Strategy, Harmony & Research: Triaging Priorities for OT Cybersecurity
Despite a focus on the future, there's no indication of how well the cybersecurity basics needed to stay safe are being applied.
The mission of the Cybersecurity and Infrastructure Security Agency (CISA) is to lead the national effort to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day. It is a broad and noble undertaking, unfortunately lacking in historical data and abundant precedent for what actually works best. CISA, however, is not responsible for setting and articulating your organization's cybersecurity policies, controls, and mitigations.
Experts recently reflected on the CISA 2024-2026 strategic plan, asking if intended risk reduction efforts are measurable and impactful, and if implementing the plan's Cyber Performance Goals (CPGs) reduce cyber-risk to critical infrastructure. Given CISA's core mission, however, this is the wrong question — a causation versus correlation discrepancy. The real question is, If they are reduced, what is the threshold for "confirmed impactful incidents," and which of the proposed measurable objectives reduce the severity of impacts, why, and how?
If we collectively accept that we cannot regulate ourselves out of cyber-risks, we must also accept the fact that only companies can make themselves less attractive targets. At DEF CON 2023, Kemba Walden, acting national cyber director for the US Office of the National Cyber Director (ONCD), reiterated that even the least capable threat actors can have an outsized impact in cyberspace (and critical infrastructure, by extension). She also articulated that the private sector has the most capable defense capacities, and the ability to buy down risk.
Where Does That Leave OT?
Critical infrastructure cybersecurity presents a massive needle-in-a-haystack problem. Where IT sees many vulnerabilities likely to be exploited in similar ways across mainstream and ubiquitous systems, OT security is often a proprietary case-by-case distinction. The oversimplification of their differences leads to a contextual gap when translating roles and responsibilities into tasks and capabilities for government, and business continuity and disaster recovery for industry.
There is a lack of understanding of the penetration of industrial assets and technologies in use across critical sectors today, their configuration contingencies for risk management, as well as awareness of realistic cascading impacts and fallout analysis for entities with varying characteristics and demographics. We need to better understand the national inventory of operational critical components and how to defend them based on an effects-based, rather than a means-based, approach to protecting critical infrastructure.
Threading the tapestry of risk across critical infrastructure requires a more granular and purposeful model than current approaches deliver. If the underlying effort from ONCD's national cybersecurity strategy is the development of shared services to reduce costs, especially for target rich, resource poor organizations, operational technology (OT) should be a primary focus, not considered out of scope for the ongoing regulation harmonization efforts.
Sector Risk Management Agency Capacity Building
In a perfect world, there would be a dedicated cybersecurity subject matter expert at the federal level for each critical infrastructure sector, either within the SRMAs or at CISA. In lieu of this reality, cybersecurity research and development encapsulates the entire supply chain — management of suppliers, enterprise incident management, the development environment, products and services, upstream supply chain, operational technology, and downstream supply chain — aligned to the CISA CPGs as a baseline.
Without contextualizing the broad problem set that is critical infrastructure cybersecurity, we risk two poor outcomes. First, increasing the cost of compliance-based cybersecurity to the extent that small to medium-sized businesses cannot afford to meet expensive and prescriptive cybersecurity regulations. Second, that the government finds itself responsible for providing managed cybersecurity services to designated concentrations of risk across multiple sectors — an imprudent, wildly expensive, and unsustainable outcome.
CISA Cyber-Physical R&D Gaps
Federal cybersecurity research and development has a blind spot when it comes to holistic and national understanding of operational technology and industrial control systems. Metrics should be driven by impact and consequence evaluations, providing assessment with environment-specific context. CISA's Resilient Investment Planning and Development Working Group has entered the chat. Its white paper on RD&I Needs and Strategic Actions for Resilience of Critical Infrastructure has been largely ignored in the broader federal regulatory conversation, despite its release in March 2023.
The paper details how "the outcomes of federal research efforts on critical infrastructure resilience are often sector-specific or fragmented by discipline, making it difficult to develop a full picture of how those efforts may mitigate cross-cutting and systemic risks." Of the action items in the report, there are three major gaps identified with many specific needs and action items outlined. For OT cybersecurity regulation in the short term, the most important gaps and needs today can be condensed to the following:
Gap 1: An integrated analysis of consequences and risk reduction decision factors for critical services that depend on cyber-physical infrastructure systems.
Need: A systemic understanding of interconnected cyber-physical infrastructure risk to critical services from the local to national scales.
Need: Common definitions, standards, and metrics for measuring effectiveness of infrastructure resilience interventions.
Gap 2: User-engagement in cyber-physical infrastructure research to translate resilience knowledge into effective action at the local and regional level.
Need: Empirical investigation of how the regulatory system may constrain or enable enhancements to the resilience of cyber-physical infrastructure.
Need: Identify the institutional conditions for effective infrastructure governance and adaptive capacity.
CISA and all of the SRMAs need to identify what level of cybersecurity and risk management asset owners can afford to own versus what the government can reasonably subsidize and augment given these identified gaps and needs.
Onward and Upward
In the meantime, baselining critical infrastructure resilience remains one of CISA's major goals for its 2024–2026 strategy. The broader national cybersecurity strategy has three umbrella focus areas: addressing immediate threats, hardening the terrain, and driving security at scale. And a synergistic goal of the CISA CPGs is to map cybersecurity standards and controls to cybersecurity outcomes. Given all of these goals and perspectives, these OT gaps and needs cannot be ignored.
The reality is more confusing than conflicting regulations, leaving industry to reiterate the basics of attack surface management for cyber-physical systems: crown jewel impact analysis to address and harden most critical systems, building defensible architectures with adequate segmentation, and vulnerability management controlling for systems that can't be hardened. Despite a focus on the future, there's no real indication of how well the industry is applying these basics across the board today.
About the Author
You May Also Like