The Cybersecurity of our Critical Infrastructure: Part One
Our critical infrastructures are the crucial puzzle pieces keeping the country running smoothly, allowing for safe and comfortable homes, schools, and everyday life. Each sector of our infrastructure is interconnected, not just with the others, but with advanced digital technologies. These technologies offer advancements in efficiency and capability, but they also open the door to unforeseen cyber threats. With the increase in machinery and processes requiring IT and OT resources, concern about foreign and domestic cyber events has risen proportionally. Today we’ll go through the cybersecurity processes, standards, and shortcomings of the chemical, nuclear, energy, and food and agriculture sectors. Throughout this four-part series, keep this question in mind: are we doing everything possible to create sustainable cybersecurity for our critical infrastructures?
To get a full breakdown of each sector and its purpose, please visit the previous CrestBlog post, Sixteen Critical Infrastructures: An Overview.
Since Executive Order 13636, Improving Critical Infrastructure Cybersecurity, was issued in early 2013, every private and public facility within each sector has been tasked with creating, implementing, and maintaining sector-specific cybersecurity plans, based on identifying their technical/intelligence assets and limiting widespread access to critical frameworks. The National Institute of Standards and Technology (NIST) issued a step-by-step plan (Framework for Improving Critical Infrastructure Cybersecurity) not long after, and this has been the foundation of all cybersecurity plans born of EO 13636.
Sector Specific Plans
Chemical Sector:
The chemical sector originally established a list of sector-specific resources, education tools, and adherence standards in 2014, many of which have been used to this day.
Resources:
Chemical Security Assessment Tool: A web-based assessment platform used to collect and review security information from chemical facilities. It identifies which facilities do or do not meet the criteria for high-risk facilities and provides methods to conduct a Top Screen and Security Vulnerability Assessment (SVA), and to develop a Site Security Plan.
Chemical Facilities Anti-Terrorism Standards (CFATS) and Risk Based Performance Standards 8 (RBPS 8): These provide the standards on how to obstruct cyber sabotage by preventing unauthorized onsite or remote access to SCADA, DCS, PCS, ICS, critical business systems, and other sensitive computerized systems at all chemical facilities.
Cyber Resilience Review (CRR) and Cyber Security Evaluation Tool (CSET): These tools are used widely across every sector. The CRR assesses programs and practices across asset management, controls management, configuration and change management, vulnerability management, incident management, service continuity management, risk management, external dependency management, training and awareness, and situational awareness. The CSET guides the enterprise through a step-by-step process to assess its control system and information technology network security practices against industry standards. These are the main tools of accountability regarding identification and management of IT/OT cybersecurity in any industry.
American Chemical Council Responsible Care Security Code (RCSC) - Cybersecurity Guidance: This gives ACC members and responsible cybersecurity professionals a guide on how to implement the NIST Cybersecurity Framework. While compliance applies to ACC members only, most chemical sector organizations are strongly encouraged to use this framework.
Critical Infrastructure Cyber Community Voluntary Program: This voluntary program was put in place to promote awareness and implementation of the NIST Cybersecurity Framework.
Energy Sector:
The chemical and energy sectors share quite a few standards, as the two often interact with each other to create their ultimate outputs; these include RBPS-8, CRR, CSET, and the Chemical Facilities Anti-Terrorism Standards. They do diverge slightly, however, since the energy sector requires not just sector-specific cybersecurity, but subsector-specific cybersecurity. The subsectors with the greatest need for individual assessment and mitigation are the Electricity Subsector and the Oil and Natural Gas Subsector.
Electricity Subsector Risk Management Approaches include:
The North American Reliability Corporation (NERC) CIP Standards, which provide cybersecurity standards to secure the energy system assets that operate and maintain the bulk electric grid.
Interagency Report (IR) 7628, Guidelines for Smart Grid Cybersecurity, provided by NIST, which gives an in-depth framework for developing effective cybersecurity strategies catered to particular smart grid-related characteristics, risks, and vulnerabilities.
Oil and Natural Gas Subsector Risk Management Approaches include:
Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry, established by the Interstate Natural Gas Association of America (INGAA), which outlines the management of natural gas pipeline control system cyber security requirements for all operators.
RP 780 Risk Management Assessment Methodology, established by the American Petroleum Institute (API), which details the how-to of handling risk assessments for oil and natural gas operations.
The Food and Agriculture Sector
Little about this sector’s cybersecurity efforts is not already identified in other sectors; its efforts therefore seem to be more of a broad standardization based on the NIST Frameworks and multiple government cybersecurity assessments, such as the CRR, the FISMA Scorecard (a measurement of an organization’s ability to identify, protect against, detect, respond to, and recover from cyber threats and events), and the Management Initiatives Tracking System Scorecard, which monitors an agency’s progress in implementing IT and OT management initiatives.
Nuclear Reactors, Materials, and Waste Sector:
Due to the specific potential volatility of this sector, cybersecurity seems to be an extremely serious conversation in this industry. The sector not only has sector-specific cybersecurity requirements, but has also aided in the evolution of cybersecurity for critical infrastructure. The NRC (Nuclear Regulatory Commission) is one of the biggest proponents of forming comprehensive cybersecurity practices and integrating cybersecurity into the foundation of all OT and IT assets.
NRC Nuclear Power Plant Cybersecurity Requirements:
Establish a dedicated cybersecurity assessment team
Identify critical systems and critical digital assets that fall within the scope of the NRC requirements
Isolate key control systems
Implement robust controls of portable media and equipment (such as thumb drives, CDs, and laptops), including minimizing the use of devices that are not maintained at the plant, scanning devices for viruses both before and after being connected to plant equipment, and implementing additional security measures when the source of the data or device originates outside the plant
Enhance defenses against insider threats by implementing training and insider mitigation programs that include cyber attributes, increasing security screenings of individuals who work with the digital plant equipment, and increasing cybersecurity training and behavioral observations
As you can see, the rigorous implementation of cybersecurity standards based on the NIST Framework was taken extremely seriously, with a comprehensive plan for awareness, identification, mitigation, and prevention created within the year of EO 13636.
Shortcomings of these critical sectors
Now the problems across all critical infrastructure sectors seem to be vast: 86% have limited visibility of their systems (meaning they do not know how their systems respond to false positives, daily noise, and actual threats/attacks), 44% have IT/OT credentials shared amongst large groups of employees, 70% have external connectivity to critical OT, and 77% have poor segmentation. All of these numbers were reported in 2022 by the NRC, despite EO 13636 having been in effect for almost a decade. This is quite a serious issue of national security, as these shortcomings can lead to adversaries gaining access to entire systems with stolen group credentials, stealing precious data by navigating through unsegmented systems, and shutting down entire systems through remote disruption of external systems, not to mention the issues of securing Industrial Control Systems (an issue outlined in a previous CrestBlog article).
What is the solution to this negligence, though? While the NIST standards are technically being met by most agencies, cybersecurity implementation was formulated to fit pre-existing critical systems and machinery, leaving it more vulnerable than if cybersecurity had been designed as the foundation of all internal and external systems. This is why government minds are looking to improve the cybersecurity of our critical infrastructure by creating all technologies with cybersecurity as the foundation. This not only makes these systems less vulnerable, but also easier to defend in the event of a cyberattack, since the protocol for defense is either already programmed into said technology or readily available to IT experts. These ideas are being presented after EO 14028, “Improving the Nation’s Cybersecurity,” was signed into effect by President Joe Biden on May 12, 2022. This opened the door for both human and capital resources to be devoted to creating the most impenetrable systems for our critical infrastructure. Agencies such as CISA, DHS, DOJ, and the FBI are all working together to evolve solutions and precursors to cyber attacks.
With this updated EO, there is no doubt that there will be major advancements in how the U.S. views and handles cybersecurity, both privately and publicly. Crest Security Assurance looks forward to being a part of future mitigation tactics and furthering the awareness and preparedness of our nation's critical infrastructure. For more information on how Crest can protect your organization, please visit the services tab of our website.
Stay tuned next week for part two, where we’ll go into more detail about the commercial and manufacturing sectors’ cybersecurity practices!
Sources:
https://www.cisa.gov/sites/default/files/publications/nipp-ssp-nuclear-2015-508.pdf
https://www.cisa.gov/sites/default/files/publications/nipp-ssp-energy-2015-508.pdf
https://www.cisa.gov/sites/default/files/publications/nipp-ssp-food-ag-2015-508.pdf