The Cybersecurity Infrastructure & Security Agency (CISA) has released its new Cross-Sector Cybersecurity Performance Goals (CPGs), a foundational set of IT and operational technology (OT) practices and recommendations that can help smaller, lesser-resourced organizations better prioritize cybersecurity efforts and reduce risk.
As organizations embrace cyber-physical systems (CPS) and advancements of digital transformation, CISA’s CPGs will become an invaluable cybersecurity guide and checklist for critical infrastructure owners — many of whom are considered small or medium-sized private-sector entities. While some of these critical infrastructure entities serve relatively small communities with their critical services such as water and electricity, others may represent linchpins to economic security and public safety such as pipelines.
While this is a very complex topic for policy makers and cyber security professionals, CISA and many others have acknowledged that the reality on the ground today is that there is a resource gap hindering the efforts of many of these companies. While the CPGs alone will not solve this problem, a set of cost-effective, outcome-orientated, actionable practices will help bridge the gap.
We’d like to focus on the following five observations that we believe are most important regarding CISA’s CPGs.
The NIST Cybersecurity Framework has been the “go-to” recommendation for organizations looking to implement and follow a common set of standards and best practices in order to better manage risk. However, what’s become apparent during the past few years of escalating cyber attacks is that smaller, less-resourced critical infrastructure entities struggle with knowing where to start. For organizations whose core business is not cybersecurity, deciphering which goals are actionable out of 400 pages of guidance can be overwhelming.
The publication of CISA’s CPGs has been an invaluable first step in making NIST CSF implementation less arduous. And, according to CISA, they should be viewed as a “quick-start guide” to identifying and implementing basic cybersecurity practices. Each of the seven CPGs includes a visual model that describes a desired outcome, risks that are addressed, mitigations, and recommended actions. Each CPG is also mapped to corresponding subcategories within the NIST framework, at a much more digestible level than the set of controls described within the CSF.
Organizations can use the resources within the CPGs to not only prioritize which controls they should consider implementing, but also to communicate to business and technical leaders the cost and impact of implementing those controls.
Much of the designated critical infrastructure is privately owned in the United States — and is primarily made up of small utilities that are often geographically dispersed and lack awareness of the cyber implications related to increasingly connected IT and OT infrastructure. Even if these organizations do understand the risks they face, their lack of funding and focus on keeping critical services afloat keeps cybersecurity from becoming a priority.
Such utilities are low-hanging fruit for opportunistic attackers and emblemize our target-rich, cyber-poor analogy. The results of a 2021 Water Sector Coordinating Council cybersecurity state of the industry survey, for example, painted a gloomy picture of where owners were struggling, particularly around identifying networked IT and OT assets, the infrequency of risk assessments, and the lack of cybersecurity training and funding sector-wide.
CISA’s CPGs clearly define impactful wins that senior business and technology leaders can understand and attain. More importantly, the goals and accompanying checklists can help them mitigate risk from opportunistic attackers feasting on low-hanging fruit such as default credentials to gain access to critical systems.
Asset owners and operators of critical infrastructure entities are particularly in the crosshairs of criminal and state-sponsored threat actors. Both types of hackers have demonstrated a willingness to increasingly push the boundaries and use cyberattacks to cause impact in the physical world in order to obtain financial or geo-political objectives. As recently as 2022, the Russian government was planning to use the Incontroller toolkit to cause disruption to Ukrainian critical infrastructure.
Despite the risk posed by attacks on cyber-physical systems, which may impact the physical world and public safety, aging OT assets are frequently exposed and vulnerable. CISA has recognized this shortcoming and has created OT-specific goals and actions within the CPGs. Without this specificity, asset owners may either conclude that OT assets are not at risk, or that the practices don’t apply to them. We highlight a few points in the CPGs that are particularly important:
OT Cybersecurity Leadership: CISA is recommending organizations establish a single leader responsible for OT asset cybersecurity. This goal leaves sufficient latitude for an organization to establish a single leader — such as a CISO — for IT and OT security leadership, or to establish separate leaders for each. We believe that within the organizational hierarchy, it’s important to assign a named role and title that forces ownership and accountability of OT cybersecurity.
OT Cybersecurity Training: CISA also recognizes the unique role engineers may have in defending OT networks and devices from threats, and recommends annual specialized OT-focused cybersecurity training. While organizations may have a security operations team, we believe enabling and empowering the OT engineers as the first line of defense to spot and mitigate cyber risk is critically important. Establishing a training objective for OT cybersecurity can serve to spot and mitigate risks before they are realized, and is akin to training IT users not to click on suspicious links or open attachments.
Vulnerability Mitigation: Vulnerability management is another area within the CPGs that CISA has made OT-specific recommendations. We applaud the recognition that OT networks cannot always be patched in a timely manner given organizations’ aversion to downtime or the fact that some field devices and control systems simply cannot be patched. In these cases, CISA recommends compensating controls such as network segmentation and access controls as mitigations until software patches and firmware updates may be applied.
Access and Authentication: Several goals point to the need to remove default passwords, establish multi factor authentication, and implement unique credentials for assets. While some OT assets may have shared passwords and hard-coded credentials, there are controls available to mitigate many of these inherent risks within OT assets by providing an abstraction layer that enables fine-grained role-based access on top of inherent identity-based risks to OT assets. Technology that enables secure access may enable cyber security teams to address several goals simultaneously with these approaches.
One other note is that in addition to mapping the goals to the NIST CSF, the CPGs are also aligned closely with IEC 62443. IEC 62443 is a set of standards, technical specifications, and reports tightly followed by asset operators in order to secure industrial automation and control systems. The OT recommendations within the CPGs are closely aligned to this series of standards, and demonstrates an appreciation of the differences between IT and OT security, and will create more acceptance from industrial engineers.
While CPGs are not mandatory, there is increasing evidence and conviction that free market forces alone will not change behavior to better protect critical infrastructure from cyber threats. CISA’s CPGs are not only a quick-start guide for smaller and less-resourced organizations, but they may also be a jumping off point for upcoming regulations coming from the White House and Congress. Regulators now have a CISA-approved, pre-built checklist of critical areas to focus on that address key practices such as account security, data and device integrity, supply chain and third-party risk, and response and recovery.
The same may apply to cyber insurance providers. We predict that underwriters may also use the CPGs as a minimal baseline of best practices and standards that users must have in place before policies are issued and claims paid out.
In the meantime, it’s important to recognize today’s release as the first iteration of the CPGs.
Sector-specific CPGs will likely follow that will address the particular needs of each of the 16 CI sectors as identified by the federal government.
V1 of the CPGs cuts across all sectors and can help guide strategy and investment decisions, it’s important to continue to iterate and address specific needs relevant to each sector.
For today, the target-rich/cyber-poor operators in critical sectors have a means by which technical and non-technical leaders may begin to address the growing cyber risks to their businesses.
In addition to the 5 things you need to know about CISA’s CPGs listed above, our team of experts conducted a webinar sharing their forward-looking predictions on how the CPGs will impact critical infrastructure industries in the next 12 to 24 months. As organizations embrace cyber-physical systems and digital transformation, they must evolve their cybersecurity strategies to mitigate the risk posed by an expanded attack surface. CISA’s CPGs will serve as an actionable set of best practices that are applicable across all critical sectors, and will help them overcome this challenge, ensuring cyber and operational resilience. Check out our webinar to gain insight into more of our predictions for CISA’s CPGs and how our Claroty experts can help.
Interested in learning about Claroty's Cybersecurity Solutions?