Following high-profile incidents such as the SolarWinds supply chain attack that affected multiple U.S. government agencies, the attempted manipulation of control systems at the Oldsmar water treatment plant, and the ransomware attack on Colonial Pipeline, the issue of cybersecurity for operational technology (OT) has caught the attention of officials in Washington.
It’s no wonder, given the high stakes involved. The supply chain attack led to data breaches in multiple U.S. federal and state agencies, as well as international and foreign organizations such as NATO, the European Parliament, and major private-sector entities such as Microsoft and Equifax. The Oldsmar incident could have ended with tragic consequences in the surrounding communities. The ransomware attack on Colonial Pipeline led to widespread fuel supply disruption in the Southeast and Northeast and caused the company to incur tens of millions of dollars in damages.
Now the U.S. government isn’t just paying attention. It’s also trying to take action. The executive branch has already imposed new rules and regulations, and legislators are also working to pass new laws. We’re going to take a look at some of the measures that are being taken and talk about how visibility solutions can help you manage the impact of these policy shifts.
One example of action on the legislative end is the U.S. House of Representatives’ passage of several new bills addressing security for cyber-physical systems in late July.
On July 21, members of the House voted to approve four bipartisan cybersecurity bills coming out of the Homeland Security Committee. One of these was the DHS Industrial Control Systems Capabilities Enhancement Act of 2021, which aims to enhance the ability of the Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security (DHS), to work with public and private sector organizations on a partnership basis to harden security and identify vulnerabilities.
Another was the Cybersecurity Vulnerability Remediation Act. This bill amends the Homeland Security Act of 2002 to make provisions for remediating cybersecurity vulnerabilities through such measures as allowing CISA’s director to “identify, develop, and disseminate actionable protocols to mitigate cybersecurity vulnerabilities, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.” It also obligates CISA’s director to submit a report to the Homeland Security Committee on the progress of vulnerability remediation programs within a year.
Also approved was the State and Local Cybersecurity Improvement Act. The measure establishes a program under which DHS will make $400 million worth of grants available to state, local, tribal and territorial governments that are seeking to improve their own cybersecurity posture. It also states that these governments must develop comprehensive cybersecurity plans that will guide the use of such funds.
Additionally, legislators passed the CISA Cyber Exercise Act. This bill is designed to give U.S. businesses and public-sector organizations new ways to assess the security and resilience of critical infrastructure facilities, and it also provides for the establishment of a National Cyber Exercise Program that will test the country’s plan for responding to major cyberattacks.
And the House wasn’t the only source of action. Members of the Senate voted on July 21 to introduce the Cyber Incident Notification Act of 2021, a measure that aims to require all federal agencies and contractors working for federal agencies, as well as all organizations operating in areas critical to U.S. national security, to report cybersecurity incidents and data breaches to CISA within 24 hours of initial discovery.
Meanwhile, the executive branch has been busy as well.
For example, the Colonial Pipeline ransomware attack has led the Transportation Safety Administration (TSA), another division of DHS, to issue two directives addressing cybersecurity requirements for the owners and operators of oil, gas, and petroleum product pipelines and liquefied natural gas (LNG) terminals designated as critical infrastructure. The first directive, which was published in late May, calls on the organizations involved to evaluate their cybersecurity strategies and solutions, make plans to shore up weak spots, and deliver a report on their findings to CISA and TSA within 30 days. It also requires pipeline owners and operators to identify and designate staff members who will be available on a 24/7 basis in the event of a cybersecurity incident.
The second directive, published on July 20, outlines the new cybersecurity requirements that pipeline owners and operators must meet. TSA has not disclosed the new requirements publicly, as they have been designated as Sensitive Security Information (SSI) that may only be distributed to organizations with a need to know. However, Saumitra Das, the CTO and co-founder of Blue Hexagon, recently told IndustrialCyber.co that he believed pipeline companies were being called upon to go above and beyond industry best practices.
Meanwhile, DHS is not the only federal agency on the move. On July 21, the Department of Energy (DOE) announced that it had released version 2.0 of its Cybersecurity Capability Maturity Model (C2M2) tool. The updates will allow C2M2 to fulfill its original function of helping private-sector companies evaluate and improve their cybersecurity posture in light of evolving technologies and security threats, it said.
All of these follow the May 12th “Executive Order on Improving the Nation’s Cybersecurity,” which directs the US Federal Government to move towards a Zero Trust cybersecurity architecture.
The above list is not even a comprehensive picture of the discussions now happening in Washington about cybersecurity and critical infrastructure. But it should serve to illustrate the point we made above about the changing nature of the policy landscape.
In practical terms, this means that organizations that rely on OT are going to have to develop strategies for dealing with the federal government. If they’re pipeline owners or operators, they’ll have to figure out ways to meet TSA’s new regulatory requirements – and if they’re not, they should not lose sight of the possibility of a similar shift in other critical infrastructure sectors. They’ll also have to consider what steps might be necessary to meet proposed legal requirements such as notifying CISA of security incidents within 24 hours.
Under the Zero Trust directives, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence, in accordance with Special Publication (SP) 800-207, have selected 18 tech companies to demonstrate zero-trust security architectures as guidance for agencies and industry as part of the Zero-Trust Architecture Project: Amazon Web Services, Appgate, Cisco Systems, F5 Networks, FireEye, Forescout Technologies, IBM, McAfee, Microsoft, MobileIron, Okta, Palo Alto Networks, PC Matic, Radiant Logic, SailPoint Technologies, Symantec, Tenable, and Zscaler.
Right now, Washington is focused on keeping critical infrastructure protected, and it wants the owners and operators of critical infrastructure facilities to be able to prove that they can offer the requisite level of protection. Without visibility, no such proof is possible – because you can’t secure what you can’t see.
Garland is focused on packet visibility. What do all 18 of these companies have in common? Their security tools rely on packet visibility to see everything on the network. That is why Garland is a trusted visibility partner for many of the 18 selected companies, providing network TAPs and Packet Brokers to ensure these zero-trust security architectures have the required visibility best practices in place.
With our track record of providing custom visibility solutions for the federal government, such as portable and easy-to-use TAPs for Department of Defense (DoD) rapid response teams and critical infrastructure companies worldwide, Garland Technology can help your teams get ready for the moment when you find yourself facing an array of new legal and regulatory requirements.
Looking to add TAP visibility or traffic aggregation to your Zero Trust or critical infrastructure deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.
Harry is Garland's Director of Federal Operations. With over 30 years of experience in sales, marketing, and channels, Harry brings a wealth of knowledge and expertise working in the Federal space to Garland Technology.