In response to a string of high-profile cyberattacks on businesses and critical infrastructure, President Joe Biden signed an executive order in May to help harden the nation’s cybersecurity and protect federal government networks. The Executive Order on Improving the Nation’s Cybersecurity aims to remove barriers to threat information sharing, modernize and implement stronger national cybersecurity standards, improve software supply chain security, establish a cybersecurity safety review board, create a standard playbook for responding to cyber incidents, improve detection of cybersecurity incidents on federal networks and improve investigative and remediation capabilities.
While the executive order does aim to set a national cybersecurity standard, there is one big problem: Most cyberattacks happen on private companies. So while the government setting a good example is important, the private sector needs to be doing its part, as well. The executive order talks about the federal government modeling good behavior and hoping that trickles down, but that’s obviously not enough, said Jim Crowley, CEO of Industrial Defender, a pioneering operational technology (OT) cybersecurity company.
“Like a lot of executive orders, it’s sort of a plan to make plans,” Crowley said. “We’ve seen a number of these: The Trump administration had one, the Obama administration had one. But without anything prescriptive about it or some meat behind it, it’s very easy for the pain of these most recent hacks to go away and to get off the front burner and go to the back burner. So I believe that they need to have something more prescriptive in place and maybe take some of their own recommendations from the NIST (National Institute of Standards and Technology) framework that they put in place a bunch of years ago.”
The need for a national cybersecurity standard has become clear in recent years, as the number of cyberattacks, and specifically ransomware attacks on critical infrastructure, has spiked. Part of that, Crowley said, is a byproduct of criminals going where the money is. If bad actors can shut down a plant’s operations, they have tremendous leverage that can lead to a big payout. But there are also more resources available to hackers than ever before.
“If you were going to rob a bank, you want to target the bank that doesn’t have any security guards, right?” Crowley said. “There are a lot of companies out there like that, and you can comb public information and review, ‘Are there security people on staff? What kind of technologies do they have in place? Is there a CISO there? Are they attending security events?’ There’s a lot of public information that a criminal can pick up and profile a target and then go after them.”
One way to impel private companies to invest in and prioritize cybersecurity is to follow the example of many other industries, like utilities, and take a fine-based approach. If companies do not implement certain practices or are not compliant, government agencies would have the authority to levy a fine or other penalty. Crowley said that approach is not ideal.
“I would prefer more of a carrot approach to a stick, providing some sort of in-depth investment tax credit so that any sort of spend that they’re doing on cyber-hardening could be written off,” Crowley said. “Provide some sort of incentives that allow the companies to do the right thing, but give them some funding mechanisms to make that happen.”
Implementing and staffing a strong cybersecurity operation is expensive, and many companies — even companies that realize the need for heightened cyber protection — are hesitant to invest those resources in the event something might happen. That’s why Crowley recommends the government find some financial means of encouraging companies to get on board, whether that’s tariff relief, subsidies or another option.
“The government should really be thinking about how to enable these critical infrastructure companies to find some funding to actually execute on these programs because it’s not inexpensive,” Crowley said. “It’s a lot less expensive than if you get hit, as recent events have illustrated. But at the same time, there’s still a bit of a mindset out there of, ‘Well, it’s not going to happen to me. I’ll roll the dice.’ Or, ‘I don’t have time for that. It’s not core to the business.’ But it’s becoming core to the business, and it’s core to the country, as well. We should really be thinking about this as a national security issue and not just a Colonial Pipeline issue or a midstream issue or an oil and gas issue or an energy issue. It’s really a national security issue, as we saw when the gas pumps ran dry in the South.”
Another way to get private industry to invest in cyber-hardening, according to Crowley, is to frame it as more of a safety issue than an operations issue. The majority of recent attacks, such as those on the Colonial Pipeline and JBS, have targeted information technology (IT) systems, but networks are so intermingled today those attacks have spilled over onto the operational technology (OT) side, bringing pipelines and plants to a halt. Energy and food and agriculture are both considered critical infrastructure sectors by the Cybersecurity and Information Security Agency (CISA). Shutting down the Colonial Pipeline for just a few days caused panic buying from consumers and rising gas prices. The real danger to national security was perhaps best exemplified by the attack on a water treatment plant in Oldsmar, Florida, where hackers dramatically raised the levels of lye in the area’s drinking water.
“We have some business partners that have taken a unique approach when they go in to do the security assessments,” Crowley said. “They bring their toolkit to the executives to say, ‘Don’t think about cyber necessarily as cyber, but think about it as a safety problem.’ They frame it in terms of that idea, and that is pretty sticky inside of these industrial companies because they can get their head around, ‘OK, this is a safety issue. It’s not necessarily a security issue or IT issue or OT issue. It’s really about the safety of my business and the risk to the business, and that drives these behaviors around choosing standards and starting to harden things.”
Simply setting those standards and measuring against them can go a long way toward improving an organization’s cyber hygiene. There are many standards to choose from, whether they come from NIST or North American Electric Reliability Corporation-Critical Infrastructure Protection (NERC-CIP) or somewhere else.
“Choose a standard and then build a program and measure yourself against that standard,” Crowley said. “Just like anything else in your business, if you don’t measure it, there’s no way to tell whether you’re being successful or not. So choose a standard and then bring in the tools or bring in the technology or the services folks or hire the people that you need to run that program.”
Check out Part 1 of our interview with Jim Crowley, where he dives into the Biden cybersecurity executive order and breaks down what will likely work and where improvements can still be made to set a national cybersecurity standard. And check out our Industrial Cybersecurity Pulse YouTube page to view previous installments from our expert interview series.