Building the right collective defense against cyberattacks for critical infrastructure
As an increasing range of cyberattacks threaten to compromise industrial controls, take safety systems offline and interrupt critical services like electricity and water, the cybersecurity challenges facing critical infrastructure are too great for any one organization to solve alone. Industrial systems have become more connected and digitized, and our adversaries have learned to weaponize the very systems that support society to instead threaten human health and life at scale.
We must respond as a community, across industry and government, to defend and protect that infrastructure through true collective defense. There are important roles and responsibilities for critical infrastructure organizations, cybersecurity vendors and government bodies at federal, state and local level. But when these roles are ill defined, it leads to an ineffective or counterproductive response. We need government leaders to align across agencies with a consistent approach to fostering strong cybersecurity and empowering critical infrastructure owners and operators to address those challenges based on their knowledge of their systems.
The new National Cybersecurity Strategy hints at tackling some of these things, but the proof will be in the implementation. First, the strategy does address the overlapping cybersecurity regulatory frameworks that critical infrastructure owners and operators must follow. Now, the government must harmonize these regulations to allow organizations to focus on real security, not just compliance. Second, the strategy does highlight the importance of public-private sector collaboration. Now, we need a new model of collaboration — a model that fully utilizes private sector expertise and capabilities.
A model that works: talk to the regulated
The industrial threat landscape is changing and our adversaries are targeting the organizations, assets and systems that support and operate our most essential services and operations. That increasingly includes operational technology and industrial control systems, the specialized computers and networks that interact with the physical environment, such as a control system that opens a circuit breaker on an electric substation or a gas turbine control system that generates electricity. They are what makes critical infrastructure critical.
To defend this infrastructure, largely owned and operated by the private sector, experience shows that what works best is for the government to communicate to the private sector why cybersecurity for these systems is important and what the outcomes should be, but to leave the how to the asset owners and operators who are the best experts on their own systems. We have seen successful examples of this model. When the Federal Energy Regulatory Commission and North American Energy Reliability Corporation propose regulation, they first detail what they seek to achieve. NERC then forms a committee of members across the community to evaluate the effectiveness and feasibility of the proposed changes. This process allows for time, input, and alignment to create regulations that better meet the objectives.
In 2021 for the Industrial Control Systems Cybersecurity Initiative, or 100-Day Sprint for the electricity sub-sector, the administration, the Department of Energy, and the Cybersecurity and Infrastructure Security Agency coordinated on priorities. In turn, the industry CEO-run Electricity Subsector Coordinating Council led a group to rapidly enhance visibility across industrial networks to detect cyberthreats by deploying commercial technologies, including one developed by my company Dragos called Neighborhood Keeper. As a result, asset owners and operators, as well as the U.S. government, now have access to real-time insights from across the industrial networks of the power companies that serve over 70% of Americans for free. These were tangible outcomes with real impact.
Next generation public-private partnerships
In this example, the government played to their strengths to counter a strategic national threat. They understood and prioritized what was important (visibility, response, and detection of industrial cyberthreats) and called on private sector expertise to help achieve their goals most efficiently. This is how we bring public-private partnerships to the next level to optimize how we use the knowledge and capabilities across both government and industry. Where it already exists in the private sector, the government does not need to create its own, duplicative technology. They should instead focus their amazing talent on longer-term strategic initiatives, such as the DOE’s Cybersecurity Informed Engineering efforts to build cybersecurity resilience and principles into engineering efforts. The program operates in an area where there is not a commercial market and closes a gap most appropriately addressed by government researchers.
There are also tools developed and already deployed by the private sector that can answer key strategic questions for the government or provide agencies with the visibility they need into the vulnerabilities of critical infrastructure supply chains, including things like querying for Chinese-manufactured technologies and components in the U.S. energy sector. By using these existing capabilities, we can get answers to important questions in minutes instead of months or years.
Better together
Cyberthreats are growing but we’ve proven we are successful at defense when we work together as a community and apply existing industry expertise and capabilities to the furthest extent possible. If the government comes together with a cohesive voice to define the priorities and industry does what they do best and addresses those priorities, together we can meet the challenge. In the infrastructure community, we all live and work in the communities we serve. We want to defend our national security and keep people safe because those are our families, too.
Robert M. Lee is the CEO and co-founder of Dragos, a company that focuses on cybersecurity for industrial controls systems and operational technology environments.