Never before has a U.S. presidential administration focused so much on industrial control systems and operational technology. On July 28, 2021, the White House issued a national security memorandum on improving critical infrastructure control systems. It followed the 100-day plan for hazardous liquid and natural gas pipeline cybersecurity, an executive order directing the federal government to secure its own operational technology, and two Transportation Security Administration (TSA) security directives for pipeline owners and operators, issued in May and July 2021.
The July 28 memorandum directed the Department of Homeland Security (DHS), in consultation with the National Institute of Standards and Technology (NIST), to establish voluntary cybersecurity performance goals and a baseline of security practices. In part, the memorandum stated:
“The Secretary of Homeland Security, in coordination with the Secretary of Commerce (through the Director of the National Institute of Standards and Technology) and other agencies, as appropriate, shall develop and issue cybersecurity performance goals for critical infrastructure to further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.”
There are many paths forward as DHS, which includes both TSA and the Cybersecurity & Infrastructure Security Agency (CISA), pivots from purely voluntary cybersecurity guidance to a hybrid of mandatory compliance standards and regulations alongside security. Until the recent TSA mandate, the North American Electric Reliability Corp. (NERC) Critical Infrastructure Protection (CIP) Reliability Standards, which apply to electric utilities, were the most widely impactful mandatory cybersecurity regulation for industrial control systems (ICS) in the United States. Those standards have been in force for over a decade, with both successes and challenges over their history. As we look ahead at what future ICS security standards could look like, it is worth understanding what has worked and, perhaps more importantly, what hasn't worked for NERC CIP.
Most people believe that NERC CIP was part of the massive response to the 2003 Northeast Blackout, but that is only partially true. While the events after 2003 led to the Federal Energy Regulatory Commission (FERC) gaining new authority to mandate standards and the subsequent filing by NERC to become the Electric Reliability Organization, the truth is that industry developed the precursor to NERC CIP, called Urgent Action 1200, and approved it the day before the 2003 blackout occurred.
Why? What was industry facing in 2003 that spurred the development of a voluntary cybersecurity standard? Looking back at the threat landscape of the time, the answer is fairly obvious: untargeted, IT-focused malware that found its way into operations networks. Worms such as Slammer in 2003 (and, later, Conficker) had no interest in control systems, yet they reached them, and they were avoidable with relatively simple controls.
Protecting against untargeted malware is still important, but newer threat activity such as the 2015 and 2016 Ukraine power grid attacks might not be detected by controls that merely satisfy the current set of requirements. To keep pace with threats, future standards need to incorporate threat monitoring techniques and allow a modern cyber risk management approach to be reflected in compliance efforts.
Unfortunately, the cybersecurity controls currently being pursued for pipelines are built around today's threats, most notably ransomware. They also need to account for how pipeline security will have to grow in the coming years.
Where’s the Risk?
Early versions of NERC CIP used language such as “reasonable business judgment” and “acceptance of risk.” Because no detailed risk management approach backed those phrases, FERC directed NERC to remove them while keeping the Risk-Based Assessment Methodology (RBAM) used to identify Critical Assets and Critical Cyber Assets.
In 2009, Mike Assante, then NERC’s chief security officer, wrote an open letter to industry calling out the lackluster identification of Critical Assets under that methodology. In response, the current version of the NERC CIP Reliability Standards uses “bright-line criteria” to categorize Bulk Electric System Cyber Systems as High, Medium or Low Impact.
Unfortunately, this approach says little about the cyber risk of any individual system. Without a standard that addresses cyber risk directly, mandatory standards will always be a “least common denominator”: whatever stakeholders can agree upon for each requirement given their current budgetary, workforce and technology constraints.
Future standards in pipeline cybersecurity should understand the crawl/walk/run approach to security and have ways to allow for growth, similar to the latest version of the U.S. Department of Energy’s Cybersecurity Capability Maturity Model (C2M2). Providing “basic requirements” complemented with a maturity model approach is something that was similarly explored in the NIST Cybersecurity Framework and should be leveraged to help ensure security is a journey of constant improvement.
The challenge with any program is usually governance, not execution. Where does one delineate the end of a compliance program and the beginning of a security program? Which one wins, the compliance program or the security program? Ideally, security equals compliance and compliance equals security — but in practice this is rarely achieved. Each manages different kinds of risks — regulatory risk vs. security risk — and deconflicting them is not always easy. Some common issues in scoping security and compliance programs involve:
- Who decides the governance controls? What is the internal guideline for applying the standard?
- Who executes on those controls? Engineers? Operators? OT security? IT security? Compliance?
- Where is the boundary for “who owns what” in the ICS? The firewall? Specific device types?
- How much do the controls impact vendors, contractors and other support teams? Who manages them?
As the list shows, resolving these issues requires strong internal partnerships. While it is not possible to mandate organizational structures for an entire industry, it is possible to provide guidance on roles and responsibilities for pipeline security, including executive involvement.
Wins: A Legacy of Success
It’s easy to point out all the flaws in any regulation. But there are also some “easy wins” pipeline asset owners and operators can leverage with the new TSA Security Directives.
Senior Leadership Visibility
For better or worse, executive leadership is now engaged in pipeline cybersecurity more than ever. The directives establish clear roles and responsibilities, with direct government input and outreach. This makes communication with, and access to, leadership easier, paving the way for additional improvement where needed and an overall “culture of security” — but only if organizations embrace the change.
Nothing unlocks the potential security budget like “it’s required by regulation.” Various NERC CIP compliant utilities have been successful in growing their overall security program, with meaningful controls, based on those four words. No one wants to be found in noncompliance or the focus of an investigation — and certainly not because they declined a capital or operational expenditure presented to them by their OT security or compliance team.
Future of ICS Security Standards
We don’t have a crystal ball, but it’s worthwhile to outline what we see based on real-world threats and how any ICS security standard should improve.
Having visibility across both IT and OT security, for example, is imperative as organizations mature. To help manage the most common cyber risks, we recommend the following investments:
- Training and Cyber Workforce Development: Most utilities can gain immediate capabilities across both IT and OT systems by investing in utility-specific cybersecurity training. Per dollar, training provides the greatest return on investment for utilities in their earlier maturity levels. A properly trained workforce can help evaluate technologies, write policies and procedures, audit existing practices and address systems weaknesses.
- Detection Capabilities: The first step in responding to a cybersecurity incident is being able to detect one happening. This requires sufficient technologies and expanded visibility across both IT and OT systems, with an adequately trained security team that understands both environments. Moreover, an understanding of threats in the sector can help utilities better understand what detection techniques may work for their specific systems.
- Incident Response and Recovery: Detection without response is of little value for utilities. As technology requirements expand, so must the incident response team and their capabilities. Maturing incident response capabilities requires constant training and process improvements, which may benefit from the incentives outlined in the staff white paper.
The categories above follow the age-old motto in security: “Prevention is ideal, but detection is a must. And detection, without the ability to respond, is of little value.”
Understanding the threats we’re facing in critical infrastructure and adapting to the growing risks with the right combination of people, technology and processes is imperative. There are great examples of what has both worked and not worked to draw on as we further mature and improve.
Security and standardization are not only “doable,” but preferable to the alternatives.
Tags: March April 2022 Print Issue
Ben Miller is vice president of professional services and R&D, and Jason D. Christopher is principal cyber risk advisor at Dragos Inc., a firm that specializes in industrial cybersecurity.