While President Joe Biden’s July 28 executive order establishing his industrial control system (ICS) cybersecurity initiative was focused primarily on the electricity subsector, it did say that an action plan for natural gas pipelines was underway and that initiatives for other sectors would follow later this year. The recent White House CEO summit, in which Biden solicited cross-industry cooperation in fighting cybercrime, showed some positive steps in that direction.
A key plank of the ICS cybersecurity initiative was promotion of the National Institute of Standards and Technology (NIST) cybersecurity guidelines. These lay out the zero trust architecture NIST describes as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources.” In other words, moving the fight to the operational technology (OT) realm.
Electric adopts ICS cybersecurity initiative
The electric sector has already begun implementing the ICS cybersecurity initiative. In his opening remarks to the CEOs, Biden said the initiative has involved more than 150 utilities that serve 90 million Americans. Indeed, the energy sector had the greatest representation at the Biden meeting. In attendance were Duke Energy CEO Lynn Good, PG&E CEO Patti Poppe and Southern Company CEO Tom Fanning.
“The meeting was an essential recognition of the need to improve our nation’s defenses against existential cyber threats. A strong national cyber defense — whether against ransomware or other malicious cyber activity — requires effective public-private collaboration to ensure the federal government and the private sector are working hand-in-glove in our collective cyber defense,” said Fanning in a news release issued after the meeting.
Protecting the pipelines
Representing the oil and gas pipeline industry at the meeting were ConocoPhillips CEO Ryan Lance and Williams CEO Alan Armstrong. Not represented was Colonial Pipeline, although its example was cited as one of the reasons such cooperation is needed. “We spent quite a bit of time with our partners in the federal government over the course of our response and welcome others having a similar opportunity today,” Colonial spokesperson Kevin Feeney told the Washington Post.
Keeping water flowing
There were also indications that the government's ICS emphasis would extend to the water industry. Representing the water industry were SJW Group CEO Eric Thornburg and American Water CEO Walter Lynch. In a statement following the meeting, Lynch pledged to work closely with NIST to develop a new framework to improve the security and integrity of the technology supply chain and guide public and private entities to build secure technology and assess the security of that technology, including open-source software. American Water has already voluntarily adopted the current NIST cybersecurity framework.
The technology sector weighs in
In addition to CEOs from the power, pipeline and water industries, which have the most at stake in securing industrial control systems, the White House summit also included the CEOs of Microsoft, Google and IBM, as well as financial and insurance industry leaders. The companies pledged billions of dollars in support for fighting cybercrime and all pledged to support the NIST framework development, as well as to apply significant resources to cybersecurity improvements and workforce development, including the following examples:
- Will work with suppliers, including 9,000 in the U.S., on supply chain improvement, including driving the mass adoption of multifactor authentication, security training, vulnerability remediation, event logging and incident response.
- Will invest $10 billion over the next five years to expand zero trust programs, help secure the software supply chain and enhance open-source security.
- Will help 100,000 Americans earn industry-recognized digital skills certificates.
- Will train 150,000 people in cybersecurity skills over the next three years.
- Will partner with more than 20 Historically Black Colleges and Universities (HBCUs) to establish cybersecurity leadership centers.
- Will invest $20 billion over the next five years to accelerate efforts to integrate cybersecurity by design and deliver advanced security solutions.
- Will make available $150 million in technical services to help federal, state and local governments with upgrading security protection.
- Will expand partnerships with community colleges and nonprofits for cybersecurity training.
- Will offer to the public at no charge the same security awareness training it offers its employees.
- Will offer all web services account holders a free multifactor authentication device to protect against cybersecurity threats like phishing and password theft.
The financial attendees got involved, too. Resilience, a cyber insurance provider, will require policy holders to meet a threshold of cybersecurity best practices as a condition of receiving coverage. Coalition, another cyber insurance provider, announced it will make its cybersecurity risk assessment and continuous monitoring platform available for free to any organization.
ICS cybersecurity by default
How such pledges will impact ICS security remains to be seen, but the fact that ICS security is increasingly present in the public discourse is certainly a good thing. It brings us one step closer to what the senior White House official who briefed the media called “baked in security.”
“We need to transition to where technology is built securely by default. … You know, we don’t buy a car and then buy the airbag separately.”
We couldn’t agree more.
– Bedrock Automation is a CFE Media content partner.