminals will attack them both.

Hoarding information is not a competitive advantage nor does disclosing responsibly put your organization at further risk.

What’s Still Needed

Putting an emphasis on visibility is a smart move. ICS has long been neglected on the research and practice side of cybersecurity with that only just starting to change.

Making matters worse, these systems literally bridge the physical and digital worlds. They open up critical infrastructure to risks that haven’t been properly assessed.

There’s a reason these sectors are labeled as critical. This memorandum is a good first step, but it’s only one step on a path that we need to continue to push forward on.