In recent years, private companies and critical infrastructure alike have felt the full force of cyberattacks. This has put cybersecurity on the forefront of everyone’s mind, as people try to remain a step ahead of threat actors to ensure everything stays protected. But what can the government do to help? And what is the role of private industry?
CFE Media and Technology recently brought together several industry experts to discuss what governments can do to protect critical infrastructure from the various threat actors out there. Joining Gary Cohen, senior editor of Industrial Cybersecurity Pulse, are Bryan Bennett, Dave Masson and Sam May.
This discussion has been edited for clarity.
ICS Pulse: How are the Canadian and the U.S. governments doing right now in attempting to protect critical infrastructure?
David Masson: Well, everybody is talking about it. That’s for sure. If you’re in the great North American public, you probably thought this was a whole new game that suddenly appeared out of nowhere. Although to be honest with you, protecting national infrastructure has been around since before World War II, and all of our nations in North America have been engaged in that. But let’s be honest about it: It’s the Colonial Pipeline hack that’s pretty much got everybody talking about this.
Prior to that, while there’s certainly probably more going on in both nations to protect national infrastructure, you’d have had to hunt around and be pretty dedicated to go and find out what the actual process is and who was involved, where and all the rest of that. In Canada, we’re a bit behind the curve on that kind of thing, and we’ve got lots of policy processes. We’ve even got a new organization set up. It’s our equivalent of CISA, which is for the cybersecurity part about protecting national infrastructure. But, in many ways if you’re a member of the general public, you’re probably thinking, “Hey, something new happened, and everybody’s trying to catch up and deal with it as quickly as they can.”
Bryan Bennett: From the private sector side, there have been a lot of conversations regarding IT (information technology) security, almost nothing about OT (operational technology) security until the Colonial Pipeline. OT was only talked about in very small groups, and it never made the news. This is the first large news that came across the entire world for a shutdown. Yet, the pipeline could have still actually flowed and provided products, but because of the software being down and having been hacked, we couldn’t charge anybody.
So, of course, we’re going to stop productivity if we can’t get payment for it. That’s how everything got held up. That has started a huge discussion through OT, especially regarding health care. There have been situations where people had to leave hospitals because they couldn’t perform surgeries because they weren’t sure that the lights could stay on. And not because there wasn’t power, but because the software got hacked. Now, because of that, to David’s point, it’s gained a lot of momentum.
Sam May: It’s not going to be until it affects the average consumer that any meaningful change is going to happen. It’s an unfortunate byproduct of human nature, but if it doesn’t impact Joe on the street, then it’s not going to get any traction either nationally or even locally. It isn’t until the marketplace starts reacting that corporations start reacting. I really don’t see this as a governmental issue.
The government can set the tone. The government can provide resources. They can draw legislation and boxes around things, but it’s going to be the marketplace that drives corporate behavior. Until the marketplace demands more cybersecurity and demands better and more attention being put on these policies and programs, you’re just not going to get any action. I mean, [Google] Nest didn’t change its behaviors around its coding practices until their little boxes got pwned in people’s houses. That’s really what started driving corporate behavior and governance into changing their policies and having security involved in DevOps. That’s how it’s going to continue.
ICSP: That’s an interesting point. Much of critical infrastructure is in the hands of private industry. What is the private sector’s role in trying to assist the government and protect public safety in regard to critical infrastructure?
May: I think private industry has to drive it. The government can draw lines. The government can write legislation, and the executive office can send out executive orders, but they’re going to be vague because there’s no policy, program or even law that’s going to be applicable when it comes to cybersecurity, or any kind of security to every industry. The best they can be are these vagaries of reporting requirements, and follow NIST 800-171, or 53. Do your best. But industry and specific industries really have to drive this and push their requirements up onto the legislative body to say, “This is what our industry needs to do, and this is what our industry can do.”
Some of the failings that we’re seeing with things like CMMC right now, at least in the U.S.: The Department of Defense has tried very hard to push CMMC, this Cybersecurity Maturity Model Certification, onto the defense industrial base with all these requirements and things like that, but it doesn’t fit, and it’s really hard to implement. But at the same time, private industry has done nothing to help itself by trying to inform the federal customer as to, “This is what we should be doing to better secure ourselves.” There has to be this free-flowing, bilateral communication. It can’t be from one to the other.
Masson: There’s a role for government to maybe be a bit more open about what the actual scale and nature of the threat is, and pass a bit more information on. Because if you’re in private industry, your first question will be, “OK, what is the threat? What is the thing that I need to protect myself against? Do you know something that I don’t know? Because if you do, could you tell me please, because if you tell me, I might actually then do something about it.” And then things really do get a bit quiet and crickety right around about that point.
And to pick up on Sam’s bit there about the CMMC, at the end of the day, it’s really about protecting the DoD. The DoD is trying to protect itself through its supply chain, and saying to the suppliers, “You’ve got to protect yourselves so you can protect us.” Whereas, that’s not really the kind of, “Hey, guys, I think it’s in all our interests to protect ourselves.” The whole herd immunity against cyber threats kind of thing, but that message pretty rarely comes out.
May: In the U.S., we have Biden’s executive order that really tried to get the government to share more intel with private industry about cyber threats and things like that. When we look into the future, and we look at this system being perfected, that free flow of communication as far as the threat landscape goes between government intelligence sources and private industry is great. But right now, I would just like to see there being a well thought out baseline set by the government customer to say that if you want to do business in this space, these are the minimum baselines you’re going to have to meet. And have those minimum baselines be thoughtful and relevant to the companies to which they’re speaking.
Because, specifically, when you start looking at OT environments, if you try to take the regulations that exist right now for the defense industrial base in the FAR or DFAR world — anything involving 48 CFR or ITAR or EAR — most of the practices in there aren’t applicable to an OT environment. You can’t put two-factor authentication on a CNC machine, and then there are constructive problems like is G-code CUI (controlled unclassified information)?
And there’s no one answering these questions, so it becomes almost impossible to scope a production environment around the industrial space. You start looking at CIS SCADA, and everything else like this, where do we draw the lines? The government is putting a lot of effort and energy into saying, “Yes, protect the DoD’s data or the Ministry of Defense’s data or whoever’s data,” but they’re not helping out private industry to figure out, “Well, what is that going to be?” So what you get is private industry saying, “Well, we’re either going to ignore it because we don’t know how to translate these things, or we’re going to do our best and hopefully the government accepts that. And, oh, by the way, if they don’t accept that, you can’t play with us anymore.” So there is, at its most basic level, a communication problem between the government customer and private industry about how we’re going to secure ourselves. And, yes, OK, maybe it is to secure the DoD at the end of the day, but if that helps to secure the entire defense industrial base or the entire corporate world against some form of cybersecurity or threat, that to me is a win.