Control Loop: The OT Cybersecurity Podcast 6.5.24
Ep 51 | 6.5.24

Digging into regulatory compliance issues.

Transcript

Dave Bittner: It's June 5th, 2024 and you're listening to "Control Loop" in today's "OT Cybersecurity Briefing." The UK will propose a law to ban ransom payments for critical infrastructure entities. The EPA outlines enforcement measures to protect water utilities against cyberattacks. Rockwell advises customers to disconnect ICS devices from the internet. Senator Vance asks CISA for information on Volt Typhoon. Our guest is Dragos' Vice-President of Product Management, Kimberly Graham. Kim and I discuss regulatory compliance issues. [ Music ] The United Kingdom will propose a law that would ban critical infrastructure entities from making ransomware payments, The Record reports. The UK hopes this will remove incentives for ransomware gangs to target these entities. The law would also require all ransomware victims to report attacks, and noncritical infrastructure entities will need to obtain licenses before paying a ransom. The proposed legislation is still in very early stages and likely won't move forward until after the next general election later this year. The Record notes, however, that even if the proposals are not immediately implemented, they mark a dramatic development in how governments around the world are responding to the ransomware crisis. The U.S. Environmental Protection Agency last week outlined enforcement measures to help water utilities defend against cyberattacks. The EPA says it's issuing the alert because threats to and attacks on the nation's water systems have increased in frequency and severity to a point where additional action is needed. The agency added, "Recent EPA inspections have revealed that the majority of water systems inspected, over 70%, do not fully comply with requirements in the Safe Drinking Water Act and that some of those systems have critical cybersecurity vulnerabilities, such as default passwords that have not been updated and single logins that can easily be compromised."
Rockwell Automation has issued an advisory urging customers to ensure that ICS devices that aren't specifically designed for Internet connectivity are disconnected from the web. The company stated, "Due to heightened geopolitical tensions and adversarial cyber activity globally, Rockwell Automation is issuing this notice urging all customers to take immediate action to assess whether they have devices facing the public Internet and, if so, urgently remove that connectivity for devices not specifically designed for public Internet connectivity." Rockwell adds, "Removing that connectivity as a proactive step reduces attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors." U.S. Senator J.D. Vance, a Republican from Ohio, wrote a letter to CISA Director Jen Easterly requesting information on CISA's understanding of, and response to, the Chinese threat actor Volt Typhoon's targeting of U.S. critical infrastructure entities. Vance inquired about how Volt Typhoon gained access to the infrastructure entities, how many entities were affected, and if additional infrastructure sectors were targeted beyond those disclosed by CISA. Vance also asked which ISACs are aware of Volt Typhoon's activities and how many Volt Typhoon-related calls were received by CISA's 24/7 Operations Center since the beginning of 2023. [ Music ] Kimberly Graham is Dragos' Vice-President of Product Management. I recently caught up with her for insights on regulatory compliance issues.

Kimberly Graham: There is already a lot of existing regulatory compliance in various industries, and what we've been noticing lately is kind of an alignment of some of these different forms of compliance. So, different industries are in different places depending on where they are and what information or system they have to protect. So, if you look at, like, the TSA's Security Directive, that's focused on building network security monitoring, but building it around the zone-to-zone communication, with communications between trusted zones; very similar to regulations that exist inside of NERC CIP already as well, which has been in place longer than the TSA Security Directive. And then when you look at some newer regulations like NERC CIP-15, which is called INSM, Internal Network Security Monitoring, the focus there is internal. So, moving beyond just monitoring your communications and traffic between security zones, you need to monitor within a security zone, like, in the language of NERC CIP, your electronic security perimeter.

Dave Bittner: Well, before we dig into INSM, can you give your insights on, like, where organizations stand right now in terms of being able to comply with what's being demanded of them?

Kimberly Graham: It depends on the organization and the industry, and in the very highly regulated industries, most folks are keeping up, because they have to for the regulations; there are audits that are in place that enforce that they have these types of features. And in the case of industries like the electric sector, where we have INSM, they're given a lot of time to prepare. So, we're looking at implementation within the next three to five years for INSM, meaning that there is time to prepare to make sure that you are ready for the enforcement of regulations.

Dave Bittner: I see. Well, let's dig into INSM. I mean, for folks who might not be familiar with it, how do you describe it?

Kimberly Graham: It's basically an extension of the existing regulations that are in place. So, it is its own standard now; it's a new standard called CIP-15. It ensures that there is monitoring of network traffic and anomalous activity within the trusted zones. So, that can be the electronic security perimeter. Basically, within these networks, instead of just monitoring one network talking to another network, or just the perimeter itself of your ESP, you're looking at what is the traffic? What is going on inside this network?

Dave Bittner: And what is the timeline in terms of implementation here?

Kimberly Graham: So, in terms of the timeline, the ratification should take place in July of this year, so very soon. And then in terms of the implementation, of when it actually goes into effect, it depends on the responsible entity. So, in 36 months it goes into effect for all high and medium control centers; they have to be compliant. And then in basically 60 months, so 5 years, everyone else has to be compliant. So, all medium BES cyber systems have to be compliant.

Dave Bittner: Can you give us some perspective on those timelines? I mean, for someone outside of this world who is just dealing with regular cybersecurity things, you know, 3 years, 5 years sounds like an awfully long time given the pace and cadence of things that happen in the cyber world, but is this a reasonable timescale given this particular world?

Kimberly Graham: This is fairly typical, because in these types of environments, you don't want to be introducing a lot of change without time to do testing and preparation. So, we typically like to see longer timeframes, because while things are needed, if you try to force something too soon, obviously it could be introducing too much change to an environment that really needs to stay stable, and that's what's very important about critical infrastructure, is that it needs to stay stable.

Dave Bittner: Right, right. So, it's a matter of setting priorities. So, where do you suppose we're headed here? I mean, when you're looking towards the horizon at regulatory compliance and these entities, what does the future look like? Is it possible to look into a crystal ball and see where we're headed?

Kimberly Graham: So, I think we can look at where different industries are moving and then apply that to other industries. So, it's not always going to be exactly one-to-one, but if you look at major themes, like with NERC CIP requiring monitoring of, you know, the perimeter of different security boundaries, and then the TSA Pipeline Security Directive saying, okay, you have to monitor the perimeter of these different security zones and trust boundaries. And now with INSM saying, okay, it makes sense now to monitor not just those security boundaries but also within those perimeters: what is the traffic that's flowing, what kind of behaviors do we see? That's now going to be included inside of NERC CIP. You know, you can look at that and say that that may be an indicator that other industries may follow suit and say, okay, it does make sense to start monitoring inside this perimeter. So, it's kind of a natural progression. So, you know, there's not been any published statement saying that's the direction that everyone is going, but I would expect that to be how we see the future of regulatory compliance when it comes to network monitoring.

Dave Bittner: I see. From your position at Dragos, you know, the level of expertise that you have, I'm curious, are there common elements that you see with the organizations who are being successful here, who have successful compliance programs, who have all the things in place? Are there commonalities there?

Kimberly Graham: So, I would say that, working with different customers and, you know, I come from the product side. I'm not an expert on NERC CIP or TSA or so on, but I do work with a lot of people who are. We have a lot of experts here at Dragos. We have a lot of customers that we can talk to and compliance teams that we work with. So, I would say that there are some general themes that we gear around the different programs and alignment, and that happens because there's a lot of sharing that goes on. So, while these different groups may be unrelated other than that they're in the same industry, they are related in the fact that they are regulated in the same way. So, they form industry groups and they form these information sharing communities that allow them to talk about, you know, what are you doing to implement the specific regulation with a specific control? And then we try to empower that as well. We have some different groups that are our user groups that aren't necessarily focused on regulatory compliance, but that's often a major discussion within the group: we're trying to comply with a specific regulation, what is everyone else doing? So, you see a lot of sharing, and that leads to a lot more consistency, but there are always different needs; everyone will interpret a little bit differently, and that's fine. There is some flexibility that is there in the standards and some of it will be up to interpretation, but I'd say overall, the more that folks talk and collaborate and work together, the more alignment we see.

Dave Bittner: Does the regulatory regime here tend to be collaborative? Or, I guess, I'm trying to understand, if you have collaborative on one side and adversarial on the other, you know, and imagine a needle, you know, between the two of those, where do we stand these days?

Kimberly Graham: It's highly collaborative. So, there is a whole process, and I'm not enough of an expert to dive into the whole review process, but it is pushed out to the general community and they're able to make comments on it before anything is ratified, because these regulations do impact everyone. So, it makes sense for there to be comment periods and for people to give their feedback to say this meets my needs, this doesn't meet my needs, to make sure that everything is working the way that it should.

Dave Bittner: That's Kimberly Graham, Vice-President of Product Management at Dragos. [ Music ] And that's "Control Loop," brought to you by N2K CyberWire and powered by Dragos. A programming note for you: "Control Loop" is going on a temporary hiatus. Thank you for being a loyal listener. N2K CyberWire will be back soon with more ICS OT news and analysis that you rely on. Please stay tuned for more updates. For links to all of today's stories, check out our show notes at theCyberWire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you liked the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes, or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our Dragos producers are Joanne Rasch, Mark Urban, and Montserrat Thomason. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]