The private sector’s utility, telecom, banking, transportation, and medical networks have become a part of physical, mental, and economic well-being in the modern world. They are also under unprecedented threat from state actors — recently underscored by the unclassified summary of the Department of Defense’s cybersecurity strategy, which stated that China “steals technology secrets and undermines the DIB [defense industrial base],” and that, in the event of conflict, China “likely intends to launch destructive cyber attacks against the U.S. Homeland.” The Director of National Intelligence’s assessment further elaborated that “China is almost certainly capable of launching cyberattacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems.”
The DIB and critical infrastructure are under clear threat from our near-peer competitors and would do well to apply select best practices from US government classified systems to protect their own crown jewels.
Understand Where and How Protected Enclaves and the Internet Intersect
Whether in the operational technology (OT) networks of utilities, the research and development enclaves of pharmaceutical networks, or the medical equipment networks of hospitals, some parts of networks need to be more secure than others. But even in utilities’ OT networks, which contain a critical mass of potentially vulnerable legacy technology, total segmentation is a myth, and for good reason: Companies increasingly require the power of big data analytics, integrations with Internet-connected financial systems, and similar services to operate an effective business.
A sound approach to risk management in connecting protected enclaves to broader IT networks can be found in a relatively obscure section of National Security Memorandum 8 (NSM-8): Cultivate visibility and rigor around the areas in which the networks overlap. By declaring that cross-domain systems — the systems responsible for connecting classified networks to unclassified networks — are “vital [national security systems] that require centralized visibility” and establishing the NSA’s Raise the Bar program to oversee them, the US government ensured a level of consistent risk evaluation and security rigor around these inherently risky junctures in the network.
By doing the same, organizations can better manage risk and ensure a consistent approach, rather than crafty and unique but often unvetted solutions to bridge protected enclaves and the broader network. As these centralized points of visibility mature within organizations, they can also unite at an industry level via information sharing and analysis centers (ISACs) or ad hoc collaborative networks to understand best practices and technologies to minimize the risks at these critical network junctures.
Protect the Critical Enterprise Along With Critical Infrastructure
As alluded to above, the crown jewels of critical infrastructure organizations may be well-protected, but they are surrounded by a critical enterprise of enabling functions — HR, customer service, finance, logistics — hosted on a less-secure IT network and sometimes one step removed from the culture of security that permeates operational parts of the organization. But the threat of lateral movement within the network, whereby an adversary could compromise an employee in the critical enterprise and eventually navigate their way to more sensitive systems, renders this an unwise approach. The risk is compounded by the fact that a joint advisory by the NSA, CISA, the FBI, and others highlights China-sponsored threat actors “living off the land” within critical infrastructure networks, using native services rather than malware to evade detection once they have established a foothold.
The intelligence community has long embraced the concept of the critical enterprise by requiring that all employees — whether working operationally or in a support role — complete a thorough suitability process and protect support networks with the same rigor as their mission networks. By doing so, they not only protect their endpoints and systems at a given classification level from technical compromise but also cultivate a culture of security that renders the organization less vulnerable to human-enabled attacks, such as phishing.
While it is untenable for private sector companies to subject their employees to the same degree of scrutiny needed for a US security clearance, they can take a page from the government by securing the entire critical enterprise through training, preventive cybersecurity architecture, and a culture of security that makes the entire critical enterprise aware of the shared risks to their organization.
Demand Security by Design
The complexity of creating a solid cybersecurity architecture is compounded by the fact that, as CISA director Jen Easterly put it, “We’ve unwittingly come to accept as normal that such technology is dangerous-by-design.” This has resulted in the need to deploy myriad security and network management solutions, some of which have proven dangerous by design in and of themselves.
The US government, in general, and its Department of Defense, in particular, have long exercised rigorous processes around technology readiness assessment and operational testing and evaluation. These processes, while costly and lengthy, are designed to ensure the security, maturity, and operational readiness of the technologies that will be deployed to conduct the most critical functions of the US government and support its war fighters. By exercising diligence in their procurement processes, including a strong eye toward security, US government agencies minimize the risk that their technology will be compromised.
It would be impractical to recommend that private sector organizations conduct the same degree of testing and evaluation of technology. But incorporating questions geared toward CISA’s joint “Security-by-Design and -Default” principles is an appealing alternative. By moving beyond reliance on regulatory certifications (many of which test a manufacturer’s processes and policies rather than the inherent security of the underlying technology), security leaders can partner with acquisition teams to increase the security of both critical infrastructure and critical enterprise. A few examples of such questions include:
Government security processes are often viewed as tedious and burdensome, but applying the lessons learned from them doesn’t need to be. Taking these three key lessons and applying them to securing not only critical infrastructure but also the broader critical enterprise is imperative for private industry to counter a nation-state threat.