Cyber protections for critical infrastructure must have a dual focus

The cyber challenges agencies face minute-by-minute, hour-by-hour and day-by-day will not decrease anytime soon.

The latest statistics say in fiscal 2017 agencies endured 35,277 cybersecurity incidents, which is a 14 percent increase over the 30,899 incidents that agencies reported in 2016.

Of those more than 35,277 incidents last year, only five reached the threshold of “major incident” due to their impact.

But as the Internet of Things or connected devices become more prominent, agencies face a greater risk of having more major incidents.

Philip Quade, the chief information security officer for Fortinet, said because of the growing use of IoT devices, agency cyber executives and other leaders should pay more attention to the ever-growing integration between information technology (IT) and operational technology (OT).

Quade, a former NSA director’s special assistant for cyber and chief of the NSA Cyber Task Force, said at one point in time, OT, which covers technology hardware and processes in the critical infrastructure sectors like valves on oil and gas pipeline or electricity as it flows through the wires, was much different than IT because the systems and networks were not connected to the public Internet.

But as those “air gap” defenses of these hardware and processes have gone away, and the government’s dependence on critical infrastructure grows, he said more and more CISOs, chief information officers and other non-IT leaders need to lead an effort to secure operational technology.

“The first step I would take in a public-private collaboration is information sharing. What is the situational awareness on the privately-operated critical infrastructure and what is the government seeing from their perspective on a threat or vulnerability side based on their own research,” said Quade on Ask the CIO Industry Insights edition. “Standards also would be part of the solution, but not the first step.”

Just recently, the Energy Department, particularly Idaho National Laboratory, which has a center of excellence performing research on vulnerabilities of OT, started to bring a greater focus to OT, releasing a multi-sector cyber strategy to protect the electric grid.

Quade said because there are 17 critical infrastructures and each federal department has a different role in supporting those sectors, the government and private sector need to work together more closely.

One solution to the integration of OT and IT is what Quade called a practical “cyber moonshot” to create a national counter-distributed denial of service (DDOS) program.

“The situation today is that each organization whether it’s the federal government or a private sector organization an entire country may pick on them and do a DDOS attack. They are left trying to set up a defense against a whole country and that’s not a fair fight, and it shouldn’t work that way,” he said. “What if the country decided to set up a national counter DDOS capability that could be used no matter who needs it. It would be some combination of public and private sector. The carriers could help with bandwidth problem. A second piece of it would be some companies who are really good about segmentation to segment off the assets or even the attacker. And lastly, it would probably involve the U.S. government. The U.S. Cyber Command might be a great place to do a mitigation upstream in foreign cyber space.”

Quade said this would benefit all organizations in terms of both reducing the cost of defense and by creating the “muscle memory” where the public and private sector learn to work together to take on cyber problems.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.