The U.S government on Wednesday released an Executive Order that will bring about decisive steps to modernize US critical infrastructure and its approach to cybersecurity by increasing visibility into threats, while employing appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks.
The order incorporates the scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid. It also includes the protection and security of the IT systems that process data, and the OT (operational technology) environments that run the vital machinery to ensure safety.
“It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security,” said Joseph R. Biden Jr., U.S. President, in the Executive Order. “The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.”
The President’s action comes after several cybersecurity attacks on US critical infrastructure, including one at fuel pipeline company Colonial Pipeline, which on Wednesday “initiated the restart of pipeline operations,” according to a company statement. “Following this restart, it will take several days for the product delivery supply chain to return to normal. Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during the start-up period. Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal,” it added.
The cyber incident at Colonial Pipeline is said to involve the DarkSide ransomware. The company reacted on May 7 by taking certain systems offline to contain the threat, leading to a temporary halt of all pipeline operations and affecting some of the company’s IT systems.
Apart from the Colonial Pipeline attack, the US critical infrastructure has frequently been hit by cyber attackers in recent months, such as the SolarWinds supply chain attack in December and the Oldsmar water plant hack in February. Such attacks were possible primarily due to the use of commercial software, which often lacks transparency and adequate controls to prevent tampering by malicious players, the order said.
The federal government has decided to improve the security and integrity of the US critical infrastructure and software supply chain, with a priority on addressing critical software. To this end, it has initiated that within a month of the executive order, the Secretary of Commerce acting through the director of NIST shall solicit input from the federal government, private sector, academia, and other appropriate actors to identify existing standards, tools, and best practices, or develop new ones.
The Executive Order calls for the standardizing of the government’s playbook when responding to cybersecurity vulnerabilities and incidents. The playbook shall incorporate all appropriate National Institute of Standards and Technology (NIST) standards, which must be used by Federal Civilian Executive Branch (FCEB) agencies, and articulate progress and completion through all phases of incident response, while allowing flexibility so it may be used in support of various response activities, according to the order.
Additionally, the Director of Cybersecurity and Infrastructure Security Agency (CISA) must consult with the director of the National Security Agency (NSA) to annually review and update the playbook, and provide information to the director of Office of Management and Budget (OMB) for incorporation in guidance updates.
The government also aims to centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks, while investing in both technology and personnel to match these modernization goals. The migration to cloud technology shall adopt zero trust architecture, as practicable. The CISA shall modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with zero trust architecture.
The Secretary of Homeland Security acting through the director of CISA, in consultation with the Administrator of General Services acting through the Federal Risk and Authorization Management Program (FedRAMP) within the General Services Administration, shall develop security principles governing cloud service providers (CSPs) for incorporation into agency modernization efforts, according to the order.
The Secretary of Homeland Security in consultation with the Attorney General, shall establish a Cyber Safety Review Board, to review and assess, with respect to significant cyber incidents that affect FCEB information systems or non-federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses, according to the Executive order.
“The question on everyone’s mind is whether the EO will stop the next SolarWinds or Colonial Pipeline attack,” Amit Yoran, CEO of Tenable and founding director of US-CERT in the U.S. Department of Homeland Security, wrote in an emailed statement. “Make no mistake — no one policy, government initiative or technology can do that. But this is a great start. This is one of the most detailed and deadline-driven EOs I’ve seen from any administration,” he added.
“Today’s threats, without a doubt, require full-spectrum solutions, but nothing will change the threat landscape without firm action from governments around the world,” Daniel Smith, head of security research for Radware’s Cyber Threat Intelligence, wrote in an emailed statement. “No task force against ransomware will solve this unless we are ready to address international loopholes and arrest criminals who operate with impunity from specific regions in the world.”
Cybersecurity experts have been suggesting the shift to zero trust architecture, as it is technology agnostic and can be applied to policies and strategies within an organization to provide a holistic approach to network security. “Zero Trust is a security model that requires strict identity verification and moves the decision to authenticate and authorize closer to the resource,” wrote Anastasios Arampatzis in a blog post for Adacom.
“Zero Trust can reduce the lateral spread of attackers and malware by blocking access and communication that is not explicitly authorized,” Gary Kinghorn, marketing director at Tempered Networks, wrote in an emailed statement. “It is unlikely that whatever the initial ransomware host that was compromised would have had authorization to systems that can affect the flow through the pipeline or the control systems.”
“With OT digital transformation, connectivity from IT to OT is far more common for most ICS asset owners and operators,” Mike Hoffman and Dr. Tom Winston, Dragos’ executives wrote in a company blog. “Dragos has observed the atrophying of prevention controls from assessments and incident response actions. This, coupled with a lack of visibility and monitoring of assets, affects ICS asset owners and operator’s ability to have an effective response to incidents and not detecting early IT-based warning signs of compromise.”
“The issues that occurred with the Colonial Pipeline ransomware attack are not unique to pipelines or any other critical infrastructure as the IT/OT convergence is moving critical operational data to IT without the proper controls or visibility,” wrote Joseph M. Weiss, control systems cybersecurity expert in a blog post.
“With the hacking of IP networks, there is a need to detect operational changes independent of the OT network which can be accomplished by monitoring the physics of the process sensors. Control system cybersecurity and the appropriate integration with IT security needs to be stepped up to prevent ransomware IT hacks from causing physical damage and causing significant societal upheavals,” Weiss added.