As Colonial Pipeline restarted operations yesterday, resuming distribution of fuel to the East Coast, the White House announced President Biden had signed an executive order mandating improvements to the cybersecurity of the federal government.
The ransomware attack that shut down Colonial Pipeline—the most impactful cyberattack against U.S. critical infrastructure to date—is just the latest incident in a harrowing year that includes a state-sponsored supply-chain attack against SolarWinds and zero-day exploits of severe vulnerabilities in ubiquitous Microsoft Exchange deployments.
It's under this shadow that the executive order was put into effect yesterday. The order also follows a 100-day push by the Biden administration to improve electric grid cybersecurity; this effort requires extensive public-private sector cooperation given many utilities are privately owned.
Such cooperation is also a hallmark of the executive order, with the president asking private-sector companies and privately owned critical infrastructure operators to follow the government's lead with the goal of minimizing incidents.
Broadly, the executive order covers threat information sharing between government and the private sector, modernization of federal cybersecurity standards, hardening of supply-chain security, the establishment of of a cybersecurity safety review board, creation of a standard playbook for responding to cyber incidents, improved detection of incidents on federal networks, and better investigative and remediation capabilities.
Many industrial enterprises—including those in critical infrastructure, discrete manufacturing, food & beverage, and many others—should evaluate the recommendations made in the executive order because they likely also apply to their own infrastructures. Many companies are converging IT and operational technology (OT) networks, and industrial control systems once air-gapped from business networks are increasingly exposed to the internet. As a result, attackers exploiting critical vulnerabilities in IT systems may also now impact industrial processes as we saw with the Colonial Pipeline ransomware attack.
Let's look at some aspects of the executive order:
The government wants to establish baseline secure software development standards for anything sold to the government, asking for visibility into development practices and security data. While the order focuses on federal government software, many of these same products are used by businesses and consumers around the world. At present, there are limited standards to help the government, enterprises, and consumers understand the security of coding practices from their software suppliers. The order establishes a set of comprehensive standards including secure development environments, artifacts to demonstrate conformance, and automated tools and processes to ensure a secure supply chain, detection of vulnerabilities, and safe third-party libraries.
Hand-in-hand is the creation of a pilot program that is an Energy Star equivalent for labeling software products. This should create important economic incentives for secure coding. Establishing a gold standard that enterprises and consumers can recognize and trust when purchasing software products and IoT devices will provide great economic incentives for providers to implement secure coding practices.
The executive order has a significant focus on modernizing and implementing cybersecurity standards and architectures. Of note is the strong focus on Zero Trust Network Architectures (ZTNA), an approach that treats all users as untrusted unless they prove that they are trusted.
While strong authentication mechanisms such as zero trust are heavily adopted in new IT infrastructures, they are much less prevalent in operational technology (OT) environments – where industrial processes such as oil transportation and water treatment actually happen. The broad adoption of ZTNA by the federal government sets a good, high bar for enterprises to protect their industrial control systems.
Given the significant risks exposed by the water-supply attack in Oldsmar and the Colonial Pipeline ransomware attack, lessons learned from such high-profile incidents must be leveraged to make all industrial enterprises safer.
The executive order's establishment of a Cyber Safety Review Board appears to be the equivalent of the National Transportation Safety Board, which is the globally recognized gold standard to conduct retrospective analysis and share safety learnings after transportation disasters.
As the NTSB was established to build public trust in the safety of transportation, the Cyber Safety Review Board holds that same potential for cybersecurity in both the public and private sector. And just think about how valuable the learnings are from an aviation disaster – the cyber industry also needs this to avoid repeated mistakes.