Successful Critical Infrastructure Security Regulations Use Risk-Informed Approach

In order to get critical infrastructure cybersecurity regulations right, regulators need to focus on risk reduction and performance outcomes rather than prescriptive measures, according to a panel at Hack the Capitol 6.0.

While regulatory efforts for critical infrastructure cybersecurity are on the rise, these measures will not be effective in actually reducing risk if they merely serve as a compliance checklist for operational technology (OT) systems, said panelists during a session at Hack the Capitol 6.0 on Wednesday.

Cybersecurity for critical infrastructure is still somewhat new from a regulatory standpoint, with the Colonial Pipeline ransomware attack spurring a tangle of new regulations in this space, spearheaded by the Biden administration’s 2021 Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure executive order. However, are cyber regulations actually helping critical infrastructure operators reduce cyber risk? Panelists on Wednesday said it is largely contingent on how risk-informed and outcome-focused the regulations are.

“It really depends on how cybersecurity regulations are developed and implemented,” said Katherine Ledesma, head of public policy and government affairs at Dragos. “If they are thoughtfully developed and implemented, in coordination with experts from the affected sectors or industry, they certainly can raise the bar on cybersecurity maturity for that sector and also reduce aggregate risk to the nation. As we continue this conversation about cybersecurity regulation we need to keep focus on true risk reduction and security and not focus as much on simple compliance.”

Technology changes so rapidly that regulations are often outdated as soon as they are written, said Ledesma. At the same time, regulatory efforts that are too prescriptive or that use poorly written language become a distraction and do little to actually reduce risk - and in a worst-case scenario may actually divert the attention of risk managers.

A big challenge is that a misconception exists that OT systems work the same way as IT systems, and therefore existing IT regulations can also be applied to these environments. That’s not true at all, as critical infrastructure operators need to deal with a number of factors like critical downtime and the complexity of legacy systems, which can both complicate security measures that are standard for IT like patch management processes.

Here, working with critical infrastructure asset owners, operators and other stakeholders with knowledge of the domain is key to better understanding how to keep these systems safe and what actually helps. When the Transportation Security Administration (TSA) published an updated Security Directive in July 2021, for instance, it was met with criticism from pipeline operators, who said that the directive pushed security practices suited to IT systems rather than OT systems. After working with the affected oil and natural gas pipeline owners to get their feedback, the TSA last year released a new directive that gave more flexibility in how the measures could be applied and that relied on performance-based indicators rather than prescriptive requirements.

“For a long time we assumed systems were architected similarly if not the same,” said Robert Morgus, senior advisor of risk and resilience at Berkshire Hathaway Energy. “However, in most operational environments at this point, you have legacy systems, you have new systems, everyone’s architecting and building differently… when you have such diverse environments, the owners and operators understand those environments better than anyone else, they understand what needs to go in to protect those environments better than anyone else and if a regulator is not engaged with those owners and operators, you can have some pretty bad outcomes.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has aimed to bring parties together and better understand critical infrastructure priorities, nomenclature and challenges by creating the Joint Cyber Defense Collaborative (JCDC), an agency effort to develop cyber defense plans with both public and private sector entities.

At the same time, effective regulations need to be adaptable and focus on risk reduction regardless of organizations’ size, sector or maturity. Two efforts that are voluntary for organizations across the 16 designated critical infrastructure sectors - NIST’s cybersecurity framework and CISA’s performance goals released last year - do not force critical infrastructure operators to apply specific security procedures, for instance, but instead aim to give them a “common lexicon” to discuss these issues that didn’t exist before.

“We’re trying to get people to coalesce around these ideas, where we’re giving you a way to do this, but it’s not necessarily the way,” said Peter Colombo, senior advisor for the cybersecurity division at CISA.

While risk reduction is the goal, Morgus said that regulators need to understand that risk can be mitigated but not completely stopped. Instead, there needs to be a more focused approach on the companies that regulations apply to and a more rigorous approach to what is being required.

“We need to acknowledge that we are not going to require the risk away,” said Morgus. “The goal when you set out should not be to eliminate the risks. It should be to identify the risks that you can actually address.”