When it comes to the cybersecurity of critical infrastructure — things like nuclear facilities, the electrical grid, water/wastewater plants and the like — most people assume it’s the federal government’s responsibility. But the government isn’t always in control of critical infrastructure. The Colonial Pipeline hack was a perfect example of this phenomenon. That’s why it’s impossible to have the discussion about protecting critical infrastructure without bringing the private sector into the mix.
Joining Gary Cohen on this roundtable about the private sector of cybersecurity and critical infrastructure are Bryan Bennett, Dave Masson and Sam May. Bennett is the vice president and practice leader of cybersecurity at ESD, Masson is the director of enterprise security at Darktrace and May is the senior compliance advisor at Steel Root.
This discussion has been edited for clarity.
ICS Pulse: How seriously are major private companies in control of critical infrastructure taking cybersecurity or the need for increased cybersecurity at this point?
Bryan Bennett: Very seriously. Dell is an IT (information technology) company and Walmart is a retailer, but they have thousands of people in their IT department. They have their own internal cybersecurity defense team or teams and focus in different areas and categories.
They don’t want the government to ever be involved, and they have no place in the corporate side when it comes to how to facilitate a business. You have to be compliant. What is the exact information that we need to comply or get close to compliance? That’s for IT. IT is going to go way faster than OT (operational technology). There are decades-old systems out there that never had security.
When they were implemented, security wasn’t even a factor. Now, it’s the weak link in a lot of areas, and people have to do forklift replacement for the systems. In some of these eyes, they’re not broken, just vulnerable.
Sam May: I have a client that has a DOS system that runs a handful of CNC machines on the floor, or at least is the bridge between for the communication. It runs off of MS-DOS, and there are some constructive security benefits to having something so old. There’s nobody writing malware for DOS systems anymore, unless it’s goofing around.
They had to make a decision between affording us and replacing systems that they had scheduled to be replaced, but they have to meet this regulatory compliance standard, most of which doesn’t apply to them. They spent a ton of money on consultants and a ton of money on cybersecurity firms to come in and put systems in place that they had no business having, and didn’t meet any regulatory compliance needs or real security needs.
In some cases, these manufacturers have to automate because they don’t have the manpower to continue running humans behind CNC. They have to automate their workforce and have to provide these workflow efficiencies. They can’t because they have to afford a regulatory compliance architecture that doesn’t make any sense to them. This is in large part scope creep that you have companies running around saying we have to meet maturity level one, two, three, etc. The vast majority of these companies never need to meet anything more than maturity level one.
The government is refusing to be honest and open about what these companies have to be doing at what level individually. There’s no contracting officer that says that we want you to be at level one; level one is all you need to be. I spend about half my time teaching the government customer what their own policies and regulations mean.
I’ve labeled everything as CUI (controlled unclassified information). My contractor has been hemorrhaging tens of thousands of dollars on protecting emails that I’ve been stamping CUI on because I believe that they were CUI. This is just a common thing. If there’s nothing more that any of the listeners of this can take away, it’s that chances are your compliance, regulatory environment isn’t as complicated as you’ve been led to believe. The scope of your environment can be brought down tremendously if someone takes the time to help you understand what the requirements actually are.
This communication is not coming from the federal customer. It’s not coming from the government. It’s completely dark over there.
We’ve been demanding clarification from the federal customer up and down the supply chain, and it just hasn’t come. I advise clients on the legislative requirements we have in front of us: ITAR, EAR and what is currently listed in 48 CFR that’s either on the eCFR or published in the CFR.
What happens in the future will happen in the future. ITAR is the alligator closest to the boat. EAR, DFARS, that’s what we’re going to focus on.