In the second part of the series on the proposals made in the ‘Cyber Incident Reporting for Critical Infrastructure Act of 2021’ to establish a mandatory cyber incident reporting framework for critical infrastructure owners and operators, Industrial Cyber analyzes the proposal to establish a CIR Office (Cyber Incident Review Office) within the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
This office will receive, aggregate, and analyze reports related to covered cybersecurity incidents submitted by critical infrastructure firms.
Experts from the industrial control cybersecurity landscape have been sounding the alarm for a decade or more about the need for comprehensive cybersecurity for the nation’s critical infrastructure. A national focus on the lack of cyber resilience in critical infrastructure, attention and support from the White House administration, and a bipartisan effort by politicians in today’s climate are a wonderful place to start, analysts say.
Asked whether such measures will help to enhance cybersecurity within the critical infrastructure sector and prevent exploits, cybersecurity expert Paul Veeneman said: “The process has been described as ‘a journey,’ and this couldn’t be more accurate. There are many layers to the people, process, and technology involved, the need for OT-IT collaboration (as opposed to the marketing of ‘convergence,’ which, to date, represents risk and is undefined by the industry), network and operations expertise on either side within industrial organizations, and finally looking to the already successful and established regulatory and compliance entities and frameworks previously mentioned above, to provide expanded cyber resiliency ongoing long term.”
The proposed bill calls for the CIR office to assess the effectiveness of security controls and identify tactics, techniques, and procedures (TTPs) adversaries used to overcome such controls and facilitate timely sharing between relevant critical infrastructure owners and operators. At the time of a cybersecurity incident, the CIR Office shall conduct a review of the details surrounding the cybersecurity incident or group of such incidents and identify ways to prevent or mitigate similar incidents in the future.
Analyzing the pros and cons of the proposed CIR Office, Joe Weiss, a cybersecurity expert on instrumentation, controls, and control system cybersecurity, told Industrial Cyber: “The pro is the CIR Office is addressing IT and OT network cyberattacks. The con is the CIR Office doesn’t address the inability of control system field devices to provide cyber forensics and logging to identify cyber incidents. Depending on the staffing of the CIR office, a lack of operational experience can be a major con.”
“If the private sector ends up getting more timely, actionable cyber information out of the government for all the increased mandatory burdens of reporting covered cybersecurity incidents, then that is a net ‘good’ thing,” Bill Lawrence, SecurityGate.io’s chief information security officer (CISO), told Industrial Cyber. In contrast, “if the shared information disappears into the government, that would be of no national value, at the expense of much-increased company incident response and legal budgets. Still, covered entities would have the liability protections described in section 106 of the Cybersecurity Act of 2015, which are allegedly quite powerful, which is good. Also, reporting may not be used for regulation or enforcement actions against non-Federal entities, another ‘good,’” he added.
“However, the reports may ‘inform the development or implementation of regulations relating to such systems,’ which could result in more regulations after all, not necessarily a good thing,” Lawrence added. “Finally, covered entities may be racing to comply with the eventual reporting requirements but have Federal personnel at the gates with the purpose of taking things over because ‘cyber’ is daunting,” he said.
Taking a cautious stand, Veeneman said, “This will depend on the final language of the proposed legislation, protections, liabilities, enforcement, and overlap of CIR, CISA, adjustments of civil penalties. There are many questions left to be answered within the current language to ensure that there is a balance of appropriate authority, action, and accountability.”
The CIR office will publish quarterly unclassified public reports outlining aggregated, anonymized observations and recommendations based on cyber incident reports.
“Publishing quarterly unclassified reports can help as OT networks are common across multiple infrastructures,” Weiss said. “Control system cyber incidents continue to recur across all industries and there is currently minimal to no guidance available. The sooner the information is available, the better. Implementation of my recommendations can help extend cyber security frameworks and control system cyber security standards to address the missing aspects of control system field devices,” he added.
In general, CISA has done well recently with its reports and recommendations, making them graphically appealing, simple to digest and even humorous, according to Lawrence.
“If the CIR office focuses first and foremost on the rapid, confidential sharing of cyber threat indicators mentioned above, then they can spend the rest of their time building useful strategic reports,” Lawrence added. “Look at how valuable the Verizon Data Breach Investigations Report can be, even as an annual summary of what is seen on their networks. But the litmus for CIR usefulness is if it carefully nurtures and manages private reporting, adds in more value from interrelated, declassified government attack data, and gets it turned around quickly enough to make our adversaries’ jobs harder instead of any of our defenders,” he added.
Veeneman’s first reaction was “for the last ten years we have been repeatedly presenting the OT infrastructure attacks from the last 10 plus years, going back to Stuxnet in 2010, the New York dam in 2013, Ukrainian power grid in 2015, Merck and Maersk in 2017, Trisis/Triton in 2018, etc., etc.”
On the relevance of such measures to industrial frameworks, given the time lag involved, Veeneman said that the opportunity to have a ‘national database’ of information to draw upon, engaging entities such as NIST, ISA, NERC, and IEC, could provide the large-scale, comprehensive intake necessary to leap forward and accelerate opportunities for greater cyber resiliency, industrial frameworks, awareness, training, education, etc., within the sectors of critical infrastructure.
“There is now an omni-present national focus on the availability and sustainability of the Nation’s critical infrastructure and basic resources that are integral to the country’s economy, supply chains, emergency/medical services, and energy, impacting and affecting everyday life for Americans everywhere,” he added.