December 6, 2023 at 10:01AM
CISA aims to secure the US’s cyber and physical infrastructure but has few clear precedents to guide effective strategies. Although CISA does not set cybersecurity policies for individual organizations, questions arise about the measurability and impact of its risk reduction efforts and Cyber Performance Goals (CPGs). Critical infrastructure cybersecurity is complex, with proprietary operational technology (OT) posing unique challenges. Federal R&D lacks a complete understanding of OT and sector-specific needs. Efforts are underway to improve sector risk management and align strategies with CISA’s goals, amidst concerns over the affordability of compliance and of government-provided security services for businesses.
Meeting Takeaways:
1. CISA’s Mission: CISA is tasked with understanding and reducing risks to the U.S. cyber and physical infrastructure. It does not set cybersecurity policies for individual organizations.
2. Questions Regarding Strategic Plan: While CISA’s plan strives for risk reduction, participants questioned whether the Cyber Performance Goals (CPGs) are measurably effective. The primary concern should be identifying the thresholds for impactful incidents and understanding how the proposed objectives would lessen the severity of such incidents.
3. Role of Private Sector: Companies must take responsibility for their cybersecurity; they have the means to enhance their defenses and mitigate risks.
4. OT vs. IT Security: Operational Technology (OT) security in critical infrastructure presents unique challenges due to its proprietary nature and site-specific configurations, necessitating a more nuanced, case-by-case approach to risk management.
5. Lack of Understanding: There is insufficient comprehension of industrial assets in critical sectors, and a need for better knowledge of nationally critical operational components and for defense strategies based on the effects of their compromise.
6. Sector Risk Management: Ideally, a dedicated cybersecurity expert would be present for each critical sector; however, this isn’t currently feasible. Entire supply chains should align with CISA CPGs to ensure comprehensive cybersecurity.
7. Compliance Costs: Excessive compliance costs could make it unaffordable for small to medium-sized businesses to comply with necessary cybersecurity regulations.
8. R&D Gaps in OT Security: There is a gap in federal R&D concerning the understanding of OT and industrial control systems. Metrics should focus on impact and context-specific environments.
9. Gaps Identified in White Paper: A white paper released by the Resilient Investment Planning and Development Working Group highlights key gaps and needs in OT cybersecurity research, with emphasis on integrated analysis, common definitions and metrics, and user engagement in research.
10. CISA’s Current Focus: Baselining critical infrastructure resilience is a major goal for CISA’s 2024-2026 strategy, aiming to address threats, improve security, and achieve outcomes through mapped cybersecurity standards and controls.
11. Industry Challenges: The industry struggles with basics such as impact analysis, defensible architectures, and vulnerability management across cyber-physical systems, indicating a need for improved application of these core strategies.
Overall, the meeting underscored the necessity of a more nuanced approach to OT security, a greater synergy between CISA’s goals and industry practices, as well as addressing the gaps in research and development to strengthen the resilience of critical infrastructure against cyber threats.