CISA directive likely to drive investment costs, raise need for more staff, update technology and processes

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive earlier this week requiring federal civilian executive branch (FCEB) agencies to improve how they discover assets and detect vulnerabilities across their networks. The directive is expected to raise investment costs and push agencies to update technology and processes; it will also demand a solid deployment plan and additional staff to carry that plan out.

The directive also requires these agencies to report detailed vulnerability data to CISA at set intervals using automated tools. By Apr. 3 next year, all FCEB agencies must perform automated asset discovery every seven days, run vulnerability enumeration across all discovered assets (every 14 days, including roaming devices such as laptops), and automatically ingest the detected vulnerabilities into CISA's database. Agencies must also develop and maintain the operational capability to initiate on-demand asset discovery and vulnerability enumeration, targeting specific assets or subsets of vulnerabilities, within 72 hours of a request from CISA.

Additionally, by Apr. 3, agencies and CISA, through CISA's Continuous Diagnostics and Mitigation (CDM) program, will deploy an updated CDM Dashboard configuration that gives CISA analysts access to object-level vulnerability enumeration data, as authorized in President Joe Biden's Executive Order on Improving the Nation's Cybersecurity issued last May.

Forrester analysts pointed out that security teams have been flying blind when trying to enumerate vulnerabilities on unknown assets for decades. “Organizations often have multiple or outdated configuration management databases, spreadsheets, or vulnerability scans limited to known IP ranges and sites,” Erik Nost and Jess Burn, senior analysts, wrote in a blog post this week. “A lot of teams knew about assets that existed in silos or shadow IT that they couldn’t validate. Attempting to aggregate any asset data led to messy duplicate and contradicting data.”

The analysts also said that CISA's emphasis on asset enumeration in security programs is an exclamation mark on years of security team proclamations, an aging NIST cybersecurity framework, and recent attack surface management acquisitions. “Although discovery of unknown external assets is not specifically mentioned in the directive, external attack surface management vendors have been gobbled up over the past several months,” they added.

Danielle Jablanski, an OT cybersecurity strategist at Nozomi Networks, wrote in an emailed statement there is a “constant drumbeat of industry experts reflecting on government guidance, standards, and recommendations for cybersecurity that stipulates the federal government must do more to walk the walk on building resilience within federal systems and federal technologies before mandating industries to do better. This directive is a step in exactly that direction.”

Threat actors targeting OT and ICS seek to craft the perfect concoction of capabilities and vulnerabilities that will cause disruption or damage to their target, Jablanski said. “They can be opportunistic, highly tailored, or a mixture of both.”

Jablanski said that the directive is crucial for two reasons. First, if network activity is not monitored in real time, the status of assets is largely unknown; whether or not they have vulnerabilities, these assets cannot be protected without visibility into their day-to-day functionality. Second, vulnerabilities are not all the same; the degree to which they affect the integrity and availability of systems varies by technology, deployment, configuration, and environment, she added.

“The highly anticipated CISA cross-sector cyber performance goals (CPGs) are another step in the right direction, to help owners and operators of critical infrastructure prioritize and implement the NIST cyber security framework,” according to Jablanski. “It will also provide a benchmark or starting point for the industry to self-evaluate their own cybersecurity practices and program maturity, prioritizing based on technology scope, costs, impact, and complexity.”

The directive will require a critical look at current tools and strategies and, in many agencies and organizations, an investment in dollars to update technology and processes, Liran Tancman, CEO and co-founder of Rezilion, wrote. “Agencies need the right tools for vulnerability detection and prioritization, and they need automated technology for remediation of those vulnerabilities so that they can be focused on more mission-critical objectives.”

Tancman pointed out that critical infrastructure in particular often operates with older, legacy technologies that cannot properly defend against modern-day threats. “With tight budgets, federal agencies and critical infrastructure organizations will need to do some reevaluation of where their time and dollars are allocated if they want to truly be able to manage risk today. Going back to my comment about legacy technology, government agencies and critical infrastructure organizations are often behind when it comes to the tools they are using. 

“But this establishes baseline requirements for agencies to use in identifying assets and vulnerabilities, and in order to accomplish that these types of organizations will need to invest in creating and using a Software Bill of Materials (SBOM) with dynamic capabilities so that they can see real-time changes in their assets,” Tancman said. “And they need to combine the SBOM and VEX and get the actual risk present in their environment. VEX is a machine-readable artifact that tells you which vulnerable components in an environment are actually exploitable.” 

Tancman said that the objective of the VEX is to provide information for organizations to use and prioritize their remediation efforts. “This contextualization is provided by the software vendor with a machine-readable artifact with justification values of why a particular component is not affected by a specific vulnerability and therefore not exploitable. Organizations should use a Dynamic SBOM that combines a real-time SBOM and the VEX,” he added.
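The reconciliation Tancman describes, combining a component inventory with VEX statements to leave only the findings that still need work, is shown below as an added example; it is not code from the article, from Rezilion, or from any VEX tooling. The SBOM, scanner findings and VEX document are constructed inline in a simplified, OpenVEX-like shape (the `pkg:generic/...` identifiers and `VULN-000x` IDs are placeholders, not real packages or advisories). The status and justification vocabulary follows CISA's published VEX status justifications; a `not_affected` claim without a recognised justification is deliberately kept actionable rather than trusted, and a finding on a component absent from the SBOM is flagged as an inventory discrepancy rather than silently dropped.

```python
"""Reconcile scanner findings against an SBOM and a VEX document.

Added example, not from the article. Input formats are simplified stand-ins
for CycloneDX/OpenVEX; all identifiers below are constructed placeholders.
"""

# CISA VEX status and justification vocabulary (the only values we accept).
VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed SBOM fragment: purl of what is actually deployed -> display name.
SBOM = {
    "pkg:generic/parserlib@0.9.0": "parserlib 0.9.0",
    "pkg:generic/netlib@2.1.0": "netlib 2.1.0",
    "pkg:generic/cryptolib@3.4.0": "cryptolib 3.4.0",
}

# Constructed scanner output: (purl, vulnerability id) matched by version string.
SCAN_FINDINGS = [
    ("pkg:generic/parserlib@0.9.0", "VULN-0001"),
    ("pkg:generic/parserlib@0.9.0", "VULN-0002"),
    ("pkg:generic/netlib@2.1.0", "VULN-0003"),
    ("pkg:generic/netlib@2.1.0", "VULN-0004"),
    ("pkg:generic/uilib@5.0.0", "VULN-0005"),  # uilib is not in the SBOM
]

# Constructed VEX document from the (hypothetical) vendor.
VEX = {
    "statements": [
        # Vendor asserts the vulnerable function is never reached in this product.
        {"vulnerability": "VULN-0001", "products": ["pkg:generic/parserlib@0.9.0"],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        # not_affected with no justification: must not silence the finding.
        {"vulnerability": "VULN-0002", "products": ["pkg:generic/parserlib@0.9.0"],
         "status": "not_affected"},
        {"vulnerability": "VULN-0003", "products": ["pkg:generic/netlib@2.1.0"],
         "status": "affected", "action_statement": "upgrade to netlib 2.1.1"},
        # Statement is about a version we do not run, so it does not apply.
        {"vulnerability": "VULN-0004", "products": ["pkg:generic/netlib@2.0.0"],
         "status": "fixed"},
    ]
}


def index_vex(vex):
    """Map (product purl, vuln id) -> statement, skipping malformed statements."""
    idx = {}
    for st in vex.get("statements", []):
        if st.get("status") not in VALID_STATUSES or "vulnerability" not in st:
            continue
        for product in st.get("products", []):
            idx[(product, st["vulnerability"])] = st
    return idx


def reconcile(sbom, findings, vex):
    """Return (actionable, suppressed).

    actionable: {(purl, vuln): reason} for findings that still need attention.
    suppressed: [(purl, vuln, justification)] for findings the VEX retires.
    """
    idx = index_vex(vex)
    actionable, suppressed = {}, []
    for purl, vuln in findings:
        if purl not in sbom:
            # Scanner matched a component the SBOM says is not deployed:
            # either a stale finding or a gap in the asset inventory.
            actionable[(purl, vuln)] = "not in SBOM: stale finding or inventory gap"
            continue
        st = idx.get((purl, vuln))
        if st is None:
            actionable[(purl, vuln)] = "no VEX statement for deployed version"
            continue
        status = st["status"]
        if status == "not_affected":
            just = st.get("justification")
            if just in VALID_JUSTIFICATIONS:
                suppressed.append((purl, vuln, just))
            else:
                actionable[(purl, vuln)] = "not_affected claim lacks a recognised justification"
        elif status == "fixed":
            suppressed.append((purl, vuln, "fixed"))
        else:  # affected or under_investigation
            actionable[(purl, vuln)] = f"{status}: {st.get('action_statement', 'no action statement')}"
    return actionable, suppressed


if __name__ == "__main__":
    todo, retired = reconcile(SBOM, SCAN_FINDINGS, VEX)
    for (purl, vuln), reason in todo.items():
        print(f"ACTION   {vuln:10} {purl:32} {reason}")
    for purl, vuln, just in retired:
        print(f"RETIRED  {vuln:10} {purl:32} {just}")
```

Run as a script it prints four ACTION lines and one RETIRED line: only VULN-0001 is retired, because it is the only `not_affected` statement that both names the deployed version and carries a valid justification. Regenerating the SBOM from the running environment rather than from a build manifest is what makes the "dynamic" part of Tancman's point hold; the reconciliation logic itself is the same either way.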

“This is stating the obvious, but the #1 resource that civilian agencies will need to be able to comply with the CISA directive is a solid deployment plan and enough staff (or contractors) to enact that plan,” Ron Brash, vice president for technical research and integrations at aDolus, wrote. “Assuming that is in place (a big assumption), the agencies will need to purchase and deploy the tools that can perform regular automated asset discovery scans and interpret the results from these scans.” 

Brash said that the initial effort to do this is never trivial, as building an accurate IT asset list almost always requires a lot of gumshoeing to correlate the results reported by the tools with what is actually in place. “That said, it is a worthwhile endeavor as if you don’t know what you are actually trying to protect, it is hard to protect it. Plus, once the basics are done, it is much easier to keep your assets list up to date.”

“The real challenge will be the requirement to perform vulnerability scans ‘across all discovered assets, including all nomadic/roaming devices (e.g., laptops), every 14 days,’” Brash said. “Again, there are lots of tools available, but they tend to be focused on IT assets, not OT or IoT assets. As a result, agencies will likely run into a ‘Pareto Problem’: common IT assets like servers and workstations (the 80%) will be easy (20% effort), but then all the remaining non-traditional assets will take 80% of the effort,” he added.

With the explosion in both OT and IoT products in the last decade, few agencies will escape this pain: think security cameras, badge readers, HVAC systems, and even soft drink machines as connected devices that will take a lot of effort to scan safely and reliably, Brash said. “Agencies with OT assets (such as air, water, or land monitoring and management) will have an even tougher time,” he added.
