By Grant Geyer | June 7, 2021

The United States government has taken unprecedented steps since the start of 2021 to drive critical infrastructure owners and operators to demonstrably improve the cyber-resilience of their networks and systems. Cybersecurity, the government has acknowledged, is a top national security and economic priority, and prominent diplomatic and military policy discussions moving forward are likely to focus on cybersecurity.

It’s no wonder we’ve arrived at such a pivotal juncture. This year has been dominated by a dizzying pace of impactful attacks, from those exploiting technology supply chain and critical system vulnerabilities to landmark incidents at industrial enterprises, punctuated by the Colonial Pipeline and JBS Foods ransomware attacks. All of these have prompted the Biden administration to act (via an executive order, a 100-day plan to enhance the cybersecurity of electric utilities’ industrial control systems, and a TSA directive) in order to improve critical infrastructure security, as well as national and economic security.

The 100-day plan, coordinated by the Department of Energy (DOE), utilities, and CISA, is the pilot program for similar initiatives to come in other industries. It’s an opportunity for the security industry to demonstrate how it can work alongside stakeholders in the government, electric utilities, and academia to lock down operational technology (OT) networks, deny attackers access to these critical systems, and maintain the reliability and safety of industrial processes.

Today, Claroty announces its participation in the initiative by contributing to a Request for Information (RFI) to help inform future recommendations around the DOE’s long-term cybersecurity strategy, in particular to help combat foreign threats to the U.S. energy supply chain. Our position as a leading industrial cybersecurity vendor, with technology that has been validated by the world’s leading automation vendors, balanced by the invaluable work of our elite research team, gives us a well-rounded perspective to participate in this initiative, and be the influential voice in the industrial cybersecurity space.

Read Claroty’s Submission to the DOE here.

The DOE’s request is meant to inform not only the federal government, but also states, Indian Tribes, and local governments, with guidance relevant to technology and funding, as well as criteria for evaluating foreign ownership and influence as they relate to risks to the electric supply chain. The RFI also seeks input to best inform procurement policies and standards to mitigate risk.

Key points from our submission:

  1. States, Tribes, and local governments are being asked to secure electric grids within an environment averse to change, hampered by limited cybersecurity expertise and by aging technology that cannot be adequately updated to combat threat actors growing in number and sophistication. Escalating costs, a lack of standards and testing, and legacy systems are creating significant stress for utility owners and operators. Claroty asks the government to establish federal funding for OT cybersecurity programs to support electric utilities in their efforts to hire cybersecurity staff and acquire necessary controls. We also ask the government to work with bodies such as NIST and consider developing guidance for electricity providers around zero trust implementations, where access controls are shifted from network perimeters to users and devices, in order to significantly lower the risk utilities face from threat actors remotely accessing critical systems.
  2. As States, Tribes, and local governments seek out controls for industrial networks, purchases of OT security solutions will often introduce new technology and significant costs to organizations. Standards need to be developed that encourage the adoption of OT cybersecurity technology, as do tools to help utilities evaluate solutions to keep costs in check. Claroty advocates for a collaborative approach between DOE and NIST to develop product testing, grading, and labeling to help organizations assess products and keep from investing in deficient systems. To complement and encourage the adoption of emerging technology to protect critical infrastructure, asset owners and technology providers should be afforded liability protection if established standards are met; such a measure would nudge the vendor ecosystem to meet benchmarks that will protect electric utilities intent on improving the resiliency of networks and systems. Claroty further urges decision makers to model this effort on, or expand, the SAFETY Act to encourage broader adoption. The act provides purchasers with liability protections from terrorist attacks if they purchase certified counter-terrorism technology such as Claroty Continuous Threat Detection (CTD) or Secure Remote Access (SRA). The act mandates a rigorous review of products, and those that meet such a standard would provide liability protection to the purchaser. These protections would give system operators an additional incentive and protection in adopting a technology, and would encourage the adoption of proven technologies that, like Claroty’s, have been submitted for a thorough government review to demonstrate operational effectiveness.
  3. Foreign ownership, control, and influence (FOCI) risk management must be carefully implemented by the DOE in assessing supply chain risks. Broadly limiting foreign ownership and manufactured technology can put strain on friendly relationships with many of the leading automation technology providers based in allied countries, including non-NATO countries such as Japan and Israel. Siemens, Schneider Electric, Yokogawa, and many others are major cogs in the industrial economy, providing trusted technology that secures the sector’s OT networks and industrial control systems. Without careful consideration of this dynamic, the government runs the risk of putting allies and adversaries on equal footing and clogging an overburdened review process for systems built outside U.S. borders. By doing so, the U.S. would run the risk of limiting key technologies and services available to secure our grid, and exacerbate the FOCI mitigation process. Claroty encourages the government to efficiently promote trade relationships with allied partners, and purposefully set restrictions and approvals for adversaries under the umbrella of national security and risk mitigation. Limit the companies required to meet FOCI processes for foreign ownership to those based in neither a NATO country nor a major non-NATO ally.

Claroty’s RFI submission includes other recommendations that we urge you to review.

Commitment to Industrial Cybersecurity

Claroty is an established presence among some of the world’s largest manufacturers, food and beverage companies, and critical infrastructure operators, all of whom trust our technology and expertise to keep their organizations safe from threat actors.

CTD is deployed in many of these locations, bringing asset discovery and visibility hand-in-hand with threat detection and vulnerability mitigation. Our Secure Remote Access (SRA) solution, a purpose-built remote access product for industrial enterprises, complements CTD by ensuring that remote workers, partners, and authorized third parties safely access critical field devices and manage processes from anywhere.

As COVID-19 forced the creation of remote workforces, OT was not excluded, and SRA operators had a massive edge in monitoring for malicious remote activity, logging access from outside the network, and closing down remote connections in the event malicious activity is detected.

Meanwhile, the uptick in threat actor activity so far in 2021 has put industrial enterprises on notice that attackers are seeking access to OT networks, whether through opportunistic or targeted attacks. We’re encouraged by the government’s increased focus on ICS and OT security and are committed to our continued contributions to the security of the industrial world.