CISA, FEMA, and Shields Ready.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) on Tuesday launched Shields Ready, “a sustained national campaign to increase the security and resilience of America’s critical infrastructure.” Shields Ready complements CISA’s “Shields Up” campaign; according to FEMA, “Shields Ready focuses more broadly and strategically on how to prepare critical infrastructure for a potential disruption and how to build more resilience into systems, facilities and processes by taking action before a crisis or incident even occurs.”

Four steps to increasing infrastructure resilience.

The approach encourages critical infrastructure operators to focus on the following steps:

• “Identify Critical Assets and Map Dependencies: Determine the systems that are critical for ongoing business operations and map out their key dependencies on technology, vendors, and supply chains. 
• “Assess Risks: Consider the full range of threats that could disrupt these critical systems and the specific impacts such threats could pose to continuity of operations. 
• “Plan and Exercise: Develop incident response and recovery plans to reduce the impact of these threats to critical systems and conduct regular exercises under realistic conditions to ensure the ability to rapidly restore operations with minimal downtime. 
• “Adapt and Improve: Periodically evaluate and update response and recovery plans based on the results of exercises real-world incidents and an ongoing assessment of the threat environment.”

A call for risk-reduction metrics.

Danielle Jablanski, OT Cybersecurity Strategist at Nozomi Networks, argued that risk reduction metrics shouldn’t be overlooked.

“The steps included for resolve to be resilient are a great first step, as all critical infrastructure entities are responsible for building defensible architectures and defending those architectures. I would further emphasize the need to test the actionable plans suggested by DHS, CISA and FEMA, and to test to failure where components of your plan may fail or falter.

“In terms of measuring progress to continuously improve, this can best be showcased in risk reduction metrics, or enhanced security outcomes, rather than in relation to incident response plans. As long as this holistic awareness is kept in mind, ‘Shields Ready’ is a useful reminder that security is constant and dynamic and contingencies matter.”

She would also have liked to see more emphasis on the role stakeholders will (or should) play in the process. “I would have liked to see a bit more emphasis on stakeholders an entity should involve in the Shields Ready process beyond immediate security teams – similar to the responsibilities outlined in the NIST 800-82 revision 3 document recently updated, but also to include local, state, and federal resources in line with similar FEMA emergency preparedness tips.”

An emphasis on comprehensive risk assessment.

Stephen Gates, Principal Security SME at Horizon3.ai, wrote to draw attention the way the campaign’s emphasis on resilience explicitly depends on risk assessment. “In the context of the US government launching a new campaign to encourage critical national infrastructure (CNI) operators to enhance their cyber-resilience, one of the four key messages stands out as a considerable challenge: Conduct comprehensive risk assessments. This is more difficult than most people believe when organizations solely rely on humans to perform risk assessments. In fact, there are simply not enough qualified and certified risk assessment professionals available today.”

Gates thinks operators need to understand that the world is changing, and that risk assessment by humans will have to supplemented by assessments from autonomous systems. “Therefore, a paradigm shift in the mindset of CNI operators needs to happen. This shift includes augmenting their human-based risk assessments (often in the form of periodic penetration tests and regular scheduled vulnerability scans) with autonomous systems designed to discover where CNI operators are truly at risk. These systems operate autonomously, peruse network environments on their own, discover truly exploitable vulnerabilities, safely exploit what they discover, provide proof of compromise, and deliver expert guidance on how to remediate these risks - preemptively.”

And such autonomous assessment should be continuous. “The first step to using these autonomous systems is assuming defenses have already been breached. Once that happens, these systems will help CNI operators find, fix, and verify that their exploitable vulnerabilities are drastically reduced, help measure progress, and drive continuous security improvement. This is not a one-and-done thing performed on an annual or periodic basis. Instead, it becomes part of everyday, good cyber-hygiene due care.”

Increasing resilience, becoming a harder target.

Mike Barker, CCO at HYAS, wrote, “The imperative nature of this initiative cannot be overstated. Investing in cyber-resilience now is an investment in safeguarding the continuity and security of our critical infrastructure in the face of evolving threats. ‘Shields Ready’ serves as a beacon for organizations to fortify their defenses, enabling a more resilient and secure future for critical infrastructure and the communities they serve.”

His colleague at HYAS, CEO Dave Ratner, added, “Improving processes and hardening systems is critical for any CNI organization but must be paired with the right solutions for resiliency in the face of continual onslaughts of threats and attacks; that's why it makes complete sense to pair the Shields Up initiative with Shields Ready. Only through a complete security-in-layers approach will critical infrastructure really be properly prepared for and resilient against cyber intrusions.”