Industrial control systems (ICS) and critical infrastructure will be a main focus for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) this year – especially as ransomware looms as a main threat to the sector going forward.
That’s according to Christopher Krebs, director of CISA, speaking at RSA Conference 2020 this week.
“My agency has only been around for a year and a half, but we want to take a new approach to cyber,” he said from the Sandbox stage at the show. “Our top three priorities are cybersecurity for the federal government, election security and ICS. The first two we’ve been addressing for some time.”
CISA’s role in ICS security is a strategic one — Krebs stressed that its mandate is not “to get in there and make tools to deploy and start monitoring.” Rather, he said, “The industry owns the risk – we want to be the nation’s risk advisor.”
To that end, CISA has worked with the National Security Council, various federal agencies, industry stakeholders and organizations like the ICS Village to develop a set of core initiatives for 2020.
“We got everyone around the table, including industry partners and the people who actually own the assets and infrastructure,” Krebs said. “We asked, what do you need the federal government to do to help you better secure your systems and take better risk management approaches?”
Four tenets came out of that process, all of which are now being operationalized. First, CISA plans to align with the international standards process – both in approach and in terms of incentives. Second, achieving supply-chain visibility will be a focus when it comes to information-sharing. Third, addressing the workforce shortage is of paramount importance. And fourth, CISA will focus on developing detection and incident-response training blueprints.
One of the ways CISA will be tackling these core goals is via training – an enterprise that will help both with uncovering cyber-talent and with facilitating information-sharing.
“This community is not always cash-flush,” he said. “When you’re talking about 30,000 local water systems around the country, finding affordable cyber-talent becomes a big job.”
Bryson Bort, co-founder of the ICS Village, pointed out the niche aspect of critical infrastructure, which makes it more difficult for interested cyber researchers to get involved.
“People don’t realize it, but we’re surrounded by operational technology – lights, water, HVAC,” he said. “Even so, it’s difficult to teach yourself how to work on this stuff – it’s not like you can buy it and set it up at home. So, one of our goals is to develop an on-ramp to develop a better workforce via training, with packages from executive level to the people running the infrastructure.”
Thus, working with ICS Village, CISA has developed a control environment simulator.
“We can put people’s hands on keyboards in simulated environments,” Krebs said. “We offer that in Idaho Falls already – but especially in the winter, it’s hard to get to. So now we’re going mobile. We’re literally putting this on a truck and will drive it around to reach resource-constrained people. About 90 percent of utilities are resource-constrained.”
Sean Plankey, principal deputy assistant secretary at the Office of Cybersecurity, Energy Security and Emergency Response at the Department of Energy, said that federal agencies will also benefit from CISA’s efforts.
“We know we have to grow our cyber-capacity by a factor of 10X,” he said. “We need training and we need to grow our understanding of where the threats are.”
Within the federal government, CISA serves an integration function and acts as a core support element for other departments, Krebs said: “We work with the Department of Energy, we work with the TSA on pipelines, and so on. We’re risk advisors not managers – we try to understand what’s wrong and make recommendations as to how to address them. We facilitate knowledge transfer. We want to provide a picture that draws from the classified data world, combined with industry knowledge, so we all have a common operating picture.”
Including asset owners is key to success, according to stakeholders – but it’s been difficult to bring the right people into the process. For instance, Joe Weiss, managing director of the ISA-99 Automation and Control Systems Security standards body, weighed in during the session about the importance of including those on the front lines of operations in the discussions.
“There are almost no cybersecurity policy organizations that have VPs of power production, power delivery, and so on involved,” he said. “You won’t find many from the actual engineering side of the world, and that means things are totally broken. There is zero cyber or authentication focus when it comes to anything that we measure – voltage, water pressure, and so on. Actual control systems devices that people build – pumps, motors, valves, relays and so on – thus have persistent design vulnerabilities.”
Krebs acknowledged the issue. “I don’t have all the answers and I’m not even sure I have all the questions,” he said. “We are focusing on making strategic alliances and shifting to a customer-centric view of the world, which is a bizarre concept for federal agencies. It’s also a lifecycle challenge. We have to look at how long equipment lasts.”
Bug-hunting will be a continuing part of CISA’s ICS efforts this year as well. Last year, 20,000 vulnerabilities were responsibly disclosed via CISA across all sectors – the agency expects to ramp that up in 2020.
“We’re working with manufacturers and asset-owners to provide an opportunity for hackers to come and bang on equipment,” Bort said. “Instead of the typical gamification, capture-the-flag exercise, we’re going to be doing under the egis of coordinated vulnerability disclosure with the federal government.”
And finally, CISA plans to continue with its ongoing alerts, particularly when it comes to ransomware.
“I think we’re on the verge of a national crisis when it comes to ransomware,” Krebs said. “If we exclusively focus on nation-state attacks all of our work will be for naught. We need to raise awareness with executives and the business units. Awareness can lead into investment, which can lead to building defense capabilities.”
For Threatpost’s complete RSA Conference 2020 reporting, please visit our special coverage section, available here.