Cybersecurity threats to critical infrastructure continue to rise as threat actors take advantage of the acceleration of digital transformation initiatives spurred by the pandemic, rapid growth in several sectors and geographies, and the shift to working from home. While the cost benefits and competitive advantages of connectivity are great for business, they have also introduced additional cyber risk. With the rise of the Extended Internet of Things (XIoT), cyber-physical systems and the underlying connected assets that were never designed to co-exist in a connected environment are now subject to an expanded attack surface. This includes IT and Operational Technology (OT) assets, the growing variety of IoT technologies, and the processes and pathways that connect them.
To help organizations reach a baseline of defense more rapidly, the Cybersecurity and Infrastructure Security Agency (CISA) recently released its new Cross-Sector Cybersecurity Performance Goals (CPGs). Organizations should consider the guidelines a simpler, more direct starting point for implementing best practices from the NIST Cybersecurity Framework (CSF), which, while more comprehensive than the CPGs, can also be overwhelming. CISA describes the seven CPGs as “a prioritized subset of IT and OT cybersecurity practices aimed at meaningfully reducing risks to both critical infrastructure operations and to the American people.”
In this blog, we’ll take a closer look at key areas put forth in Section 4 of the CPG core document around cybersecurity leadership and governance in today’s highly interconnected environments. We’ve supplemented the recommended actions with some of Claroty’s key learnings and best practices based on years of experience working with critical infrastructure organizations of all sizes and within various sectors.
CISA recommends that a named role, position, or title be identified as responsible and accountable for planning, resourcing, and executing cybersecurity activities. This may include activities such as managing cybersecurity operations at the senior level, requesting and securing budget resources, and leading strategy development.
We have observed that many organizations begin down the path of creating an OT governance process and Security Operations Center (SOC) separate from IT. Recreating processes and doubling the coordination effort wastes time and isn’t effective. Instead, what’s needed is an XIoT SOC that cohesively addresses IT and OT cybersecurity concerns within the broader scope of XIoT cybersecurity. As such, we agree that the most effective approach is to centralize organizational cybersecurity leadership and governance under one person. This could be the CISO or someone who reports to the CISO and has a great deal of strategic experience and management expertise. We find that, ideally, the Organizational Cybersecurity Leader should be appointed internally. This helps ensure they have the institutional knowledge and established working relationships needed to overcome the challenges of consolidating governance while maintaining continuity of monitoring and reporting.
CISA recommends that a named role, position, or title be identified as responsible and accountable for planning, resourcing, and executing OT-specific cybersecurity activities. CISA notes that in some organizations this might be the same person as the Organizational Cybersecurity Leader.
The OT Cybersecurity Leader must be able to serve as the point person in the event of an incident and be knowledgeable about SOC procedures, requirements, and objectives, or be willing to undergo training on these subjects. Additionally, Claroty recommends a Cybersecurity Site Leader (CSL) at each of an organization’s physical OT sites who can speak the language of the plant stakeholders and understands their roles well enough to work with them effectively to resolve critical issues. During a security incident, the CSL must be prepared to lead the rapid response, coordinating with the SOC and site-specific OT personnel. The CSL must be able to accurately gauge the severity of the event and weigh the tradeoff between the risk at hand and the potential operational disruption that mitigation actions could cause.
Strong working relationships are essential for overcoming challenges involved with bringing together IT and OT personnel to work toward common objectives. CISA recommends that organizations sponsor at least one social gathering a year that is focused on strengthening working relationships between IT and OT security personnel.
In our experience, one of the foundational challenges of bringing IT and OT teams together to strengthen an organization’s overall security posture is that the teams typically have different priorities. Social gatherings provide an opportunity to build IT and OT alignment and, if possible, should be held more frequently than once a year. The misalignment stems from the fact that IT and OT teams rank the three principles of confidentiality, integrity, and availability differently. The teams that manage information security typically prioritize confidentiality of data over integrity and availability, whereas the teams that run OT networks prioritize availability (or uptime) over integrity and confidentiality. To make headway in bridging the IT-OT security gap, we must respect those priorities. The risk of disruption and downtime involved in implementing a new security control, a patch, or a system upgrade is a non-starter for OT teams, and making changes to the multimillion-dollar systems that run production environments usually voids warranties. Strategies that build strong working relationships and mutual understanding will foster an environment where teams can find middle ground.
While adherence to the CPGs is not mandatory, the need to improve the cybersecurity of our nation’s critical infrastructure is urgent amid unprecedented cyber threats. CISA’s CPG guidelines are a great way to get started quickly on a subset of practices prioritized for risk reduction, or to benchmark existing programs, validate that critical areas are covered, and close any gaps. Effective cybersecurity leadership and governance are foundational to a strong cybersecurity posture, so we suggest starting here first.