Imagine working at the intersection of threat analysis and response, and cybersecurity service delivery, and you’ll get a good idea of what Rick Driggers has been doing for the last decade-plus, and what he’s bringing to his new position as critical infrastructure cyber lead at Accenture Federal Services.
On the one hand, he helped run the Cybersecurity and Infrastructure Security Agency’s (CISA) National Cybersecurity and Communications Integration Center (NCCIC), CISA’s national hub for cyber data, technical expertise, and 24/7 analysis and incident response. And on the other, he was Assistant Director for CISA’s Integrated Operations Division, which delivers CISA services to state and local governments and the critical infrastructure community. In the current climate of expanding cyber and ransomware attacks against the 16 United States critical infrastructure sectors, that’s the kind of background that seems made for this moment.
We spoke with Rick a couple weeks into his new job to talk about critical infrastructure security, what’s needed to improve it, and how recent Federal cybersecurity policy directives are pushing government and industry in the right direction to make real progress.
MeriTalk: You’ve got a great perspective from the earliest days of the Homeland Security Department and the NPPD forerunner organization to CISA, and the founding of the NCCIC in 2008. Tell us a few thoughts about President Biden’s cybersecurity order issued in May, and how we can expect it to improve security?
Driggers: Obviously the EO is focused on the Federal government, but what we do in the Federal government sends a pretty loud signal to industry partners and also to our state and local government partners.
These types of policies – and providing guidance to Federal agencies – are incredibly important for several reasons. It causes focused action inside the Federal government itself and assigns accountable responsibilities. And it sends signals and communications out to our partners that this is what we’re doing, this is the direction that we’re going, and by the way if you want to work with us and be part of our ecosystem, then you know we’re going to expect certain things of you, certainly down the road.
A couple of key action items in the order are modernizing Federal government cybersecurity, which really focuses on building out zero trust architectures. It requires CISA to modernize cybersecurity capabilities to help departments and agencies in the civilian executive branch defend their environments as agencies are moving towards cloud environments, and with consideration to zero trust architecture practices.
I think it’s important that government agencies have guidance and a center point to focus on with regard to building out those capabilities for cloud environments or future types of computing infrastructure that we may not be thinking about right now.
There are other parts of the EO that are also important, including developing response playbooks to mitigate and respond to cyber security vulnerabilities and incidents. Obviously, those playbooks are going to have to be customized because agencies have different types of networks and systems and data elements configured in different ways. And quite frankly, departments and agencies also have differing organic capabilities to be able to respond to vulnerabilities.
Network and asset visibility is critical – this is particularly true of the operational technology environments – if you can’t see it, you can’t protect it. So having those capabilities to be able to detect and to be able to see your assets, and to be able to understand what’s happening on your network is incredibly important to the enhancement of your cybersecurity posture. It has to start with visibility, and I’m particularly happy that the executive order has a section that’s focused on that.
MeriTalk: A lot of the EO directs government agencies to do some very specific actions, but with the private sector, outside of already highly regulated industries, it’s harder to get the private sector off the dime and do something about protecting industrial control systems (ICS). How does Accenture approach some of these companies and say you’ve got to do more to get better security?
Driggers: Accenture has expertise across many industries – oil and natural gas, aviation, electricity, telecommunications, water treatment facilities, chemical facilities, etc. When we think about operational technology and industrial control systems, we think about those facilities that provide services, materials, and/or products everyday citizens rely on.
But it’s broader than just utilities or industrial facilities. For instance, commercial buildings like hotels and shopping malls have industrial control systems as well, like fire suppression systems and HVAC, so there are really industrial control systems all around us. But we really think about it. And while most of this type of infrastructure is owned and operated by the private sector there are similar types of facilities owned and operated by government agencies like the Department of Defense, Department of Energy, or NASA.
Implementing cybersecurity in those environments is somewhat unique from the way cybersecurity is traditionally accomplished in IT business systems mainly because ICS assets control physical infrastructure or safety processes and if not operating properly could put people and/or property at risk. So, it requires unique skills and expertise to understand not only the security of the ICS asset but also what that ICS asset controls in the environment, and how critical it is to a particular process or functionality of the facility.
When you’re talking about operational technology, a lot of times you’re talking to civil engineers, you’re talking to plant managers. They understand the functions and processes that are happening inside the environment, they understand when to take this offline, here are the impacts to the safety system and things like that. But the security aspects of securing that particular device so that it can’t be hacked are a different type of skill. So that’s why it’s important that we take those engineers, and we pair them up with cybersecurity professionals, particularly those that understand industrial control systems and operational technology, so that then we can build in security at the beginning of the development of these devices, instead of bolting it on later.
MeriTalk: For a long time, the security debate has included discussion of incentives for private operators to invest in better security. After everything we’ve seen this year, particularly with ransomware, has everyone finally gotten the message that they really do need better security?
Driggers: That realization is spreading. There are clearly more companies across all critical infrastructure sectors that have a better understanding, or a clearer view of their risks, and the threat landscape. Whether or not there will be greater investment to improve the cybersecurity across these industries, it remains to be seen.
But I do think because of the recent ransomware attacks that have been disruptive to the food supply and the oil supply, everyday citizens are being impacted and wondering why these companies are not securing their facilities or putting in place procedures to mitigate against attacks much more quickly.
Again, cybersecurity is a team sport. No one has all the technology, all the information, all the insights, and all the expertise to defend against every threat. So, it’s important when an organization or a company gets hit, that they engage the Federal government quickly, because the government may have information or insights to share that can help them recover more quickly.
Another important function that government provides is taking the information and insights they gain from the affected entity and sharing pertinent pieces of that more broadly to arm network defenders across industry, state, local, and Federal government to help them defend and protect the networks and systems they’re responsible for. That’s why it’s important to work with the Federal government and to have trusted public-private partnerships.
The Cyber Threat Alliance has a great model, where different companies from across many different industries are readily sharing indicators of compromise, and other types of information.
MeriTalk: Over the years, there’s been a lot of complaining about the quality of threat data sharing. Is it getting better now that cyberattacks seem more frequent, and are getting public attention?
Driggers: I certainly think that there’s more wind in the sails. At the end of the day the primary path to sharing information with the Federal government is with CISA, for the most part. The maturation of that agency in the last couple of years has changed a lot of opinions in terms of whether a private sector entity wants to work with the government.
Beyond information sharing, industry should leverage some of the other services CISA provides. I also believe there’s more trust between industry and CISA, as well as other agencies within the Federal government, than there has been in the past. Is there a lot more work that the government needs to do to improve their services and to understand? Absolutely, but there’s also a tremendous amount of work that needs to happen across industry as well, to ensure the vital services that underpin our national security, our economic security, and our public health and safety are not disrupted, or if they are, that we are able to quickly understand the impacts and the cascading effects so that we can quickly respond and mitigate those impacts.
MeriTalk: We’ve read a lot about CISA threat-hunting abilities across government agencies, helped by provisions of last year’s National Defense Authorization Act. If you are a private sector critical infrastructure company with industrial control systems, can you call up CISA and ask for similar services?
Driggers: To a degree. Certainly there are threat hunting and incident response services that the Federal government can make available to private sector, state, local and Federal government entities. Those services are low-density, high-demand, in terms of available resources, meaning there are a finite number of teams available. Those types of services are prioritized based on several factors, so it’s certainly not first-come, first-served. That said, there are specialized companies, including Accenture, that offer these types of services.
MeriTalk: In the last couple of years, the awareness of CISA and what it does has grown in the public eye. If you are a critical infrastructure operator worried about your control systems security, is a relationship with CISA one of the most important that you can make?
Driggers: The bottom line is use whatever relationship you have, whether it’s the FBI or CISA, that’s who you should call if you experience a cyberattack or if you detect malicious activity on your network. CISA and the FBI will tell you that there’s no wrong door within the Federal government to report an incident and there’s a lot of really good coordination between CISA and the FBI that’s been happening for a number of years and it continues to grow and strengthen.
It’s important for companies across all sectors to have strong, robust relationships based on trust with CISA. Don’t wait until you have an incident – start to build that relationship now. There’s a lot of focus on CISA’s cybersecurity mission and rightly so, but CISA’s underpinning mission is the security and resilience of our nation’s critical infrastructure from all hazards.
MeriTalk: Especially this year, cybersecurity and ransomware seem to have become much bigger government policy stories, including a Biden-Putin summit where that was a major issue. In light of how crucially important critical infrastructure is, any thought as to whether we are on a path to government making cybersecurity a less optional thing for critical infrastructure providers?
Driggers: There are certain government officials and lawmakers that believe we need cybersecurity mandates, and then there are others that worry that mandates and regulations will turn into costly and useless compliance drills, and don’t necessarily drive down risks.
There has to be a balance. If you mandate a certain set of criteria, then most of industry is going to comply with that baseline criteria that could quickly become outdated due to the evolution of technology and new types of infrastructure.
MeriTalk: Is there something in between that would promote security but not make it static?
Driggers: The National Security Memorandum issued by the White House on July 28 sets a path to develop cybersecurity performance standards for critical infrastructure. If done thoughtfully and with industry input, it could be successful. These types of “mandates” could drive the necessary change across industry and across how industry partners with the Federal government.
As I said earlier, cybersecurity truly is a team sport. There is no island of security that people can go to and not have to worry about this. Security investments need to be made and need to be part of your business operating model. Along with investments in technology, you’re going to need to invest in your people, the establishment of a training and exercise program, the development of an incident response plan, and mitigation planning. Automate routine processes so your analysts can focus on the hard stuff. Every employee has a responsibility to help protect your network.
Again, the National Security Memorandum sends a signal. That’s going to lead to CISA issuing cybersecurity performance standards within a year, and hopefully that will provide baseline security practices that industry has been asking for. Hopefully that moves the needle in a positive direction.
MeriTalk: Do you see that as a first step in the process that can grow from there?
Driggers: I think so. The memorandum is a continuation from the initial 100-day plan and the Securing ICS Critical Infrastructure executive order.
These three pieces of policy direction coming out of the administration provide very clear and focused direction, guidance, and action. They are focused on a particular topic, provide specific actions with time frames, and call out specific agencies. Implementation is the hard part and where things can go off the rails. This is why government and industry need to work together.
In the past, executive orders and other policy guidance were very broad.
MeriTalk: Any final advice?
Driggers: You’re not going to be able to defend 100 percent against everything. Technology and the capabilities of our adversaries are changing too rapidly. Because of this we are constantly chasing vulnerabilities and looking for threats.
We are spending immense time, effort, and resources to understand and analyze threats and search for and mitigate vulnerabilities. And understanding risk is a critical element. But there’s not enough time focused on consequence analysis and mitigation. This piece is essential for critical infrastructure owners and operators due to the vital services and functions they provide.
Collectively, we need to shift more time, effort, and resources towards understanding and developing plans, playbooks, capabilities to mitigate the consequences of a disruption to these vital services and functions, and not just play whack-a-mole with vulnerabilities.