The U.S. government has focused on trying to strengthen cybersecurity across all critical infrastructure sectors in recent years with actions such as the 100-day sprint and the executive order. But are these actions from the Biden administration helping, or have they made it harder for cybersecurity professionals?
CFE recently put together a group of leading experts in the industrial cybersecurity field for an open conversation about some of the prevailing trends with regard to government regulations and critical infrastructure. Joining Gary Cohen, senior editor of Industrial Cybersecurity Pulse, are Jim Crowley, CEO of Industrial Defender; Ryan Heidorn, co-founder and managing director of Steel Root; Pranav Patel, founder and CEO of MediTechSafe and Resiliant; and Tyler Whitaker, CTO at Leading2Lean.
The discussion has been edited for clarity.
ICS Pulse: Has compliance been complicated or improved by some of the government actions that have taken place lately, like the 100-day sprint and the executive order? Has it been made clearer, or is it getting murkier for companies?
Ryan Heidorn: That is a big question. I suppose the specifics there depend on exactly which industry niches you may be playing in and which compliance frameworks are governing your business. For many of our customers, manufacturers and other companies in the defense industrial base, the major compliance focus over the last couple of years has been the Cybersecurity Maturity Model Certification, or CMMC, not dissimilar from other compliance frameworks.
In that, you have to be assessed under this regime. You would be certified at a particular level, and the idea is, before you can win new business from the Department of Defense, you have to have a certification in place. Where this model may go off the rails for some is that the model as it’s currently written is really a model for IT (information technology), not OT (operational technology). So you have to ask yourself, can I get MFA (multifactor authentication) on my CNC machines? Maybe not. Do these machines have embedded Windows 7 systems that you can upgrade?
These are problematic under compliance frameworks that primarily contemplate IT. So, really, any compliance framework that’s trying to impose itself upon the industry in this way based on IT security measures is going to have some sort of OT security overlay or segmentation guidance if they’re going to be effective. In general, I do think that compliance regimes, such as those that are in effect today and being developed, are a useful way to move the ball down the field in terms of ensuring the positive trends that we want to see in security among private industry.
I saw a highly scientific LinkedIn poll the other day that got a lot of responses based on looking around the world: How do we start to improve our security posture? I was somewhat surprised to see that people overwhelmingly replied that they do feel ensuring security compliance is a good way to do that, and I do share that sentiment.
Jim Crowley: I’ll add to Ryan’s comment around specific industries. We’re pretty heavily involved in the energy space. We’ve been following the TSA pipeline directives and information that’s coming out of the government, largely driven by the big event at Colonial Pipeline. I have a couple of comments on that directive.
First off, they only released it to the pipeline operators and not to the broader ecosystem initially. So we didn’t even know what was in it even though we have clients in that space. So we’re trying to help and inform these folks as to what they should be doing, but we’re not part of the ecosystem. They’re just going after the people that they’re regulating. Secondly, when they did finally release the directive, it didn’t conform to any sort of the prior regulations that had been put out there.
So, for example, the NIST (National Institute of Standards and Technology) cybersecurity framework was something that they’d been referencing for years, but it was very limited about the NIST cybersecurity framework for OT in that document. It was almost a stream of consciousness of things that they needed to do, like a long list of tasks that they should be doing, but it wasn’t very structured. I think it was really poorly thought out. Also, that document was heavily redacted. So even though it was released to the broader industry, we still don’t know a lot of what’s in there.
It’s not particularly helpful. I think they need to be more transparent and not worry so much about what the adversaries are going to get if they get ahold of these types of documents. If you have a soft target on your back, you have a soft target on your back. It doesn’t matter whether the government is redacting this information or not. They should be more transparent about it.
ICSP: It seems that the idea of speed, in trying to roll these things out to stop another SolarWinds or Colonial from happening, can complicate things. It should be more regimented, more controlled and more easily understood rather than what you said, Jim, a stream of consciousness list of things that need to get done.
Crowley: I think going back to some level of standards and saying, the government’s been pushing these NIST standards and other standards. We’ve been involved in a NIST set of utilities for years, and that’s been proven to be a pretty effective standard to get the basic hygiene in place. And, to sort of stick to that, “Hey, we’ve been recommending this for years. Now’s the time to do it.” For example, the hot button in Washington right now is on information sharing, which is a good thing. But it’s not going to solve the foundational problems that, for example, Colonial had around their systems and their assets that they had running, or didn’t know what was in the environment, for example.
In an earlier cybersecurity roundtable, Crowley, Heidorn, Patel and Whitaker discuss how to secure a cybersecurity budget from the C-suite.