Whether the Biden administration came into office with cybersecurity as one of its priorities or not, it became clear very quickly that it was going to have to be a priority, with attacks like SolarWinds, Oldsmar and the Colonial Pipeline hitting the U.S. in rapid succession, and with ransomware seemingly running rampant. On May 12, in direct response to the attack on the Colonial Pipeline, the largest supplier of oil to the East Coast, President Joe Biden signed the Executive Order on Improving the Nation’s Cybersecurity.
This far-reaching executive order strives to chart a “new course to improve the nation’s cybersecurity and protect federal government networks,” but that’s a herculean task. So what difference will the order make in reality? According to Jim Crowley, CEO of Industrial Defender, a pioneering operational technology (OT) cybersecurity company, it’s a good first step, but there’s much more that needs to be done to protect critical infrastructure from cyberattacks.
“I think the fact that it came out of the White House and it came out so quickly shows focus, and the fact that they want the federal government to lead by example and they have some pretty prescriptive language in the executive order on how the federal government is going to approach their cyber issues was an important milestone,” Crowley said. “In the past, they’ve issued orders, but [they were], ‘It doesn’t really apply to us; it applies to the industry.’ If they can actually get the government, the federal government, which has a number of weaknesses as we’re all aware in this area, to focus on cyber and really start to build programs that they can measure themselves against, that would be a big help both to the federal government but also in leading by example.”
One of the major problems with the executive order, according to Crowley, is simply that it lacks teeth — a common problem with any executive order. And this is far from the first time an administration has attempted to address cybersecurity. In 2013, there was an executive order around the National Institute of Standards and Technology (NIST) cybersecurity framework that was focused on helping companies understand what they need to do to harden critical infrastructure, and the Trump administration issued an executive order in 2017 to strengthen federal networks and critical infrastructure.
“This problem has been around a long time,” Crowley said. “So you have, in 2013, these standards coming out, people looking at them, and some companies embraced them, and some companies did something with them. But a lot of companies looked at it and said, ‘Geez, that’s not going to happen to me. We’re not going to have a problem, so I don’t really need to put a NIST type of program in place for my cyber resiliency or for my cyber risk.’”
With both the new executive order and the recent Department of Homeland Security directives around pipeline security, the question becomes: How do you fund it?
“Are there incentive tax credits that can be provided? Can there be some tariff relief?” Crowley said. “I believe that companies really want to do the right things, but most companies view security spend as insurance, and they see compliance as a tax. No one likes to spend money on either one of those things. But if there’s an economic incentive in place for people to actually spend the money on these types of programs, which I think they should because it’s important for the country, the government should not only just be prescriptive about the types of things companies should do, but give them some mechanism, some levers, for how to pay for that. I prefer the carrot over the stick, and I believe that if the funding was available, companies would step up and take advantage of that.”
Ransomware may have been getting the majority of the headlines lately, but Crowley pointed out the threat goes much farther than that. Attacks on OT can have huge health and safety ramifications for the country. A perfect example is the cyberattack on the Oldsmar water treatment facility in Florida. In that instance, hackers actually went in and changed the mix of chemicals in the drinking water system. While that was caught early, a more savvy attacker could have done serious harm. The Aurora vulnerability, where the Idaho National Laboratory showed that a cyberattack can destroy physical components of an electrical grid and cause an explosion, was another example of what a bad actor can do if they gain access to an OT system.
According to Crowley, the Cybersecurity and Infrastructure Security Agency (CISA) appears to be embracing a security operations center (SOC) approach, but that doesn’t fit for many companies. Simply staffing a SOC can be prohibitively expensive. So while it may work well for large companies, midsize manufacturers will likely need to find other solutions to help manage their day-to-day risk.
“[The Biden executive order] is not a bad idea, but I think it’s kind of a boil the ocean approach,” Crowley said. “It may help the very large companies that are being attacked by nation-states. If you look at the top tier of utility infrastructure, the top tier of the refiners, they’ll be able to instrument and provide that data out. But that’s 10% of the market. What about the other 90%?
“There’s value at the high end. Certainly, for those people that have the big targets on their back, there’s nothing wrong with that program. But I don’t think it’s going to help this mid-tier of the market that, as we saw a couple weeks ago with Colonial, is just as susceptible to maybe not a nation-state attack, but they’re collateral damage. That’s what these companies should be worrying about: How do they put programs in place that can prevent them from being that collateral damage in the cyber war that’s going on.”
Keep an eye out for Part 2 of our interview with Jim Crowley, where he will discuss what private industry should be doing to help secure OT systems and protect national critical infrastructure.