New bill urges critical infrastructure firms to adopt various measures, in response to mounting cybersecurity incidents

A bipartisan legislation bill that would require critical infrastructure firms to disclose cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovery was released by the U.S. House Homeland Security Committee. The ‘Cyber Incident Reporting for Critical Infrastructure Act of 2021’ is set to establish a mandatory cyber incident reporting framework for critical infrastructure owners and operators.

The proposed bill is set to give the industry a 72-hour reporting window, which tech trade groups have been pressing for, as shorter timelines greatly “increase the likelihood that the entity will report inaccurate or inadequately contextualized information that will not be helpful, potentially even undermining cybersecurity response and remediation efforts.” This timeframe will help ensure that the CISA and its interagency partners receive actionable information on significant incidents, and give incident responders time to evaluate the intrusion to determine its impact.  

In a two-part series, Industrial Cyber collects insights from the industrial cybersecurity sector and checks out if the proposed bill is comprehensive enough to deal with the rising threat level and sophistication of cyberattacks that are faced by the critical infrastructure sector. The first part of the series will navigate over how feasible is it for an industrial organization to identify and disclose cybersecurity incidents to the CISA within 72 hours, as required by the proposed bill, and whether industrial organizations usually have all the details of the cybersecurity incident within this time window.

Joe Weiss, an expert on instrumentation, controls, and control system cybersecurity, said that control systems and control system networks are vulnerable to older ‘unsophisticated’ cyber vulnerabilities, sophisticated Advanced Persistent Threats (APTs), and most versions of ransomware and other IT malware. “Because control system field devices have no cybersecurity, authentication, or cyber logging, cyber threats to field devices are generally not identified as being cyber-related. Moreover, as identified in Presidential Executive Order 13920, Chinese hardware backdoors in large electric transformers bypassed all cyber monitoring and protection,” he added. 

As process sensor measurement is the input to operational technology (OT) networks and process historians, OT network monitoring is based on untrusted data. Consequently, raw process sensor measurement is needed to provide process measurement authentication and integrity, Weiss pointed out.

“The legislation is very wide-reaching, allowing the CISA Director the authority (subject to public comment in the Federal Register) to define ‘covered entities’ (critical infrastructure asset owners and operators, including non-federal organizations), and ‘covered cybersecurity incidents’, which may be taken singularly or grouped to become a ‘significant cyber incident,’” Bill Lawrence, SecurityGate.io’s chief information security officer (CISO) told Industrial Cyber.

Lawrence highlights that considerations for each of those definitions are given to the Director in the draft, but of particular interest are those in Section (d) (4) under ‘Covered Cybersecurity Incidents.’ “Here wide net is cast, covering attack sophistication, individuals directly, indirectly, or potentially affected, and potential impacts to ICS systems, as well as loss of access or confidentiality, integrity, and availability to information systems; DDOS, ransomware, or zero-day attacks against IT or OT systems; and compromised cloud service providers, managed service providers, third-party data hosting providers, or supply chain attacks,” according to Lawrence. “That is quite the array of reportable cyber incidents,” he added.

Cybersecurity expert Paul Veeneman said that relative to DFARS 252.204-7012 (and subsequently DFARS 252.204-7019, 7020 and eventually 7021), the proposed legislation that is specifically focused on incident response is initially a good starting point, but will require a more long term comprehensive approach to securing access, management, and monitoring of information systems supporting all sectors of critical infrastructure.

“Having said this, the vast majority of terms, solutions, methodologies, are focused on information technology practices and fall short of requirements for availability and safety for operations technology that comprises more of the base critical resources, bulk power distribution, water, wastewater, commuter & freight transportation, etc.,” Veeneman told Industrial Cyber.

Veeneman also mentioned that the US also has the most comprehensive set of regulatory and compliance entities and frameworks, accepted worldwide, from recognized sources for cyber security controls, standards, requirements, and guidance, starting with NIST, International Society of Automation (ISA), International Electrotechnical Commission (IEC), and North American Electric Reliability Corporation (NERC) and Critical Infrastructure Protection (NERC CIP). “It’s reasonable to assume that a more effective path forward is pulling together already established and successful standards, practices, guidelines, for national critical infrastructure, industrial controls, automation, etc.,” he added.

Analyzing the 72-hour timeline, John S. Miller, senior vice president of Policy and General Counsel at the Information Technology Industry Council (ITI), said in his written testimony before the Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, that it “also aligns with global best practices, which we believe is of great importance to facilitating interoperability of approaches. A shorter timeline for reporting may also serve to undermine cybersecurity, in that such a requirement can expose information about an incident before a patch is applied or operations are restored, making operators and their customers vulnerable to additional attacks by hackers,” he added.

Working towards aligning with global best practices, Miller cited that “The German IT Security Act and various state-level notification requirements in the United States allow for a reporting window of 72 hours. Article 33 of the EU’s General Data Protection Regulation (GDPR) also states that in the case of a personal data breach, impacted companies shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority,” he added.

Weiss believes that is it feasible for an industrial organization to identify and disclose cybersecurity incidents to the CISA within 72 hours. “However, what may not be feasible is detect the vulnerability within 72 hours of infection. This is especially true of control system cyberattacks of the Purdue Reference Model 0,1 devices that have no cyber logging nor cyber security training for the control system engineers,” he added.

“Both Stuxnet and Triton demonstrated that sophisticated attackers can make cyber attacks appear to be equipment malfunctions preventing near (and long-term) term identification of incidents as being cyber-related,” according to Weiss. “In the case of Stuxnet, it was more than year before Stuxnet was identified as being a cyberattack. In the case of Triton, it was months before Triton was recognized as being a cyberattack. As a result, I agree with the cyber incident definition approach to not distinguish between malicious and unintentional incidents,” he added.

“Understanding exactly what occurred in a ‘covered cybersecurity incident’ at a ‘covered entity’ will be very difficult, if not impossible just days after the incident is discovered,” Lawrence said.  

Relying on the proposed bill, Lawrence points out that the proposed legislation says that in no case may the Director require reporting by a covered entity earlier than 72 hours after confirmation that a covered cybersecurity incident has occurred. Thus, raising the question of who exactly does this confirmation. The covered entity should not count on being the one to make that declaration, since the proposed legislation goes on to state under ‘considerations’ while determining the reporting timelines that the Director shall balance the Agency’s need for situational awareness with a covered entity’s ability to conduct incident response and investigations. 

“CISA and other government partners may come knocking sooner than expected, either offering to ‘help’ or taking over the investigation altogether,” Lawrence added.

Veeneman said that it is important to understand that within the proposed legislation, ‘Notification’ is defined as “…not later than 24 hours after the confirmation of a cybersecurity intrusion or potential cybersecurity intrusion.”  

In many scenarios and situations, the realization of the intrusion may occur after the immediate damage and impact have already taken place, causing loss of productivity, availability, or worse, life within the operations environment, he added. 

“While it is beneficial to retrospectively review exploited threats in any cybersecurity maturity model for continuous improvement, this doesn’t necessarily address the root cause within the critical infrastructure operations technology environment that allowed the threat to exploit the vulnerability in the first place. Once cybersecurity incidents have been identified, and organizations are reviewing requirements for notification, there is the matter of disclosure. Disclosure could impact Privacy,” Veeneman added. 

Evaluating whether industrial organizations would have all the details of the cybersecurity incident within the 72-hour time frame, Lawrence said,” Maybe, but unlikely, especially if third-party incident response teams or government ‘fly away’ teams are engaged to assist with (or run) the investigation.” Furnishing attack details to CISA is supposedly protected from disclosure in the Federal government, but that comes with several exceptions, he pointed out.

Weiss said that whether the 72-hour time frame was sufficient or not for industrial organizations would depend on the sophistication of the attack and the sophistication of the OT network and field device monitoring. “Depending on the sophistication of the attack, it may not be feasible to identify an OT network cyberattack for months to even years. Given SolarWinds, the same can be said of IT cyberattacks. Without training the control system engineers to identify what may be cyber-related, there is little chance of identifying control system field device cyberattacks,” he added.

“I believe the biggest concern will be deciding what incidents to furnish to CISA as some incidents may not appear to be cyber-related,” according to Weiss. 

Based on the proposed legislation requirements for cybersecurity notification information, Veeneman said it seems tenable that industrial organizations would be able to provide the details of cyber incidents that they became aware of within the operations systems and environment. 

“However, it remains to be seen if these are the final requirements for a cyber incident disclosure provided to CISA, or will there be a process of further evaluation of cyber incident detail and criteria. Also, this assumes that organizations address gaps where OT and IT personnel may not have access to the tools, training, and expertise necessary to detect, confirm, and produce the details of the cyber incident to be reported to CISA,” he added.

In the next part of the series later this week, we will look into the advantages and drawbacks of the proposed Cyber Incident Review (CIR) Office within the CISA to receive, aggregate, and analyze reports related to covered cybersecurity incidents submitted by covered critical infrastructure firms.