Beyond Talking Points, How Will We Act on Critical Infrastructure Risk?

Various arms of the Federal government are grappling with how to best curb critical infrastructure risk despite uncertainty regarding the best path forward and knowledge barriers surrounding the underlying technology.

The Office of the Director of National Intelligence (ODNI) has flagged the issue as one of primary importance, according to Joyce Corell, assistant director for the supply chain directorate at ODNI.

“We’re beginning to develop a better understanding of how we provide threat information sharing across critical infrastructure,” she said at an Information Security and Privacy Advisory Board meeting on June 22. “About a year ago we established a critical infrastructure task force to be able to engage with critical infrastructure sectors and provide more awareness information.”

The threat to the U.S. is great, with foreign actors striking at soft targets – private providers who may not be as diligent about their security as the government itself. Federal entities have been called to action to coordinate efforts.

“We’re expanding our footprint, expanding our skills,” Corell said. “We’ve been looking at some of the foundational things: Do agencies have the resources they need? Are there impediments to communicating within an organization?”

Turns out that those impediments do in fact exist. Private sector and government leaders acknowledge a disconnect in communication between the different teams charged with cybersecurity, which makes shoring up defenses for our nation’s vital resources an even more arduous task.

“The IT and OT [operational technology] guys come from very different worlds. They didn’t get the same training. They don’t speak the same language,” said Eitan Goldstein, director of industrial cyber and digital security at Siemens, at MeriTalk’s Tenable GovEdge 2018 Conference on May 3.

Those language barriers and technical discrepancies play a huge role in why many are still failing to connect the dots about how infrastructure risk ties directly to cybersecurity and IT. Industrial control systems that help power the grid and other pivotal utilities may not be protected with present-day digital technologies, and that aging operational technology creates further security concerns that IT and OT staff must partner to monitor.

Daryl Haegley works in control systems cybersecurity at the Department of Defense (DoD) as a senior program manager assigned to the Office of the Assistant Secretary of Defense for Energy, Installations and Environment. He spoke to Goldstein at GovEdge about how DoD is fostering that collaboration and recalled recent developments at DoD that speak to how government priorities need to change.

“The Secretary of Defense ordered that the CIO come up with scorecards that reported quarterly on IT issues,” he said. These provided much-needed visibility on risk-prone IT projects and systems, but Haegley said that more than 20 different cards for IT metrics existed before the idea of industrial control system security was addressed.

“There weren’t any for control systems for a while until we stood one up. We’re going to start populating that in the coming months,” he said. “In fact, Congress even asked for it. They put out a specific request saying this needs to have specific visibility.”

Elsewhere, the Department of Homeland Security (DHS) and Department of Energy (DoE) have authorities to direct the private sector to adopt better security and are sounding alarm bells. But at this point, the worries have been so persistent and the talking points so uninspiring that Federal discourse is starting to elicit yawns.

But it’s not a topic we can afford to sleep on. How do we get beyond the rhetoric? Have we made progress?

On August 2, Haegley will be back to address DoD’s progress in getting visibility on control system cybersecurity, as he sits on a special critical infrastructure panel at MeriTalk’s 2018 Cybersecurity Brainstorm.

He will be joined by Micah Czigan, the associate deputy CIO for cybersecurity at DoE, Paul Morris, chief information security officer at the Transportation Security Administration, and Brad Nix, senior advisor at DHS’ National Cybersecurity and Communications Integration Center.

It’s a rare opportunity to hear from top figures at the Federal agencies that lead the nation’s drive toward better cyber resiliency, discussing perhaps the most salient issue in cybersecurity today. Complimentary registration for the Cybersecurity Brainstorm is now live. Click here to save your place.
