
5 Things You Need to Know About CISA’s New CPGs

Grant Geyer
/ October 27th, 2022

The Cybersecurity and Infrastructure Security Agency (CISA) today released its new Cross-Sector Cybersecurity Performance Goals (CPGs), a foundational set of IT and operational technology (OT) practices and recommendations intended to help smaller, less-resourced organizations prioritize their cybersecurity efforts and reduce risk.

The CPGs could become an invaluable cybersecurity guide and checklist for critical infrastructure owners, many of whom are considered small- or medium-sized private-sector entities. While some of these critical infrastructure entities serve relatively small communities with critical services such as water and electricity, others may represent linchpins to economic security and public safety such as pipelines.

While this is a complex topic for policymakers and cybersecurity professionals, CISA and many others have acknowledged that the reality on the ground today is a resource gap that hinders the efforts of many of these companies. The CPGs alone will not close that gap, but a set of cost-effective, outcome-oriented, actionable practices will help bridge it.

We’d like to focus on the following five observations we believe are important about the CPGs. 

1. An Entry Point to NIST CSF Implementations 

The NIST Cybersecurity Framework (CSF) has been the "go-to" recommendation for organizations looking to implement and follow a common set of standards and best practices in order to better manage risk. However, what has become abundantly clear over the past couple of years of cyberattacks is that smaller, less-resourced critical infrastructure entities struggle with knowing where to start. For those whose core business is not cybersecurity, turning 400 pages of guidance into something actionable can be overwhelming.

Today's publication of the CPGs is an invaluable first step in what can be an arduous NIST CSF implementation. According to CISA, the CPGs should be viewed as a "quick-start guide" to identifying and implementing basic cybersecurity practices. Each goal is presented with a visual model that describes the desired outcome, the risks and adversary techniques it addresses, the recommended actions, and ratings for cost, impact, and complexity. Each goal is also mapped to the corresponding subcategories within the NIST framework, but at a far more digestible level than the entire set of controls described within the CSF.

Organizations can use the resources within the CPG to not only prioritize which controls they should consider implementing, but also to communicate to business and technical leaders the cost and impact of implementing those controls. 

2. Empowering the Target-Rich, Yet Cyber-Poor

Much of the designated critical infrastructure is privately owned in the United States—and much of it is made up of small utilities that are often geographically dispersed and lack the awareness of the cyber implications of an increasingly connected IT and OT infrastructure. Even if these organizations understand the risks they face, a lack of funding and a focus on keeping critical services afloat keeps cybersecurity from being prioritized. 

Such utilities are low-hanging fruit for opportunistic attackers and exemplify our target-rich, cyber-poor analogy. For example, the results of a 2021 Water Sector Coordinating Council cybersecurity state-of-the-industry survey painted a gloomy picture of where owners were struggling, particularly around identifying networked IT and OT assets, the infrequency of risk assessments, and the lack of cybersecurity training and funding sector-wide.

The February 2021 incident at a water treatment facility in Oldsmar, Fla., also shed light on systemic problems undermining critical infrastructure in the U.S., including problematic legacy software and insecure remote access. 

CISA’s CPGs clearly define impactful wins that senior business and technology leaders can understand and attain. More importantly, the goals and accompanying checklists can help them mitigate risk from opportunistic attackers feasting on low-hanging fruit such as default credentials to gain access to critical systems.

3. Signaling a Mindset Shift on OT Cybersecurity 

Asset owners and operators of critical infrastructure entities are squarely in the crosshairs of criminal and state-sponsored threat actors. Both types of attackers have demonstrated an increasing willingness to push the boundaries and use cyberattacks to cause impact in the physical world in pursuit of financial or geopolitical objectives. As recently as 2022, the Incontroller (also known as PIPEDREAM) toolkit, a set of attack tools purpose-built to disrupt industrial control systems, was disclosed by researchers, who assessed it as state-sponsored and consistent with Russia's interests in Ukrainian critical infrastructure.

Despite the risk posed by attacks on cyber-physical systems, which may impact the physical world and public safety, aging OT assets are frequently exposed and vulnerable. CISA has recognized this shortcoming and has created OT-specific goals and actions within the CPGs. Without this specificity, asset owners may either conclude that OT assets are not at risk, or that the practices don’t apply to them. We highlight a few points in the CPGs that are particularly important: 

  • OT Cybersecurity Leadership: CISA is recommending organizations establish a single leader responsible for OT asset cybersecurity. This goal leaves sufficient latitude for an organization to establish a single leader—such as a CISO—for IT and OT security leadership, or establish separate leaders for each. We believe that within the organizational hierarchy, it’s important to assign a named role and title that forces ownership and accountability of OT cybersecurity. 

  • OT Cybersecurity Training: CISA also recognizes the unique role engineers may have in defending OT networks and devices from threats, and recommends annual specialized OT-focused cybersecurity training. While organizations may have a security operations team, we believe enabling and empowering the OT engineers as the first line of defense to spot and mitigate cyber risk is critically important. Establishing a training objective for OT cybersecurity can serve to spot and mitigate risks before they are realized, and is akin to training IT users not to click on suspicious links or open attachments.

  • Vulnerability Mitigation: Vulnerability management is another area in which the CPGs make OT-specific recommendations. We applaud the recognition that OT networks cannot always be patched in a timely manner, whether because of organizations' aversion to downtime or because some field devices and control systems simply cannot be patched. In these cases, CISA recommends compensating controls such as network segmentation and access controls as mitigations until software patches and firmware updates can be applied.

  • Access and Authentication: Several goals point to the need to remove default passwords, establish multi-factor authentication, and implement unique credentials for assets. Some OT assets have shared passwords or hard-coded credentials that cannot be changed on the device itself; in those cases, controls are available that add an abstraction layer in front of the asset and enforce fine-grained, role-based access on top of the device's inherent identity weaknesses. Secure remote access technology that works this way can let security teams address several of these goals at once.

One other note is that, in addition to being mapped to the NIST CSF, the CPGs are also closely aligned with IEC 62443, the series of standards, technical specifications, and technical reports that asset operators follow to secure industrial automation and control systems. The OT recommendations within the CPGs track this series closely, which demonstrates an appreciation of the differences between IT and OT security and should earn more acceptance from industrial engineers.

4. Future Impact on Regulatory Action, Cyber Insurance   

While the CPGs are not mandatory, there is increasing evidence and conviction that free-market forces alone will not change behavior enough to protect critical infrastructure from cyber threats. CISA's CPGs are not only a quick-start guide for smaller and less-resourced organizations; they may also be a jumping-off point for upcoming regulations from the White House and Congress. Regulators now have a CISA-approved, pre-built checklist of critical areas to focus on that addresses key practices such as account security, data and device integrity, supply chain and third-party risk, and response and recovery.

The same may apply to cyber insurance providers. We predict that underwriters may also use the CPGs as a minimal baseline of best practices and standards that users must have in place before policies are issued and claims paid out. 

5. CISA Committed to Input and Addressing Sectors’ Unique Needs

It's important to recognize today's release as the first iteration of the CPGs.

Sector-specific CPGs will likely follow to address the particular needs of each of the 16 critical infrastructure sectors identified by the federal government.

Version 1 of the CPGs cuts across all sectors and can help guide strategy and investment decisions, but it is important to continue to iterate and address the specific needs of each sector.

For today, the target-rich/cyber-poor operators in critical sectors have a means by which technical and non-technical leaders may begin to address the growing cyber risks to their businesses.
