Energy Department employees must understand that the hackers trying to breach their networks are not your stereotypical 20-something in the basement.
They are nation states. And those adversaries are in their networks already.
This is why Energy is developing an enterprise cyber risk management framework that is integrated across every office in the department.
Micah Czigan, the director of integrated joint cybersecurity operations at the Energy Department, said the key to this effort is getting non-IT folks to help develop and implement the cyber risk framework.
“We’ve created eight work streams and have leads for each of these work streams. None of the leads are from the CIO’s office,” Czigan said in an interview after a speech at a recent conference sponsored by 1105 Government Information Group. “We have tasked out members from throughout the department to lead each of those work streams. So they are not just buying into what we are doing, but they are actually part of it and they are contributing to it and leading those efforts.”
The work streams include areas like mobile security.
Czigan said the working groups will look at the risks of mobile devices, and at what technologies and policies are needed to ensure DoE manages smartphones and tablets appropriately without putting too much burden on the national laboratories and other agency offices.
“We are trying to focus more on the business operations and not specific technologies,” he said on Ask the CIO. “Within each of the work streams, we’ve identified gaps and prioritized those gaps. I think we ended up with 24 and there is no way we can accomplish all of that. So the teams are focusing on the top four risk gaps and developing the framework for each of those gaps.”
Then, the working groups will present those frameworks to the governance board, which includes the deputy secretary, to get approval to ensure broad acceptance.
Czigan said once those frameworks earn approval and support, then that’s where his office, the integrated joint cybersecurity operations center, comes in.
“We are really one of the recipients of the framework where we are getting the benefit as the framework is being built and implemented, we are trying to look at the data and say, ‘Hey, as we leverage the framework, here is how it has changed our cyber risk.’ So we are tracking risk and, hopefully, able to see fluctuations as we implement different things throughout the risk framework. We are trying to use data as a way to inform whether or not it’s effective,” he said.
A key piece of this agencywide cyber risk effort is understanding more broadly and clearly that accepting or increasing the risk tolerance at one part of the agency matters to other parts just as much.
Czigan said many of the national laboratories and other Energy offices share a network backbone, so the risk effort helps executives make decisions not just about the risk acceptance of their own office or lab, but also consider mitigation factors.
“We do it partially through the governance structure. We are open about our decisions. We are trying to make our authorities to operate (ATOs) more open so everyone understands what’s in there so when a particular authorizing official approves one, the end goal would be that everyone sees it and if they have a problem they can talk about the potential risk,” he said. “I believe the labs understand what we are doing. They are providing feedback. They are helping us write policy so we are getting good feedback from them.”
The risk management framework is just one focus area of the integrated joint cyber operations center. Czigan said his organization is pursuing several other priorities, including upgrading and standardizing cyber sensors.
He said the current suite of sensors is old so it’s more like a technical refresh. Energy is doing some pilots with some of the technologies to better understand where the sensors should go and what data they should collect. Czigan said Energy doesn’t have an acquisition strategy quite yet.
“The big thing that we are doing much different is we will take all this data to a central location, do combined analytics for the department, and then push the data back out in a non-attributable format,” Czigan said. “These are corporations [the national labs are usually contractor run] and there is a little bit of competition between them, and so we understand that and nobody wants everybody else to know what’s underneath the rug. This way you can see what’s going on elsewhere.”
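The centralize-analyze-redistribute model Czigan describes, as an added illustration that is not DOE code: site-level sensor alerts feed a central, attributable view, while the version pushed back out carries only per-signature totals and a count of affected sites. The site names, signature names and timestamps are constructed sample data.

```python
"""Added example (not DOE's code): central analytics over per-site alerts,
plus the non-attributable view that gets shared back with the labs.
Site names, signatures and timestamps are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    site: str        # reporting lab (hypothetical name)
    signature: str   # detection rule that fired
    ts: int          # epoch seconds


# Constructed sample feed: three hypothetical sites, two signatures.
SAMPLE_ALERTS = [
    Alert("lab-a", "SIG-ExfilBeacon", 1700000000),
    Alert("lab-a", "SIG-ExfilBeacon", 1700003600),
    Alert("lab-b", "SIG-ExfilBeacon", 1700007200),
    Alert("lab-c", "SIG-PhishAttach", 1700010800),
    Alert("lab-b", "SIG-PhishAttach", 1700014400),
    Alert("lab-b", "SIG-PhishAttach", 1700018000),
]


def combined_analytics(alerts):
    """Central view (attributable): per-signature hit counts per site."""
    per_site = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        per_site[a.signature][a.site] += 1
    return {sig: dict(sites) for sig, sites in per_site.items()}


def non_attributable_view(alerts):
    """What is pushed back out: totals, how many sites saw a signature, and
    first/last seen. Site identity is dropped rather than pseudonymised, since
    a consistent pseudonym could still be linked back to a particular lab."""
    view = {}
    for a in alerts:
        v = view.setdefault(a.signature,
                            {"hits": 0, "sites": set(), "first": a.ts, "last": a.ts})
        v["hits"] += 1
        v["sites"].add(a.site)
        v["first"] = min(v["first"], a.ts)
        v["last"] = max(v["last"], a.ts)
    return {sig: {"hits": v["hits"], "site_count": len(v["sites"]),
                  "first_seen": v["first"], "last_seen": v["last"]}
            for sig, v in view.items()}
```

A lab reading the shared view can see that a signature is firing elsewhere and how widely, but not at which other site.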
Energy also is looking at how to store all of this data and is considering the cloud as an option, as well as what data analytics tools can run on top of that cloud.
He said his office also is working with the labs to name liaison officers. The integrated joint cyber operations center will train them on how the security operations center works, its procedures and practices, and then they will be the touch point back at the site.
“We’ve also just instituted an east-west model for our SOC. We have two large SOCs, one for the National Nuclear Security Administration and one for the CIO’s office. We’ve collaborated together and divided functions between the two, but they are operating at one single SOC,” he said.