CISA’s new plan to protect critical infrastructure


It might be critical, but infrastructure in the United States has remained stubbornly difficult to protect from cyber and physical attacks. Now the Cybersecurity and Infrastructure Security Agency has a new five-year plan for an important subset of critical infrastructure, namely industrial control systems. With details of the plan, Federal Drive with Tom Temin turned to the deputy assistant director of cybersecurity at CISA, Richard Driggers.

Interview transcript:

Tom Temin: Mr. Driggers, good to have you on.

Richard Driggers: Good morning. Thank you for having me.

Tom Temin: What is the fundamental challenge in protecting control systems? Earlier, 20 years ago, none of them were connected generally to the internet, and now they all are. Is that the basic problem here?

Richard Driggers: I mean, I think that that’s the crux of it. I mean, the biggest challenge is a lot of these ICS devices that we find in our critical infrastructure, they were installed a long time ago and really used to create efficiencies internal into the facility. And so they weren’t necessarily designed for security. With the digital transformation over the past two and a half decades, these devices have become connected to the internet and part of an ever expanding attack surface exposed to a plethora of malicious actors, hacktivists, criminals and nation state actors. I think one of the other fundamental challenges is the workforce shortage across all aspects of cybersecurity is creating also a challenge to find industrial control systems, or operational technology subject matter experts that can help critical infrastructure owners and operators better secure and configure their operational technology environments.

Tom Temin: Now, the control systems for say a water distribution system are very different from the control systems in a nuclear power plant, or in electrical distribution, or you name it. Are any of the control systems sectors worse off than others in CISA’s view?

Richard Driggers: No. I think that there’s vulnerabilities across all aspects of ICS in every sector. The question is what is the most worthwhile target for adversaries? We’ve certainly seen Russia go after energy sectors, specifically electric facilities. We’ve been told about China’s interest in pipelines. That said, other sectors such as water, critical manufacturing are also vulnerable. And I think that you’ll find that not only is it because we’ve got devices that are accessible via the internet, but we also have configuration issues where we have a business environment that’s running your payroll or other human resource activities for business is connected to the OT environment or the ICS environment. And so we work really closely with industry and owners and operators and put out best practices around configuration controls and things of that nature.

Tom Temin: So in other words, the attack vectors for industrial control systems are pretty similar to those for everything else. Phishing attacks, insider threats or mistakes by insiders, and then the old fashioned hackers in.

Richard Driggers: Yeah, I think you’ll find phishing, spearphishing, password spraying really low cost, low technique tradecraft that our adversaries are using. And of course, there’s the access issue with insider threat and that nature. What we need to do is we need to put more emphasis on ICS security, we need to put more time and energy into it so that it’s a lot harder for adversaries to exploit the vulnerabilities within ICS.

Tom Temin: Now CISA has been cooking on a lot of different burners, I think almost since the name change a couple years ago, it’s been really stepping up the game. What prompted the emphasis now on ICS?

Richard Driggers: ICS became one of our five priorities within CISA when we stood the agency up. We’ve got five priorities, ones around soft target, crowded places, school safety, things of that nature. That’s more of obviously a physical security. We’ve got bluntly, China is a priority for us around supply chain risks, as well as the risks that are going to be the risk for the deployment of 5G technology around the globe. Federal security, federal dot gov security, we have a mandate to secure the dot gov. So the federal government and our work that we do to help departments and agencies secure their networks and systems is a priority. And then of course, election security is always a priority of ours and going to continue to be a priority going forward. And then industrial control systems or critical infrastructure protection is another one of those priorities.

Tom Temin: And just briefly outline what is the basic plan of attack here for CISA in taking on and stepping up the security for industrial control systems.

Richard Driggers: So really our vision for ICS is to achieve a collective approach with industry and government. We want to empower the ICS community to defend itself. We want to inform ICS investments and proactive risk management of our national critical functions. We want to unify capabilities and resources of the federal government and really move to a proactive ICS security and drive positive, sustainable and measurable change to the ICS risk environment.

Tom Temin: What are some of the ways you’re going to do that?

Richard Driggers: So the strategy outlined four pillars. The first pillar is to ask more of the ICS community and deliver more to them. We want to reinvigorate and deepen our existing partnerships while also expanding the scope of engagements with the broader ICS community to empower CISA’s partnerships to mitigate ICS risks. Pillar two was to develop and utilize technology to mature collective ICS cyber defense. CISA will develop and promote easily accessible deployable and inexpensive ICS tools and capabilities to help asset owners and operators secure ICS against adversaries. Pillar three is really around deep data and building capabilities to analyze and deliver information to the ICS community that can be used to disrupt the ICS cyber kill chain. And we want to diversify our data partnerships. We want to further define what the ICS data needs are and support efforts to increase the ingestion of additional data, differentiated by source, type, consequence to increase visibility into ICS threats and vulnerabilities. And then the fourth pillar is to enable informed and proactive security investments by understanding and anticipating the ICS risks. So this is really looking over the horizon at what does the risk landscape look like? How do we use that knowledge to inform investments into proactive initiatives that move the ICS community ahead of the threat curve?

Tom Temin: Now, early on in all of this, I’m talking maybe 10, 12, 15 years ago when the whole structure of Homeland Security and other agencies having their counterparts in the private sector, there was some mistrust both between industry and Homeland Security department or the corresponding federal agency, and also among the players themselves within an industry because they were competitors and they didn’t want to share information. Has that moved along do you think? Is there greater trust and willingness to share data now that we’re 10, 15 years into this effort?

Richard Driggers: So I do think it’s improved dramatically, I think we still have a long way to go, we still have to continue to work at it. It’s a bit like a marriage, you got to work at it every day to continue to build trust and to deepen those relationships. We take in a lot of time and effort to work with not only industry, but also to work with our partners in the interagency. And so we’ve established a couple of different groups. One of them, the most recent group that we established, is called the control systems interagency working group. And this is really an interagency working group that is focused on defining a whole-of-community strategic approach to control system security. The working group serves as a strategic foundation for a unified effort to improve cybersecurity control systems across the US government, as well as the private sector. We’ve got the working group broken down into four levels of effort. One of those levels of effort is supply chain, which DHS is leading that level of effort. Standards: NIST, the National Institute of Standards and Technology, is leading that working group. We also have incident response which DHS is leading, and then workforce, which NIST is leading. And I think it’s important to outline that we started this group about probably a year and a half ago, and we pulled together the interagency. So we pulled together the Department of Defense, the Department of Energy, the Environmental Protection Agency, the Transportation Security Agency, the US Coast Guard, as well as other parts of the intelligence community, the FBI, so we pulled basically every department and agency that has a relevancy with industrial control systems, as well as across all 16 sector specific agencies that deal with risk management for critical infrastructure.
And we pulled this group together and started talking about what collectively do we need to do inside the federal government so that we can engage industry more effectively, more efficiently, and we’re not everybody doing their own thing. And so we met for about nine months, every couple of weeks, and came up with these lines of effort. And then we brought in about 40 to 45 industry experts from owners and operators, IT industrial control systems, device makers, IT security companies, and as well as state and local. We brought these folks in and we talked to them about establishing this working group and becoming part of it. We established these four lines of effort, the working group at large with the industry partners agreed to that and then we quickly moved forward into basically breaking up into groups. So each one of these levels of effort across supply chain, standards, incident response and workforce, have government and industry partners that are working to develop goals and objectives across these lines of effort to cover out on industrial control system.

Tom Temin: Sounds like you feel pretty confident that this plan is going to help in the long run?

Richard Driggers: I certainly do. There’s a lot of work that we’ve been doing in the industrial control systems world for a long time. We have the industrial control systems joint working group, the ICSJWG, which represents really a foundational hybrid public-private partnership through which CISA supports information exchange, development of risk management capabilities, products and services. And it really facilitates communication among federal, state and local government, asset owners and operators, vendors and system integrators across all of the 16 critical infrastructure sectors. The ICSJWG has been around for a long time, we actually just had our first virtual industrial control system joint working group meeting in June, and we had about 800 participants in that working group from over 40 different countries that participated. It’s by and large the largest ICSJWG meeting that we’ve ever had, probably because people didn’t have to travel. But it was a huge success. And so we have foundational groups like that we’re able to build on that are more operational and more tactical. And then on top of that, we’re looking for the control systems interagency working group to focus on those strategic kind of over-the-horizon aspects of supply chain, different types of standards and best practices and controls, incident response and workforce.

Tom Temin: Well, sounds like you got it covered. Richard Driggers is Deputy Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency. Thanks so much for joining me.

Richard Driggers: Well thank you very much.
