I look at the news that the White House has started a ransomware task force from two different viewpoints: that of a US citizen and that of an OT-cybersecurity practitioner.
As a US citizen, I am hopeful but slightly pessimistic. The hope comes from the willingness of our government administration to act, which appears to be a theme (Biden administration issues cybersecurity mandates for pipelines (msn.com), White House announces ransomware task force, initiatives | AHA News). We can argue whether the actions are the correct ones, but in this case doing something is better than doing nothing.
I must applaud the Biden Administration for taking action, but I am a little pessimistic about the effectiveness of implementing a bounty. A bounty approach works when you are dealing with individuals, but it will struggle when dealing with criminal organizations or nation-states. This just means that the task force must have different tactics depending on the adversary. I wouldn’t be surprised if the task force has many tactics that aren’t being disclosed to the public; I would imagine that secrecy is critical to their success.
As a citizen, I am also concerned that as a country we are too reactive to cyber-events on our critical infrastructure. I would feel more comfortable with a consolidated critical-infrastructure OT cybersecurity standard instead of a guideline. Ideally, such a standard would cover things like minimum compliance/governance, segmentation, encryption, supply chain, and infrastructure resiliency.
As with most security guidelines/standards, I would expect this to be a risk-based approach. When looking at risk, we need to use recent events to better understand the cascading effects on the affected industry, on adjacent industries and, ultimately, on the public's quality of life. Even though I am concerned about the lack of a cohesive plan, I welcome a reactive approach over a stagnant approach of doing nothing. Again, I must applaud the government for acting, even if only in reaction to events.
From a practitioner standpoint, we can't expect the government to reduce our critical-infrastructure OT risk to an acceptable level on its own. We must take action as an industry as well. I would like to see more emphasis on industrial control-system resiliency. You will notice I used the word resiliency, not reliability, as the two are not the same. Reliability is focused on the probability that a system will perform correctly over a specific time duration (also sometimes referred to as uptime), and industrial control systems have been reliable basically since their creation. Resiliency is knowing that you can't avoid every collision and must have the ability to respond appropriately. Critical-infrastructure owners/operators must assume they are going to be hit by a cyber-attack, and the resiliency of their systems and processes is going to be critical in those events.
As companies start trying to measure and ultimately improve control-system resiliency, we are going to see greater emphasis on OT-endpoint security. Below are some of the areas where I see OT-endpoint security improving industrial control-system resiliency.
- Actionable vulnerability information that enables administrators to quickly assess and reduce the most pressing risk
- Data-loss prevention to reduce recovery time and actions
- Insider-threat detection to protect against unintentional and/or malicious changes to the industrial control system
- Enterprise endpoint-management applications to improve visibility, enabling centralized staffing and analysis
- Forensic analysis to enable rapid recovery efforts
In summary, I am thankful that the US government is stepping in and taking action to help protect our critical infrastructure. As an industry, we shouldn't expect the government's actions to be enough; we also need to take our own actions to protect our industrial-control systems. Any company with critical infrastructure must assume that the best-laid plans will fail and that eventually it will be hit with a cyber-attack. As a result, control-system resiliency should be an emphasis for critical-infrastructure companies (actually, for all companies with OT environments).
OT endpoint security is just one of the ways we ought to look at protecting—and ultimately improving—control-system resiliency.
Nick Cappi is Hexagon’s cyber vice president for portfolio strategy and enablement