CISA CPGs will likely help raise industrial cybersecurity standards while prioritizing decisions, spending, action

The recent cybersecurity performance goals released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) provide an approachable common set of IT and OT (operational technology) cybersecurity protections to improve cybersecurity across the nation’s critical infrastructure. The CISA CPGs are written and designed to be easy to understand and communicate with non-technical audiences, including senior business leaders, and aimed at addressing some of the most common and impactful cyber risks.

As a starting place, the CISA CPGs offer a way to demonstrably implement the NIST Cybersecurity Framework (CSF). The move enables owners and operators of critical infrastructure to measure and improve their cybersecurity maturity while providing a standardized evaluation of an organization’s activities to reduce the likelihood and impact of known risks and adversary techniques.

The cybersecurity agency works with government, private sector, and international partners to gain a unique insight into the state of cybersecurity across U.S. critical infrastructure and the nature of the threat landscape. 

Leveraging partnerships across all critical infrastructure sectors and with their respective sector risk management agencies (SRMAs), insights from government partners both in the U.S. and abroad, and its cyber assessments, hunts, and incident response efforts, CISA regularly observes patterns across critical infrastructure where essential cybersecurity best practices are not sufficiently applied. Subject matter experts and critical infrastructure operators providing input during this document’s development shared similar observations. 

The CISA CPGs cover account security, device security, data security, governance and training, vulnerability management, supply chain/third party, response and recovery, and other areas such as network segmentation, detecting relevant threats and tactics, techniques, and procedures (TTPs), and email security.

Commenting on the CISA cybersecurity performance goals, Robert M. Lee, CEO and co-founder of Dragos, wrote in an emailed statement that the CISA has shown its commitment to working alongside the industrial cybersecurity community with the release of the common baseline cross-sector CPGs. 

“CISA took extensive input and feedback from industry stakeholders and this updated guidance reflects that they were listening closely, providing actionable but not overly prescriptive guidance – exactly the type of support the community has been requesting,” Lee said. “It allows asset owners and operators to work towards shared goals while giving them the flexibility and expertise to implement them in ways best suited to their organizations and risks.”

Lee also points out that most of the CISA CPGs map closely to the critical controls needed for strong OT cybersecurity—having an incident response plan, a defensible architecture, visibility and monitoring, secure remote access, and key vulnerability management. “This guidance can help lift industrial cybersecurity standards across the board to better protect our nation’s critical infrastructure. CISA’s continued focus on OT cybersecurity as foundational to national security, and distinct from IT cybersecurity, is an important contribution to the community’s advancement.”

The CPGs could become an invaluable cybersecurity guide and checklist for critical infrastructure owners, many of whom are considered small- or medium-sized private-sector entities, Grant Geyer, chief product officer of Claroty, wrote in a company blog post. “While some of these critical infrastructure entities serve relatively small communities with critical services such as water and electricity, others may represent linchpins to economic security and public safety such as pipelines.”

“While this is a very complex topic for policy makers and cyber security professionals, CISA and many others have acknowledged that the reality on the ground today is that there is a resource gap hindering the efforts of many of these companies,” Geyer said. “While the CPGs alone will not solve this problem, a set of cost-effective, outcome-orientated, actionable practices will help bridge the gap.”

Ron Fabela, CTO and co-founder at SynSaber, wrote in an emailed statement that the updated cross-sector performance goals released are general provisions for critical infrastructure covering both IT (enterprise) and OT (industrial control systems) environments. “These CPGs are tied directly to NIST Cybersecurity Framework (CSF) controls, which are considered a subset of the overall CSF. The CPGs are also entirely voluntary as stated in the report, to be used as a guide for all organizations to improve their cybersecurity posture.”

Fabela points out that this does not come without some challenges specific to OT systems. “Top-down guidance from CISA or other agencies is often hard to apply and measure across such large and diverse critical infrastructure sectors. Difficult-to-measure criteria for success are left to those doing the measurement. There’s also the tension between performance-based goals that are not overly prescriptive (as they should be) and guidance that is non-applicable to the audience.”

“Even within this report and checklist, asset owners are left analyzing what is applicable and feasible. Many of the goals have unique callouts for ‘OT’ and plenty of caveats such as ‘where technically feasible,’ a phrase that has been the bane of effective cybersecurity governance of ICS,” Fabela adds. “Overall, asset owners need not fret over renewed guidance from CISA. The goals in the CPG report should not come as a surprise to anyone operating cybersecurity programs.”

Fabela adds that ICS applicability and action have always been a challenge when it comes to top-down policy, but asset owners, SOC managers, CISOs, and technicians should see the CISA CPGs as an opportunity to implement real security projects within their organization even if the CPGs lack regulatory teeth.

“My first reaction is that CISA is saying all the right things. Easterly stresses that small to mid-sized organizations are struggling with cyber risk management,” Padraic O’Reilly, DoD cyber risk advisor and co-founder of CyberSaint, wrote in an emailed statement. “I see this every day in my work as the founder of a risk management software concern. Many want to improve but do not know where to start or where to direct resources.” 

O’Reilly flagged that the stated purpose of the CPGs (to help identify and prioritize the most important cybersecurity practices, along with support in making a compelling argument to ensure adequate resources for driving down risk) is the central problem in cyber at this moment in time.

“The goal of all cyber risk management should be the discovery of an optimal set of remediations that can then be resourced and tracked,” O’Reilly said. “This is a large part of what our customers do in our software, but lower maturity customers struggle with the complexity of this task. CISA has access to the most extensive threat data, as well, which is absolutely necessary to find the top areas for immediate remediation. They have also tied their guidance to MITRE and the TTPs, which is best practice and an approach we use, as well.”

Edward Liebig, global director of cyber-ecosystem at Hexagon Asset Lifecycle Intelligence, wrote in a statement that it is admirable that CISA’s plan is to update these goals every 6 to 12 months. “As technologies evolve, the risks, TTPs, and scope will naturally change. This, coupled with the evolution of Industrial Revolution 4.0, will morph the recommendations and outcomes as appropriate.”

“However, balancing risk reduction and cost is a common exercise for CISOs, and it starts with visibility into your assets. CPG 3.1 recommends collecting network traffic and communications to and from log-less assets,” Liebig said. “While visibility is a must, this goal does not reflect the true capabilities of more advanced asset management tools for OT. It’s about getting the most bang for your buck, and I believe that should be one of the first amendments.”

CISA’s plans to draft sector-specific goals with regulatory agencies may become a slippery slope to maintain over time without very intimate involvement with the industry vertical operators, Liebig added. “There should be a concerted effort to establish and encourage participation in industry-specific ISACs (such as the E-ISAC), as collaboration among vendors will go further in solving the problems within OT security.”

Derek McCarthy, director for field engineering at NetRise, wrote that “overall I think the document is useful in that it is making the NIST CSF (and other similar frameworks) more digestible and actionable/user friendly, and providing more well-defined guidance on specific actions to take to reduce risk across the enterprise (on both the IT/OT side).”

Last month, CISA released its initial comprehensive plan of action to focus on and guide the agency’s efforts over the next three years. The Strategic Plan communicates the agency’s mission and vision while also promoting the unity of effort across the agency and partners, and defining success for CISA as an agency. It also describes the stakeholder, policy, and operational context ‘in which we must perform and present the strategic changes CISA will make to better execute our vital mission over the next three years.’
