Cybersecurity threats to critical infrastructure continue to rise as threat actors take advantage of the acceleration of digital transformation initiatives spurred by the pandemic, rapid growth in several sectors and geographical locations, and the work from anywhere paradigm shift. While the cost benefit and competitive advantage of connectivity are great for businesses, they have also introduced additional cyber risk. The rise of the Extended Internet of Things (XIoT), cyber-physical systems (CPS) and underlying connected assets that were not necessarily designed to co-exist seamlessly in a connected environment are now subject to an expanded attack surface. This also includes internet technology (IT) and operational technology (OT) assets, the rise of various IoT technologies, and the processes and pathways that connect them.
To help organizations drive toward a baseline of defense more rapidly, the Cybersecurity Infrastructure & Security Agency (CISA) hasreleased its new Cross-Sector Cybersecurity Performance Goals (CPGs). Organizations should consider the guidelines as a straightforward starting point to implementing best practices in the NIST Cybersecurity Framework (CSF).CISA describes these CPGs as “a prioritized subset of IT and OT cybersecurity practices aimed at meaningfully reducing risks to both critical infrastructure operations and to the American people.”
In this blog, we’ll take a closer look at key areas put forth in Section 4 of the CPG core document, which proved a framework for cybersecurity leadership and governance in today’s highly interconnected XIoT environments. We’ve supplemented CISA’s recommended actions with some of Claroty’s key learnings and best practices based on proven success working with critical infrastructure organizations of all sizes, within various sectors.
Goal: Help address lack of accountability, investment, or effectiveness of the cybersecurity program overall.
CISA recommends that a named role/position/title be identified as responsible and accountable for the planning, resourcing, and execution of cybersecurity activities. This may include activities such as managing cybersecurity operations at the senior level, requesting and securing budget resources, and leading strategy development.
We have observed that many organizations create an OT governance process and Security Operations Center (SOC) that is separate from IT. This approach recreates processes and doubles coordination, wasting time and effort. Instead, organizations should establish an XIoT SOC that cohesively addresses IT and OT cybersecurity concerns within the broader scope of XIoT cybersecurity. Centralizing organizational cybersecurity leadership and governance under one person is ultimately the most effective approach. This could be the CISO or a direct report who has a great deal of strategic experience and management expertise. We find that, ideally, the Organizational Cybersecurity Leader should be appointed internally. This ensures they have the institutional knowledge and established working relationships to overcome challenges involved in consolidating governance and maintaining continuity of monitoring and reporting.
Goal: Help address lack of accountability, investment, or effectiveness of OT cybersecurity program.
CISA recommends a named role/position/title be identified as responsible and accountable for planning, resourcing, and execution of OT-specific cybersecurity activities. In some organizations CISA suggests this might be the same person as the Organizational Cybersecurity Leader.
The OT Cybersecurity Leader must serve as the point person in the event of a cyber incident and should be knowledgeable inSOC procedures, requirements, and objectives or be willing to undergo training on these subject matters. Additionally, Claroty recommends implementing a Cybersecurity Site Leader (CSL) at each of an organization’s physical OT sites. This individual should be able to speak the language of plant stakeholders and understand their roles well enough to work together to effectively resolve critical issues. During a security incident, the CSL must be prepared to lead rapid response, coordinating with SOC and site-specific OT personnel. The CSL must also be able to accurately gauge the severity of an event and weigh the tradeoff between the risk at hand and the potential operational disruptions mitigation actions may cause.
Goal: Help address poor working relationships and lack of mutual understanding between IT and OT to improve OT cybersecurity.
Strong working relationships are essential for overcoming challenges involved with bringing together IT and OT personnel to work toward common objectives. CISA recommends that organizations sponsor at least one social gathering a year that is focused on strengthening working relationships between IT and OT security personnel.
In our experience, the challenge in bringing IT and OT teams together to work toward the common goal of strengthening an organization’s overall security posture is that these teams typically have different priorities. As CISA mentions, social gatherings provide an opportunity to build IT and OT alignment and, if possible, should be done more frequently. IT and OT teams also tend to prioritize the three principles of confidentiality, integrity, and availability differently. Teams that manage information security typically prioritize confidentiality of data over integrity and availability, whereas the teams that run OT networks prioritize availability (or uptime) over integrity and confidentiality. To bridgethe IT-OT security gap, both teams need to learn each other’s nuances. This will ensure that two teams are not doing the same thing at double the cost. Overall, implementing strategies that help build strong working relationships and mutual understanding will foster an environment where teams can unite to reduce cyber risk.
While adherence to the CPGs is not mandatory, the need to improve the cybersecurity of our nation’s critical infrastructure is urgent amid unprecedented cyber threats. CISA’s CPG guidelines are a great way to quickly implement a subset of practices prioritized for risk reduction, and to benchmark existing programs, validate that critical areas are covered, and close any gaps. With these guidelines, and Claroty’s expert experience in securing cyber-physical systems, organizations can not only reduce risks to their critical infrastructure operations, but also to the American people. We know that effective cybersecurity leadership and governance is foundational to building a strong cybersecurity posture, but knowing where to start can be a challenge, so we’re here to help.
How Secure Access Enables Compliance With ISA/IEC 62443
Understanding SEMI E187 & E188 Compliance for the Semiconductor Industry
How to Incorporate NIST Cybersecurity Framework 2.0 Into Your Cybersecurity Strategy
Interested in learning about Claroty's Cybersecurity Solutions?