US critical infrastructure providers lack advanced cyber defenses, in-house cyber skills, Trellix reports

Cybersecurity company Trellix has released a report that analyzes the progress required to protect critical infrastructure providers from cyber-attacks, the perception of the requirements demanded by the U.S. Executive Order on Improving the Nation’s Cybersecurity (EO 14028) among organizations, and the general state of relations between national governments and critical infrastructure providers on cybersecurity matters. 

In the report, titled ‘Cyber Readiness Report,’ Trellix revealed that 75 percent of U.S. oil and gas sector survey respondents have not yet fully deployed multifactor authentication (MFA), making remote access to systems much easier for hackers. It also found that 74 percent of U.S. healthcare respondents have not fully implemented software supply chain risk management policies and processes. The survey was designed to gauge the maturity of advanced cybersecurity implementations among U.S. government agencies, state and local governments, and private sector peers responsible for protecting the nation’s critical infrastructure.

Over half of U.S. critical infrastructure providers in state and local government (51 percent) and oil and gas (55 percent) blame a lack of in-house cyber skills for not fully implementing cybersecurity measures, Trellix said. While 38 percent of healthcare respondents favor U.S. government funding to help them improve sector cybersecurity, many critical infrastructure providers reported that they had not fully implemented sufficient supply chain risk management policies and processes, which is a particular concern following the SolarWinds and Microsoft Hafnium breaches in 2020 and 2021. Nearly three-quarters, about 74 percent, of healthcare providers admitted this had not been fully implemented, the report added.

“The hostilities in Ukraine have sharpened focus on the cyber readiness of critical infrastructure,” Bryan Palma, CEO of Trellix, said in a media statement. “The risks are known and well-discussed, but often these organizations do not have the cybersecurity talent to implement the necessary defenses. We need to scale security skills to prevent understaffed critical infrastructure from falling victim to cyber-attacks.” 

Trellix discloses that for U.S. government agencies the recent EO is a likely catalyst for implementing more modern cybersecurity tools. However, all respondents from these organizations face barriers in implementing these technologies to meet the mandate’s requirements. In addition, as many as 91 percent of U.S. critical infrastructure providers and 94 percent of government agencies and critical infrastructure providers around the world also report challenges in implementing endpoint detection and response, extended detection and response, MFA, and zero trust architecture (ZTA) technologies.

On balance, U.S. government agencies are ahead of their private sector critical infrastructure peers in the implementation of these cybersecurity technologies, Trellix data revealed. Just 29 percent of U.S. critical infrastructure providers have fully developed and implemented ZTA solutions compared to 40 percent of those in U.S. government agencies, it added.

Trellix said that EDR and XDR are the most difficult cybersecurity solutions to implement according to 66 percent of U.S. respondents, while MFA is the least difficult according to 57 percent of the respondents. As many as 76 percent of U.S. government agency respondents agree that currently there is no real consistency as to how organizations respond to a cyber incident, prompting calls for the government to introduce more standardized incident response playbooks, it added.

In the U.S., 90 percent of those in government agencies believe that the EO will result in some level of improvement in changing how well organizations are protected and defended against cyberthreats, the Trellix report said. For those across the rest of the globe, 89 percent of those surveyed in APAC and 87 percent in Europe believe that similar formalized, government-led initiatives will lead to improved protection against cyberthreats.

Trellix said that on top of these mandates, there are calls for improved cooperation and coordination between critical infrastructure providers and government agencies, as almost all respondents, around 99.7 percent, believe that there are areas where greater support is needed from their country’s government. 

One notable area where U.S. agencies lag critical infrastructure providers is cloud cybersecurity modernization, where 41 percent of these entities’ respondents report having implemented these measures compared to only 29 percent among their government agency peers, Trellix revealed. 

“There could be a number of explanations for these differences. It is likely that government agencies in the US have been pushing especially hard to accelerate their efforts in terms of technologies such as MFA and ZTA given the vast quantities of highly sensitive data that they manage as well as the undoubtedly large target on their back from threat actors across the globe,” according to the report. The sensitive nature of government work has been traditionally on-premise, and perhaps explains U.S. agencies’ slower adoption of cloud technologies and the security measures to protect them, it added.

Trellix also found additional differences between government agencies and critical infrastructure sector groups when exploring the importance of these cybersecurity elements for both respondents’ own industries as well as their national security. 

“For example, cloud cybersecurity modernization is most likely to be the IT solution that is important to individual sectors in the US (82% for those in government agencies; 87% for those in critical infrastructure) while zero trust architectures are least likely to be deemed important (81% for those in government agencies; 78% for those in critical infrastructure),” Trellix reported. However, the research does show that while six percent of respondents have yet to begin implementing ZTA, almost all intend to do so in the future, it added.

The lag in ZTA implementation is evident across both the U.S. government and critical infrastructure sectors and respondents suggest that it could simply be attributed to the difficulty of implementing the technology, Trellix said. “A notable 81% of US government agencies say that ZTA is highly or extremely difficult to implement, compared to 59% of those from critical infrastructure organizations. Overall, however, EDR and XDR are the most likely to be difficult to implement (66%) among all US respondents, while multifactor authentication is the least likely,” it added.

Respondents from the U.S. are optimistic that the EO will have a positive impact on cybersecurity. “Supporting this, 96% feel that it will result in at least a low level of improvement (97% for those in critical infrastructure, 90% for those in government agencies),” the Trellix report said. “When exploring opinions across different regions, levels of confidence are similar, as 89% of those in APAC and 87% in Europe feel that formalized, government-led initiatives will lead to improved protection against cyberthreats,” it added.

The report also noted that it is important that the cybersecurity products being implemented are developed securely, and so further mandates would be welcome. However intrusive these levels of oversight may feel, organizations suggest that they would be comfortable with them if they introduce improvements and further protection.

The Trellix report concluded that the broad elements and expectations of the EO are welcomed by many surveyed respondents from both critical infrastructure organizations and government agencies, and it is hoped that it will raise standards and improve responses to cyber incidents across the nation.

“While these initiatives are imperative in seeing improvements in the protection of the evolving attack surface, it is also important to recognize that there are other areas that pose opportunities for progress,” the report said. “From data sharing to inconsistent playbooks, there are barriers that must be overcome to improve the relationship between the government and critical infrastructure institutions. Combined with government-led initiatives such as the US EO, organizations can confidently say that they are making significant progress to effectively thwart the threats of cyber adversaries,” it added. 
