Cybersecurity of Our Infrastructure: Part Three

The critical manufacturing, dams, transportation systems, and water and wastewater sectors are some of the most influential in our everyday lives. Every day, people rely on public transportation to get to and from work, rail and aviation for important packages, clean water to cook, clean, and consume, the countless products created for everyday life, and the comfort of electricity that dams across the country provide (while also never fearing that rivers will overrun their homes). This is why Crest covered these four sectors specifically in this third edition of the Cybersecurity of Our Critical Infrastructure series; we are dedicated to giving you the past and present reality of our most cherished infrastructures and how they plan for and mitigate risks to their operational and information technologies.

To read the previous articles in this series visit CrestBlog!

Now let's begin our journey into the….

Critical Manufacturing Sector

Following EO 13636, “Improving Critical Infrastructure Cybersecurity,” the critical manufacturing sector worked closely with the Office of Cybersecurity and Communications to support the Critical Infrastructure Cyber Community Voluntary Program (the coordination point within the Federal Government for critical infrastructure owners and operators interested in improving their cyber risk management processes). The program helped critical manufacturers increase the sector’s cyber resilience and its awareness and use of the NIST Framework for Improving Critical Infrastructure Cybersecurity. The Critical Manufacturing Sector leveraged these programs to manage cybersecurity as part of an all-hazards approach to enterprise risk management.

With regard to the cybersecurity of the critical manufacturing sector today, the focus is on internal risks: the sector outlines its plans and abilities to prevent and mitigate negligence or malicious action by personnel who have access to its critical systems. “Insider Threat Programs for the Critical Manufacturing Sector,” published in 2019, introduces the use of User Activity Monitoring (UAM). This is the technical capability to observe and record the actions and activities of an individual operating on your computer networks in order to detect potential risk indicators and support mitigation responses. Logging, monitoring, and auditing of information system activities can lead to early discovery and mitigation of behavior indicative of insider threats. UAM also plays a key role in preventing, assisting, and responding to acts of violence. As such, UAM development should include consideration of potential acts of violence against organizational resources, including suicidal ideation. How does this sector establish an understanding of malicious intent without knowing what the usual behaviors of users are? It answers this question by establishing baseline user behaviors, so that deviations or anomalies stand out from normal activities.
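The baseline-then-deviation idea described above can be sketched as follows. This is an added example, not code from the cited guidance or from Crest; the log format, user and host names, and the volume threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

def parse(line):  # assumed record format: timestamp,user,host,action
    ts, user, host, action = line.strip().split(",")
    return datetime.fromisoformat(ts), user, host, action

def build_baseline(lines):
    """Per-user profile: hosts used, hours active, daily event volume."""
    hosts, hours = defaultdict(set), defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, user, host, _ = parse(line)
        hosts[user].add(host)
        hours[user].add(ts.hour)
        daily[user][ts.date()] += 1
    profile = {}
    for user, per_day in daily.items():
        counts = list(per_day.values())
        profile[user] = {"hosts": hosts[user], "hours": hours[user], "mean": mean(counts),
                         "std": pstdev(counts) or 1.0}  # flat history: avoid divide by zero
    return profile

def find_deviations(profile, lines, z_limit=3.0):
    """Return (user, reason) pairs for activity outside the user's baseline."""
    findings, daily = [], defaultdict(int)
    for line in lines:
        ts, user, host, _ = parse(line)
        base = profile.get(user)
        if base is None:  # account never seen during the baseline window
            findings.append((user, "no baseline for user"))
            continue
        if host not in base["hosts"]:
            findings.append((user, f"new host {host}"))
        if ts.hour not in base["hours"]:
            findings.append((user, f"unusual hour {ts.hour:02d}:00"))
        daily[(user, ts.date())] += 1
    for (user, day), n in daily.items():
        if (n - profile[user]["mean"]) / profile[user]["std"] > z_limit:
            findings.append((user, f"volume {n} on {day}"))
    return findings

# Constructed baseline: two operators, three day-shift events each, five days.
SHIFTS = (("alice", "hmi-01"), ("bob", "eng-ws-02"))
BASELINE = [f"2024-03-{d:02d}T{h:02d}:15:00,{u},{host},login"
            for d in range(4, 9) for u, host in SHIFTS for h in (8, 11, 14)]
# Constructed day under review.
TODAY = ["2024-03-11T08:15:00,alice,hmi-01,login",
         "2024-03-11T02:40:00,bob,eng-ws-02,login",
         "2024-03-11T02:45:00,bob,historian-01,file_copy"]

if __name__ == "__main__":
    print(find_deviations(build_baseline(BASELINE), TODAY))
```

A finding here is a risk indicator for an analyst to review, not a verdict; the baseline window has to be long enough to cover legitimate shift changes and maintenance work.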

Dams Sector

Even with EO 13636, the Dams Sector has been looking forward in its cybersecurity efforts. It specifically outlined its motivations to:

  • Update the Roadmap to Secure Control Systems in the Dams Sector by 2015: With the original roadmap being released in 2010, the updated roadmap provided a strategic vision and recommended strategies to advance the sector-wide security and resilience of industrial control systems. It set milestones designed to drive and coordinate public and private cybersecurity R&D and information sharing. The roadmap also helped owners and operators understand cyber risks, identify practical risk mitigation solutions, and improve sector-wide awareness of cybersecurity concerns.

  • Develop the Dams Sector Cybersecurity Guidelines by 2015: The Cybersecurity Working Group developed guidance for owners and operators that promotes industry best practices and identifies voluntary standards and guidelines most applicable to Dams Sector cyber infrastructure.

  • Promote the National Institute of Standards and Technology (NIST) Cybersecurity Framework and participate in the Critical Infrastructure Voluntary Program: The 2014 NIST Framework for Improving Critical Infrastructure Cybersecurity provided a voluntary, flexible approach to managing cyber risks. Rather than prescriptive steps, it offered a repeatable framework to assess cybersecurity risk and prioritize cost-effective solutions. To promote sector-wide implementation, the Cybersecurity Working Group developed a Dams Sector Cybersecurity Framework Implementation Guidance that tailors the Cybersecurity Framework approach to Dams Sector assets and operations.

  • Develop the Dams Sector Cybersecurity Capability Maturity Model: The C2M2 is a voluntary tool that owners and operators can use to assess their cybersecurity practices, and identify and prioritize the most effective cybersecurity enhancements for each facility’s risk profile and cyber infrastructure design.

In addition, Federal partners planned to conduct an integrated cyber and physical risk assessment of Dams Sector infrastructure. While facilities typically manage risks on an individual basis or with a few key patterns, a sector-wide risk assessment can identify shared risks and inform collaborative mitigation strategies. Cyber risks in particular, when taken collectively, may require mitigation approaches or coordinated efforts that extend beyond the capabilities of individual industries and government organizations.

The sector continued on the path of cybersecurity evolution with the update and implementation of the “Dams Sector Cybersecurity Framework.” With its release, the Dams Sector has covered multiple vulnerabilities and cyber threats potentially plaguing various systems in the sector. The framework's concerns are:

  • Passwords: Factory-set passwords should not be used and should instead be immediately made unique. Passwords are best when they possess a high level of complexity and are changed periodically. They should also be further protected through multi-factor authentication.

  • Configuration Management Programs: Software should be protected through validated patches and by routinely applying updates. Any unused ports should be locked down and secured.

  • Cyber Hygiene: An organization should host mandatory cybersecurity training, create lockout policies, revoke ex-employees’ login information, and whitelist software to promote a secure level of cyber hygiene.

The goals of this framework are as follows:

  • More attractive cybersecurity insurance coverage: as cyber risk grows, insurance agencies are developing new and refined approaches to evaluate clients’ premiums based on their use of sound cybersecurity practices. Framework implementation provides an additional, widely accepted means for an organization to measure its cybersecurity posture and demonstrate continuous improvement.

  • Availability of technical assistance: the federal government provides several hands-on tools and technical support that will help an organization assess its current state of cybersecurity practices and identify areas to grow its cybersecurity resilience. In particular, Cybersecurity Advisors (CSAs) offer assistance to help prepare state, local, tribal, and territorial governments and private sector entities for cybersecurity threats.

  • Demonstration of commitment to cybersecurity: the Framework does not protect any organization from liability in the event of a cyber incident. However, implementation of the Framework provides an organization with a mechanism to demonstrate its proven track record of implementing and continuously evaluating cyber risk management practices appropriate for its risks.

  • Government recognition: for interested organizations, DHS seeks to recognize those organizations and sectors, regardless of size and maturity level, that use the Framework to enhance their risk management practices.

  • Workforce development: organizations that use the Framework will have a better understanding of the technical capabilities they require and, therefore, of the skills required of their cyber workforces, which informs recruiting, workforce design, and training of existing personnel.

They planned to implement and continue this framework by:

  • Communicating cybersecurity requirements with stakeholders: the framework provides a common language to communicate requirements among interdependent stakeholders responsible for the delivery of essential services up and down supply chains. Supply chains begin with the sourcing of products and services and extend from the design, development, manufacturing, processing, handling, and delivery of products and services to the end user. Given these complex and interconnected relationships, supply chain risk management (SCRM) is a critical organizational function.

    • Cyber SCRM is the set of activities necessary to manage cybersecurity risk associated with external parties. A primary objective of cyber SCRM is to identify, assess, and mitigate cyber supply chain risks associated with “products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices” within the cyber supply chain.

  • Buying Decisions: Since a Framework Target Profile is a prioritized list of organizational cybersecurity requirements, Target Profiles can be used to inform decisions about buying products and services. This transaction differs from Communicating Cybersecurity Requirements with Stakeholders in that it may not be possible to impose a set of cybersecurity requirements on the supplier. The objective should be to make the best buying decision among multiple suppliers, given a carefully determined list of cybersecurity requirements. Once a product or service is purchased, the Profile can also be used to track and address residual cybersecurity risk.

  • Identifying Opportunities for New or Revised Informative References: The Framework can be used to identify opportunities for new or revised standards, guidelines, or practices where additional Informative References would help organizations address emerging needs. An organization implementing a given Subcategory, or developing a new Subcategory, might discover that there are few Informative References, if any, for a related activity.

There is vastly more information regarding the specifics of this framework, including: prioritizing and understanding the scope of current system vulnerabilities to create a comprehensive assessment, monitoring, and mitigation of identified risks; creating a current profile encompassing the existing practices and protections set in place for critical frameworks; conducting a risk assessment on the overall management of current risk assessment activities, incorporating emerging risk, threat, and vulnerability data to understand the total impact and probability of a cybersecurity event on the sector; and creating a target profile, then determining, analyzing, and prioritizing gaps in critical technologies and implementing an action plan for those gaps.

Needless to say, the Dams Sector treats its cybersecurity as an urgent organizational and national security measure, setting the standards for ICS security and overall cybersecurity frameworks throughout all critical infrastructure sectors.

Transportation Systems Sector

The implementation of EO 13636 pushed the transportation systems sector to take a deeper look into the vulnerability of its infrastructure. The outcome was the establishment of the Transportation Systems Sector Framework Implementation Guidance by the Transportation Systems Sector Cybersecurity Working Group (TSSCWG) in partnership with the FBI and DHS. This Guidance document provided information on:

  • Tactics most commonly employed to gain illicit access to networks and systems

  • Vulnerabilities in targeted systems and networks most frequently exploited

  • Indicators of illicit cyber activities most often noted in post-incident analyses that were missed or disregarded

  • Protective measures most often found lacking or absent that could have made a difference, aligned with the tactics these measures either defeat or mitigate

Furthermore, in accordance with implementing the NIST cybersecurity framework, the sector also made use of the Cyber Security Evaluation Program and Cyber Resilience Review, the Cyber Infrastructure Survey Tool, and the Cyber Security Evaluation Tool.

As of late, these cybersecurity measures have not been updated, but the Department of Homeland Security has called for enhancements to the cybersecurity of multiple subsectors within the Transportation Systems sector. This includes rail, public transportation and passenger railroad, pipeline security, surface transportation, and aviation. The announcements of the new requirements for each of these subsectors will result in more comprehensive and intentional cybersecurity practices within each, making this sector first on our radar for updates in cybersecurity practices. Crest Security Assurance will keep our readers updated on the eventual release of new cybersecurity frameworks anticipated in the near future.

Water and Wastewater Sector

In 2015, the water and wastewater sector used EO 13636 to take a look at its technologies most vulnerable to cyber threats. SCADA, process systems and operational controls, and enterprise systems were among those identified, but a comprehensive cybersecurity plan does not seem to have been established until 2019, with the release of Cybersecurity Risk & Responsibility in the Water Sector by the American Water Works Association. This document introduces:

  • the AWWA Process Control System Security Guidance for the Water Sector and supporting Use-Case Tool that helps establish and improve cybersecurity systems specific to operations technology but can also inform enterprise security practices.

    • The Process Control System Security Guidance for the Water Sector identifies 12 cybersecurity “practice categories,” and recommends specific, critical practices under each category that directly map water-specific applications to the NIST framework

    • The Use-Case Tool generates a prioritized list of recommended controls based on specific characteristics of the utility. The user selects from a series of pre-defined use cases that represents the type of functions their process control system may perform. The Use-Case Tool emphasizes the actionable recommendations with the highest priority assigned to those that will have the most impact in the short term.

  • The imperative implementation of cyber insurance for both public and private entities based on a rigorous assessment of risk and evaluation of specific coverage and policies

  • Planning to implement and maintain 10 cybersecurity functions to reduce exploitable weaknesses and defend against avoidable data breaches and cyber-attacks. This list was created in partnership with the DHS Industrial Control Systems Cyber Emergency Response Team, the FBI, the Information Technology ISAC, and the WaterISAC:

    • Maintain an accurate inventory of control system devices and eliminate any exposure of this equipment to external networks

    • Implement network segmentation and apply firewalls

    • Use secure remote access methods

    • Establish role-based access controls and implement system logging

    • Use only strong passwords, change default passwords, and consider other access controls

    • Maintain awareness of vulnerabilities and implement necessary patches and updates

    • Develop and enforce policies on mobile devices

    • Implement an employee cybersecurity training program

    • Involve executives in cybersecurity

    • Implement measures for detecting compromises and develop a cybersecurity incident response plan

More recently, in 2022 to be exact, the White House issued the Industrial Control Systems Cybersecurity Initiative: Water and Wastewater Sector Action Plan. This plan was developed collectively by the Water Sector Coordinating Council (WSCC), the Environmental Protection Agency (EPA), and the Cybersecurity and Infrastructure Security Agency (CISA), and outlines surge actions that will take place over the next 100 days to improve the cybersecurity of the public and private sector. As with the Transportation Systems Sector, the Water and Wastewater plan is highly anticipated and will be reported on upon its release.

Conclusion

All of these sectors are expected to have new and improved cybersecurity frameworks in the next few years with EO 14028, “Improving the Nation’s Cybersecurity,” and, as you can see, many have already been called to action.

Stay tuned for the final article in this series, and if you’re interested in the functions of each of these sectors and more, take a look at the overview of our critical infrastructure.

As always make sure to visit Crest Security Assurance’s website to learn more about our company and subscribe to our newly established newsletter to keep updated on our business, blog, and cybersecurity events throughout the globe.

Sources:

https://www.cisa.gov/sites/default/files/publications/nipp-ssp-critical-manufacturing-2015-508.pdf

https://www.cdse.edu/Portals/124/Documents/jobaids/insider/insider-threat-implem-guide-critical-man-job-aid.pdf

https://www.cisa.gov/sites/default/files/publications/nipp-ssp-water-2015-508.pdf

https://www.cisa.gov/sites/default/files/publications/nipp-ssp-transportation-systems-2015-508.pdf

https://www.cisa.gov/sites/default/files/publications/nipp-ssp-dams-2015-508.pdf

https://www.cisa.gov/sites/default/files/publications/dams-sector-cybersecurity-framework-implementation-guidance_052020-508.pdf

https://www.schneiderdowns.com/our-thoughts-on/white-house-announces-water-sector-action-plan/pdf

https://www.awwa.org/Portals/0/AWWA/Government/AWWACybersecurityRiskandResponsibility.pdf
