Cybersecurity is one our most critical challenges – ranging from the safety and security of personal devices to the electric grid. Keeping cyber defense at the core of infrastructure modernization programs is key to ensuring that our nation’s information remains protected from potential hackers. However, a recent audit conducted by the Defense Department Inspector General found that the DoD and Department of Homeland Security could improve their implementation of key elements of a 2018 memorandum outlining the cybersecurity partnership between the two organizations, jeopardizing our nation’s critical infrastructure. The opportunity for the DoD and DHS to establish a cyber defense implementation plan in conjunction with the Biden administration’s investment in cybersecurity initiatives through the Bipartisan Infrastructure Framework and American Jobs Plan demonstrates how technology modernization and digital transformation programs are a priority for this administration. As the Biden administration implements these programs, cyber defense must be at the core, and perimeter, of all modernization initiatives.
The White House’s National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems is a welcome call to action for critical infrastructure owners and operators to better protect the essential services that enable the American way of life. In practice, however, cybersecurity measures focus solely on information technology-0 and do not take into consideration the far reaches of operational technology (OT). OT is vast and, if not properly secured, can be the gateway into other networks and/or points of failure that can lead to disastrous results. In fact, a recent report discovered 14 vulnerabilities affecting NicheStack, a proprietary TCP/IP stack that is commonly found in OT devices across several critical infrastructure sectors. Vulnerabilities like NicheStack illustrate the importance of recognizing that IT and OT environments are converging and thus creating a need to secure these converged networks with great urgency. According to the National Security Agency’s recent cybersecurity advisory, “without direct action to harden OT networks and control systems against vulnerabilities introduced through IT and business network intrusions, OT system owners and operators will remain at indefensible levels of risk.” As a result, in order to be eligible for grants, the American Jobs Plan specifically requires state and local governments to install technology that detects and blocks malicious cyber activity on both IT and OT networks. This is a prime example of leveraging cybersecurity to protect all high-risk points of entries.
Adopting a zero-trust model is also imperative to building a comprehensive, modern cybersecurity program. When adopting a zero-trust model one assumes that all devices are untrustworthy and thereby implements mitigation actions such as dynamic network segmentation. However, a historical challenge to this approach has been the lack of a single product that can achieve network segmentation across an entire enterprise, one that includes both IT and OT assets, resulting in fragmented environments that are expensive to maintain and inefficient in delivering the security protections it requires. The American Jobs Plan and Bipartisan Infrastructure Framework must emphasize to public and private industries that a zero-trust cybersecurity model is critical to cyber defense and implement network segmentation across all environments.
Finally, with the widespread adoption of cloud-based technologies and cloud computing, cloud security has never been more important. The American Rescue Plan has allocated $1 billion for the Technology Modernization Fund to facilitate a shift to a secure cloud infrastructure. Federal agencies will need to ensure that information is protected and secure during this relocation. Integrating new tools into existing networks and workflows is complex regardless of environment, however there are similarities between the security principles and processes that are used to secure both campus and cloud environments. This means that in order to maintain cloud security, federal agencies must eliminate security management silos between campus and cloud information.
With the American Jobs Plan and the Bipartisan Infrastructure Framework, the White House is on target towards technology modernization with cybersecurity at its core. However, there is still further guidance needed to ensure that recipients of these funds are prioritizing cybersecurity when implementing modernization programs into their organizations. As cyberattacks continue to plague our nation’s most valuable information and resources it is critical that cyber defense systems remain a priority for all Americans.
Yejin Jang is director of Government Affairs at Forescout Technologies, Inc.