At a glance.
- Plugging into electric vehicle cybersecurity.
- Biden administration announces Chemical Action Plan.
- CISA releases cross-sector cybersecurity performance goals.
Plugging into electric vehicle cybersecurity.
The US Office of the National Cyber Director (ONCD) on Tuesday gathered with government and industry leaders to discuss cybersecurity issues in the electric vehicle (EV) and electric vehicle supply equipment (EVSE) ecosystem. As the official readout explains, the forum was the latest in a series of meetings focused on strengthening the country’s critical infrastructure across various industries. EV and EVSE industry experts shared their individual organizations’ views on cybersecurity practices, as well as blind spots and recommendations for improvement. The EV industry plays an important role in reaching climate policy goals, and government officials discussed how they are supporting companies through investments of over $7.5 billion in Bipartisan Infrastructure Law (BIL) funds and, as part of the Inflation Reduction Act, billions more in tax credits and direct investments. The main takeaways were that attendees would identify opportunities for harmonization across sectors, pinpoint the cybersecurity attributes essential for the emerging EV and EVSE ecosystem, and find opportunities for further research and development.
Biden administration announces Chemical Action Plan.
The White House yesterday released a fact sheet outlining the Biden-Harris administration’s Chemical Action Plan, a strategy for improving cybersecurity in the chemical sector. “The nation’s leading chemical companies and the government’s lead agency for the chemical sector – the Cybersecurity and Infrastructure Agency (CISA) – have agreed on a plan to promote a higher standard of cybersecurity across the sector, including capabilities that enable visibility and threat detection for industrial control systems,” the fact sheet reads. Building on best practices learned from similar plans focused on the electric, pipeline, and water sectors, the plan will start with a 100-day sprint urging companies to share threat info with the federal government and build relationships between sector owners and operators.
As the risk management agency for the chemical sector, CISA will collaborate with the Chemical Sector Coordinating Council to set up a new task force to oversee the sprint. The Record by Recorded Future notes that plan elements will include the creation of a coordinating council consisting of fifteen chemical industry groups focused on gathering feedback on how best to bolster the sector’s digital defenses. As CyberScoop explains, these cybersecurity sprints were first introduced in April 2021, codified by Biden’s memorandum on improving critical infrastructure control systems.
Chris Gray, AVP of cybersecurity for Deepwatch, points out that the chemical sector underlies many other industries:
"The Chemical Sector is a significant component of both the critical infrastructure and manufacturing industries. As part of the interoperability of critical infrastructure chains, the Chemical Sector heavily influences and enables areas such as agriculture, water, nuclear, defense, and transportation. Damages to chemical manufacturing, storage, transportation, and use are not self-contained; they have significant effects upon a much broader ecosystem, including economic markets.
"The big security concerns in this sector include safety, including physical and potential for downstream environmental damages. The interoperability and reliance that exist between the Chemical Sector and other industries is another major consideration. If the production and delivery of chemicals is stopped or impeded, massive effects will be felt by manufacturing, healthcare, fuel, and many other areas. A third concern is system and platform vulnerability. The last major security framework requirements that have governance over this area predate 2010. This sector is likely underserved, highly remote and unattended, with old technologies and outdated security standards and expectations."
Jerry Caponera, General Manager, Cyber Risk at ThreatConnect, also noted the centrality of the chemical industry to the things we take for granted in everyday life:
"There are a couple of things that worry me concerning the chemical sector. The first is that the chemical sector produces items that we may not necessarily think about but can't survive without in modern society. Imagine a world without plastics to store our food or chemicals to make electronics.
"The second is the real risk. We saw three ransomware attacks in 2019, including two in the US (a bigger one was Norsk Hydro). They mitigated the impact because the hit was on IT, not OT systems. But it could have been worse.
"Third, there's a massive risk with the materials in question. Chemicals produce much of what we need, but a chemical material in raw form can be dangerous. A cyber attack on a chemical system where the IT and OT systems are linked could cause a consequential loss of life.
"I’m glad the chemical industry is high on the list of sectors to watch. The ransomware attack on the Colonial Pipeline caused a minor blip in the supply of gas. Suppose a significant ransomware attack on chemical plants would destroy plastic packaging. That would be devastating."
CyberSaint Security's Padraic O'Reilly, Co-Founder and Chief Product Officer, reminds us that one challenge in securing any critical infrastructure is that it's privately held:
"The biggest issue is that almost all infrastructure is privately held. Analogous to the pipeline: large cyber-to-physical systems with extensive OT. Complex segregation issues and legacy protocols and infrastructure. Malicious attacks and control of SCADA systems and PLCs are real vulnerabilities. Internet-connected devices and cloud migration are an issue, too. On the upside, the chemical sector has been under CFATS through DHS for over a decade. That will oil the gears. Likely that sophisticated monitoring and detection lag behind the most mature industries. Likely, too, that cyber risk management needs to be done at the executive level to ensure proper resourcing."
CISA releases cross-sector cybersecurity performance goals.
From these initiatives we move to a cross-sector initiative just promulgated this morning. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued voluntary cybersecurity performance goals. CISA explains, "The CPGs [Cybersecurity Performance Goals] are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques. The goals were informed by existing cybersecurity frameworks and guidance," especially those developed by the National Institute of Standards and Technology (NIST), "as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. By implementing these goals, owners and operators will not only reduce risks to critical infrastructure operations, but also to the American people."
Described as voluntary and not comprehensive, the goals were formulated to be:
- "A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
- "A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
- "A combination of recommended practices for IT and OT owners, including a prioritized set of security practices.
- "Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation."
CISA said that it developed the CPGs with extensive input from industry, and that the development and application of standards was a cooperative effort. What’s different about these CPGs? CISA says they’re different in three ways from similar standards.
“First, the CPGs provide a succinct set of high-priority security outcomes and recommended actions applicable to IT and OT environments. In this way, the CPGs enable organizations to undertake prioritized and targeted investment to address the most significant cybersecurity risks. Second, the CPGs are accompanied by a checklist that allows organizations to prioritize their utilization of each goal based upon cost, complexity, and impact, making the CPGs uniquely useful for organizations with limited resources. Finally, the CPGs will be regularly refreshed and updated, allowing them to be used as a continuously effective resource to drive prioritized investments against the most significant threats and critical risks.” So they’re designed to be easily actionable across the different critical infrastructure sectors, and they’re also designed to be adaptable to organizations of varying sizes and resources.
We received a great deal of comment from industrial cybersecurity experts on the new CPGs. Robert M. Lee, CEO and Co-Founder of Dragos, applauded CISA's commitment to government-industry cooperation:
“CISA has shown their commitment to working alongside the industrial cybersecurity community with the release of the common baseline Cross-Sector Cybersecurity Performance Goals (CPGs). CISA took extensive input and feedback from industry stakeholders and this updated guidance reflects that they were listening closely, providing actionable but not overly prescriptive guidance - exactly the type of support the community has been requesting. It allows asset owners and operators to work towards shared goals while giving them the flexibility and expertise to implement them in ways best suited to their organizations and risks. Most of the CPGs map closely to the critical controls needed for strong OT cybersecurity—namely, having an incident response plan, a defensible architecture, visibility and monitoring, secure remote access, and key vulnerability management. This guidance can help lift industrial cybersecurity standards across the board to better protect our nation’s critical infrastructure. CISA’s continued focus on OT cybersecurity as foundational to national security, and distinct from IT cybersecurity, is an important contribution to the community's advancement.”
Security firm Claroty this afternoon blogged about the implications of the CPGs. Claroty sees five aspects of the Goals as particularly striking, and likely to have positive effects. First, they provide an entry point into implementation of NIST CSF. Second, they empower the "target-rich and cyber-poor." Third, they highlight the too-often overlooked vulnerabilities in operational technology. Fourth, they'll probably serve as a starting point for future standards and regulations. And, finally, the Goals show CISA's commitment to meeting the distinctive goals of divergent infrastructure sectors.
Ron Fabela, CTO & Co-Founder of SynSaber, highlighted some of the challenges such guidelines are likely to face:
"The updated cross-sector performance goals released are general provisions for critical infrastructure covering both IT (enterprise) and OT (industrial control systems) environments. These CPGs are tied directly to NIST Cybersecurity Framework (CSF) controls, which are considered a subset of the overall CSF. The CPGs are also entirely voluntary as stated in the report, to be used as a guide for all organizations to improve their cybersecurity posture.
"This does not come without some challenges specific to OT systems. Top-down guidance from CISA or other agencies is often hard to apply and measure across such large and diverse critical infrastructure sectors. Difficult-to-measure criteria for success are left to those doing the measurement. There's also the tension between performance-based goals that are not overly prescriptive (as they should be) and guidance that is non-applicable to the audience. Even within this report and checklist, asset owners are left analyzing what is applicable and feasible. Many of the goals have unique callouts for "OT" and plenty of caveats such as "where technically feasible", a phrase that has been the bane of effective cybersecurity governance of ICS.
"Overall, asset owners need not fret over renewed guidance from CISA. The goals in the CPG report should not come as a surprise to anyone operating cybersecurity programs. ICS applicability and action have always been a challenge when it comes to top-down policy, but asset owners, SOC managers, CISOs and technicians should see the CISA CPGs as an opportunity to implement real security projects within their organization even if the CPGs lack regulatory teeth."
Derek McCarthy, Director, Field Engineering at NetRise, gives the document good grades, but sees some room for work:
"Overall I think the document is useful in that it is making the NIST CSF (and other similar frameworks) more digestible and actionable/user friendly, and providing more well-defined guidance on specific actions to take to reduce risk across the enterprise (on both the IT/OT side).
"With that said, there are still areas that are left fairly ambiguous - one very important example under the 'Supply Chain / Third Party' section is in '6.1 - Reduce risk by buying more secure products and services from more secure suppliers', where the recommended action reads: 'Organizations’ procurement documents include cybersecurity requirements and questions, which are evaluated in vendor selection such that, given two offerings of roughly similar cost and function, the more secure offering and/or supplier is preferred.'
"What is the criterion for 'more secure offering/supplier'? Something that we talk about a lot is if you are doing research on two different vendors - you probably will look up the vendors/devices in the National Vulnerability Database (NVD)... very often you will find that one vendor may have dozens, or even hundreds of known vulnerabilities published for a specific product or product line. Another vendor may have zero vulnerabilities published for a specific device, or in many cases none of their devices have any known vulnerabilities published in the NVD. At the surface level, it may seem that the vendor with fewer vulnerabilities is more secure. Somewhat counter-intuitively, we often find that the exact opposite is true. The vendor or product with more published vulnerabilities is often indicative that there is a more mature product security incident response team (PSIRT), which will undoubtedly lead to more secure devices, both upon purchase as well as through the lifecycle of the device. This is especially true when looking at vendors that have no published vulnerabilities - no one on Earth makes perfectly secure software, and this is almost always indicative of a vendor that lacks fundamental product security capabilities.
"This ambiguity is not a fault of the CPG document, but rather highlights the complex problems people face related to supply chain security when they lack the ability to gain visibility into the software components of their devices, and rely on the vendor for this information."
Padraic O'Reilly, DoD cyber risk advisor and Co-Founder of CyberSaint, gives the Goals a good initial review, and then suggests resolution of some possible confusions:
"My first reaction is that CISA is saying all the right things. Easterly stresses that small to mid-sized organizations are struggling with cyber risk management. I see this every day in my work as the founder of a risk management software concern. Many want to improve but do not know where to start or where to direct resources. The stated purpose of the CPG, 'to help identify and prioritize the most important cybersecurity practices along with support in making a compelling argument to ensure adequate resources for driving down risk', is the central problem in cyber at this moment in time.
"Additionally, CISA is right: while the Cybersecurity Framework has made great progress toward standardizing the approach to risk management across the CI sectors, many companies have been left behind. One can think of this publication as offering a more targeted approach to risk reduction through an optimal set of practices that should align to the CSF, at least in theory.
"The goal of all cyber risk management should be the discovery of an optimal set of remediations that can then be resourced and tracked. This is a large part of what our customers do in our software, but lower maturity customers struggle with the complexity of this task. CISA has access to the most extensive threat data, as well, which is absolutely necessary to find the top areas for immediate remediation. They have also tied their guidance to MITRE and the TTPs, which is best practice and an approach we use, as well.
"They do tie this to the CSF directly, so lower maturity CI firms can mature their program over time. CISA stresses that this is not a program, not a set of regulations, and that it is not a maturity model. It is, rather, a targeted set of OT and IT practices based on what they are seeing in the wild.
"I think some of the initial confusion around the announcement that CISA would be providing guidance alongside the guidance of NIST, that they are somehow competing with NIST or muddying the waters - this is unfounded, I think, after reading the document. NIST offers standards and does not look at the problem the same way that CISA does. CISA is more data-driven in a day-to-day way given that they work closely with CI firms. NIST is longer term and more standards-driven. CISA's unique and data-driven view of CI brings significant authority to this document and the performance goals therein."
Yotam Segev, Cyera co-founder and CEO, sees signs of a new age dawning:
"The guidance from Homeland Security related to new cybersecurity performance goals and metrics for the private sector is the latest indication that executives responsible for cybersecurity are entering the age of evidence: discovery, classification, and control over the assets you are responsible for is imperative, whether they are applications, data or devices. You must know what you have, on-prem and across any cloud environment. While these goals should be straightforward to implement, the CISOs I speak with highlight that data is not straightforward to discover, classify or control, despite it being the ultimate payload security architectures are designed to protect."