Countering the cyber threat to critical infrastructure.
A breakout session on September 7, 2017, dealt with "Countering the Cyber Threat to Critical Infrastructure." For all the complexity that's been introduced into the category "critical infrastructure," there are clearly three sectors that are more critical than others: power generation and distribution, communications, and finance.
Moderated by Suzanne Spaulding (former Under Secretary for NPPD, DHS), the panel consisted of a mix of leaders from the Federal Government and the private sector: Scott Smith (Assistant Director, Cyber Division, FBI), Chris Boyer (Assistant Vice President for Global Public Policy, AT&T), Thomas Minton III (Manager, Security Governance, Risk, and Intelligence, Exelon Corporation), John Felker (Director, National Cybersecurity Communications and Integration Center, DHS), and Fred Hintermister (Manager, Electricity Information Sharing and Analysis Center).
Assessing cyber risk.
Felker characterized the Government's biggest concern as being industrial control systems (ICS) connected to business systems. "There are a plethora of threats that can wheedle their way into those networks through their vulnerabilities. In 2014 we had forty-one examples of potential reconnaissance and exploitation of ICS networks. So far in 2017 we're up to 46." He cited interruption of power distribution in Ukraine as a cautionary tale: those attacks were abetted by too much connectivity between business and operational systems.
Asked about threat actors, the FBI's Smith demurred: there are no easy solutions. Our infrastructure faces significant threats from state actors. There are emerging threats from criminals and terrorists, and cyber attack is attractive to these because "cyber they can do from over there." Different sectors, of course, are exposed to different threat vectors.
As a tier-1 communications provider, Boyer said that AT&T has seen a lot of activity from hacktivists and criminals engaged in distributing ransomware. There's also this general cyber industry that's grown up in the dark web, among gamers and in other communities. He's become concerned about attacks leveraging IoT devices—they've seen a 3,000% increase in such attacks over last two years.
Cyber risk assessment and mitigation.
Minton was asked about threats to the electric grid, in particular DragonFly, a.k.a. Energetic Bear, and he used it to introduce a discussion of risk assessment and mitigation. "We try to make risk as mathematical as we can, the sum total of threat x vulnerability x impact. The threat is really the intelligence piece. We have to know our own systems—the vulnerability piece. The impact is our respond and recover mission."
Intelligence and cyber threat information sharing.
Hintermeister characterized information sharing as reaching a collaborative understanding of risk. "We now manage and accept risk, as opposed to avoiding it. Our tools aren't all hard tech tools. Some tools are soft policy and procedure tools... We work to add meaning to information, as we turn data into knowledge," he said. Sharing data can serve to build trust and consensus.
The electrical power sector has a distinctive approach to the intelligence function, according to Minton. Philosophically, their view is that "everyone's a collector." The sector does speak with the Intelligence Community, but there's a very big divide between learning about something in the classified world and doing something about it. When the power industry talks about "our intelligence," they mean their own collection, their own awareness, their own forensics.
Felker agreed that the private sector has been doing a very good job collecting, because so much of the useful, actionable intelligence they need is open source. He thinks it's important to stop treating intelligence as a competitive advantage. He thinks the electrical sector gets this, and others should, too.
The communications industry looks at data that transits the network, Boyer said, and it identifies traffic anomalies that might indicate a compromise or an attack. They've been sharing this information with the Government going back to the days of the NCC in the mid-2000s. There's also a great deal of very valuable peer-to-peer sharing going on.
Priorities for protection.
Spaulding asked about priorities. The cybersecurity Executive Order placed a great deal of emphasis on Section 9 entities—those against whom an attack could have catastrophic consequences, and these are single entities, single points of failure, not cascades. "Should that be our focus?" she asked. And the NIAC report suggested a focus on strategic infrastructure: electricity, finance, and communications. What were the panelists views on the matter?
Boyer thought Section 9 as good a starting place as any. "We need to drill down, however, to a more granular level." Minton and Felker agreed strongly that exercises were vitally important, and Hintermister noted that exercises also surfaced interdependencies as opposed to just single points of failure.
Supply chain security.
The audience was particularly interested in the supply chain. How concerned, they wanted to know, were the panelists that the supply chain could undermine critical infrastructure? And what is the Government doing about this issue? Boyer answered that most in industry now impose requirements on suppliers to ensure some level of security. Smith observed that "a significant number of major compromises originated in the supply chain." Minton expected the next version of the NIST cyber framework to introduce vendor security considerations. "We want vendors we do business with to be on a par with us in security."
Asked whether enterprises shared information about vendors, Boyer said, "Yes we do, at least within the telecoms sector. I think those conversations do happen today, but certainly more could be done. But there's no black list per se." Hintermister thought that the marketplace was very good at clearing up these issues. He advocates market-based opportunities and options in the supply chain. Government should not only think about setting standards, "but it should set the example, and it could do more here."