(September 2017) – Protecting this nation’s critical infrastructure is becoming much more difficult in the face of escalating cyber-attacks as well as the increasing complexity of systems underlying our critical infrastructure. In the “good old days”, much of our critical infrastructure was built with analog technology that was much less susceptible to cyber-attacks. Not anymore. Most of our Nation’s critical infrastructure is Internet dependent and is the target of persistent cyber-attacks. Evidence suggests that Nation State adversaries have tested the resilience of our electricity grid to cyber-attacks and found significant weaknesses. Recent successful attacks on our elections and financial infrastructures have also been well documented. It is increasingly clear that a Nation State with the desire to disrupt our critical infrastructures can do so at any time. In the near future, this same capability will be available to unaligned groups such as terrorists. These are clearly sobering observations for the most powerful nation on the globe.
Polls suggest that the public is increasingly aware of, and concerned about, the pervasive cyber vulnerabilities in our critical infrastructure. Reports repeatedly confirm that the organizations charged with providing essential services to citizens, and with protecting sensitive personal and financial information from cyber threats, are doing a very poor job. What needs to happen to ensure adequate cyber resiliency? Moreover, are we at a tipping point for placing increased attention and accountability on protecting our critical infrastructure?
First, let me address what I believe needs to occur to start the process of ensuring that proper attention is being paid to cyber resilience for our critical infrastructures. The essential, and necessarily the first, step in improving cyber resilience is ensuring that all organizations responsible for critical infrastructure are implementing good cyber hygiene through proven best cyber security practices. Why start there? The vast majority of successful cyber-attacks continue to exploit inadequate implementation of basic technical and management disciplines, in other words, a lack of fundamental cyber hygiene.
Using a consensus process, CIS has documented the 20 activities (i.e., the Controls) involved with ensuring good cyber hygiene through implementation of proven best practices. The CIS Controls specifically and directly relate to the most common cyber-attack patterns. Not coincidentally, CIS has observed that virtually all of the successful attacks against critical infrastructures exploited poor cyber hygiene, most frequently the failure to patch known software vulnerabilities. That is, if the Controls had been implemented, these attacks would not have occurred.
It is important to understand that if organizations do not implement the fundamental best practices defined in the Controls, all other efforts and expenses to provide enhanced security are wasted. Attackers have consistently shown that they focus first on easily-exploited failures of basic cyber hygiene, including: not patching known vulnerabilities, allowing unauthorized hardware and software to operate, not auditing for anomalous activity, and not limiting system administrator privileges. Patching only some systems against known vulnerabilities, as was apparently done recently by Equifax, just does not cut it. A single unpatched system is all that is needed for an adversary, using automated scanning tools, to find and exploit that one vulnerability. Once that single system is compromised, attackers can easily move within the enterprise.
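The point above is that a hygiene control is only effective when it holds on every host, because an attacker scanning the fleet needs just one exception. The following is an added illustration, not code from the article or from CIS: a small fleet-wide audit that applies three of the basic controls named above (patching, authorized software, limited administrators) and passes the enterprise only when no host has any finding. The host names, package names, versions and the "fixed in" advisory list are all constructed for the example; the version comparison pads short version strings so that "2.3" is not wrongly treated as older than "2.3.0".

```python
"""Fleet-wide cyber-hygiene check: every host must pass, not most of them.

Added example, not code from the article or from CIS. The hosts, package
names, versions and the advisory list are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.3.35' or '4.2.1-rc2' into a comparable tuple of integers.

    Trailing non-numeric text in a component is dropped, so '1-rc2' -> 1.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the version carrying the fix.

    Both tuples are padded to the same length so '2.3' == '2.3.0'.
    """
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


@dataclass
class Host:
    name: str
    packages: dict[str, str]               # package name -> installed version
    admins: list[str] = field(default_factory=list)


def audit(hosts: list[Host], advisories: dict[str, str],
          allowed_software: set[str], max_admins: int = 2) -> dict[str, list[str]]:
    """Return {hostname: [finding, ...]} for three basic hygiene controls:
    unpatched known vulnerabilities, unauthorized software, too many admins."""
    findings: dict[str, list[str]] = {}
    for host in hosts:
        issues = []
        for pkg, ver in host.packages.items():
            if pkg not in allowed_software:
                issues.append(f"unauthorized software: {pkg}")
            fixed = advisories.get(pkg)
            if fixed and is_vulnerable(ver, fixed):
                issues.append(f"unpatched: {pkg} {ver} < {fixed}")
        if len(host.admins) > max_admins:
            issues.append(f"too many administrators: {len(host.admins)}")
        findings[host.name] = issues
    return findings


def fleet_passes(findings: dict[str, list[str]]) -> bool:
    """The enterprise passes only when no host has any finding at all."""
    return all(not issues for issues in findings.values())


# Constructed data (hypothetical package names and versions, not real advisories).
ADVISORIES = {"webfw": "4.2.1", "sshd-compat": "7.4"}   # package -> fixed-in version
ALLOWED = {"webfw", "sshd-compat", "dbclient"}           # software allowlist
HOSTS = [
    Host("web-01", {"webfw": "4.2.1"}, ["ops"]),
    Host("web-02", {"webfw": "4.2.0"}, ["ops"]),                 # the one host missed
    Host("dev-07", {"webfw": "4.2.1", "remote-tool": "1.0"},     # unlisted software
         ["ops", "dev1", "dev2"]),                               # and three admins
]

if __name__ == "__main__":
    results = audit(HOSTS, ADVISORIES, ALLOWED)
    for host, issues in results.items():
        print(host, "OK" if not issues else "; ".join(issues))
    print("fleet passes:", fleet_passes(results))
```

Running the block reports web-01 as clean, web-02 as unpatched, dev-07 with unauthorized software and excess administrators, and the fleet as failing: two of three hosts patched is still a failing grade, which is exactly the "patching only some systems" problem described above.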
It is very logical to ask why organizations fail to implement basic cyber hygiene. After all, if this is truly basic hygiene, shouldn’t it be routine and “job one”, especially for critical infrastructures? My experience as a CIO and an executive of government and private sector organizations tells me that there are several reasons why organizations do not implement basic cyber hygiene.
In many cases, the IT and security staff do not have a clear understanding of basic cyber hygiene; we are not adequately training them. Unfortunately, there is also a lot of “noise” in the cyber security arena that creates confusion regarding appropriate methods to protect systems. For example, cyber security governance frameworks from NIST, ISO, IEEE, and other organizations tend to be comprehensive but only general in nature, leaving critical implementation details to each organization. These frameworks fail to inform organizations that basic cyber hygiene techniques address risks shared by all systems and are thus not optional. Compounding the problem is the fact that cyber tool vendors oversimplify the challenge of cyber resiliency and often promise a silver-bullet solution with marketing such as “just buy my product and your enterprise will be secure”. The problem of cybersecurity is much more complex than any single tool can solve.
Despite what might appear to be compelling logic for implementing cyber hygiene best practices in critical infrastructures, I am not optimistic that the increased frequency of cyber-attacks, or even the mounting impact on citizens, will serve as the catalyst for voluntary action to protect our cyber-dependent critical infrastructure. I strongly believe that if we want to improve the resilience of our critical infrastructures, the public must demand that executives and IT staff pay attention to basic cyber hygiene and are held accountable for failure to do so. As a parallel, every organization responsible for elements of our critical infrastructure undergoes an audit of its financial processes and systems that examines whether best-practice financial controls, that is, basic financial hygiene, are adequately implemented. Failure of organization leadership to fix material weaknesses in basic financial controls is cause for firing the CEO and/or CFO, regardless of whether the control weakness has been exploited. Shouldn’t the same process and standard be used for holding leadership accountable for implementing basic cyber controls?
Today, we have ample evidence that leadership of critical infrastructure organizations only appears to “get it” after a successful attack. In most cases, the successful attack exploited weaknesses in basic cyber controls and was usually discovered many months after the attack was initiated. Boards of directors, executive management, and the IT staff need to be held personally accountable for failure to provide adequate attention to the basic cyber security of critical infrastructure components or of systems that maintain sensitive personal information.
In order to motivate owners and operators of critical infrastructures, I have come to the conclusion that the government must require the implementation of basic cyber controls if the current direction is to change. The government regulates other areas dealing with the safety and security of the public; why not the increasingly critical area of the cyber backbone of our critical infrastructures? It is time that the government require organizations responsible for critical infrastructures to implement proven cyber best practices like the CIS Controls. California has provided good leadership in this area by stating that failure to implement the CIS Controls “would be indicative of an organization’s failure to provide reasonable security.”
I believe that we have reached a necessary tipping point where the status quo of public apologies after an attack and more free credit monitoring is no longer sufficient. We need those who have authority over our Nation’s critical infrastructure to take the prudent steps of requiring basic cyber hygiene and holding leadership accountable for failure to do so. It is truly time to get serious about protecting our Nation’s Critical Infrastructure.