CISA CPGs will likely set acceptable standards for organizational cybersecurity posture across critical infrastructure
Intending to reduce cyber risk across critical infrastructure sectors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a set of cross-sector cybersecurity performance goals (CPGs), explicitly described as voluntary and not comprehensive, to establish a common set of fundamental cybersecurity practices for critical infrastructure. These baseline objectives will likely help raise industrial cybersecurity posture while guiding prioritization, spending, and action.

With CISA describing the CPGs as ‘a floor, not a ceiling’ and ‘a minimum baseline’ of cybersecurity best practices, organizations considered critical infrastructure should consider adopting them; those that do not will likely face increased scrutiny in the event of a breach.

Developed by the Department of Homeland Security, through CISA, at the direction of the White House, the CPGs are designed to be easy to understand and to communicate to non-technical audiences. They were informed by existing cybersecurity frameworks and guidance, along with real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by the agency and its partners. The benchmarks also aim to improve OT cybersecurity and to help organizations respond to OT cyber incidents more rapidly and effectively.

It is widely acknowledged that the OT environment is overshadowed by its IT counterpart and remains overlooked and under-resourced. The cybersecurity industry has largely focused on business IT systems, often neglecting the critical risk in OT systems, which were designed to optimize reliability and availability and often lack native security capabilities. This puts critical infrastructure entities at serious risk as more OT devices become network-connected.

Furthermore, many critical infrastructure entities lack adequate OT cybersecurity programs, especially where cybersecurity is still seen as primarily an IT concern. Entities that do have OT cybersecurity programs often lack basic OT cyber protections and are unable to find relevant OT-specific guidance for their environments. 

The CPG document provides an approachable common set of IT and OT cybersecurity protections that are clearly defined, straightforward to implement, and aimed at some of the most common and impactful cyber risks. Where the authors felt it appropriate, it adds explanations and potential variations for OT environments. It also contains five OT-specific performance goals: OT cybersecurity leadership, OT cybersecurity training, improving the IT and OT cybersecurity relationship, limiting OT connections to the public internet, and network segmentation.

The CPGs follow the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems signed by U.S. President Joe Biden last July. The memorandum directed CISA, in coordination with NIST and the interagency community, to develop baseline cybersecurity performance goals that are consistent across critical infrastructure sectors.

As a starting point, the CISA CPGs offer a way to demonstrably implement the NIST Cybersecurity Framework (CSF). They enable owners and operators of critical infrastructure to measure and improve their cybersecurity maturity, and they provide a standardized evaluation of an organization’s activities to reduce the likelihood and impact of known risks and adversary techniques. The agency has worked with government, private sector, and international partners to gain insight into the state of cybersecurity across U.S. critical infrastructure and the nature of the threat landscape.

Having released the cross-sector CPGs, CISA is set to work with each Sector Risk Management Agency (SRMA) to develop sector-specific goals, identifying any additional cybersecurity practices, not already included in the common baseline, that are needed to ensure the safe and reliable operation of critical infrastructure in that sector.

Industrial Cyber reached out to experts across the industrial cybersecurity field to assess how much of a game changer the CISA CPGs are likely to be. The experts also consider whether these practices carry inherent limitations, given that they were derived from existing cybersecurity frameworks and guidance and from real-world threats and adversary TTPs.

Matt Hayden, vice president of cyber client engagement at General Dynamics Information Technology

The CISA CPGs are a game changer for small to medium critical infrastructure owners, operators, and suppliers, as they identify threat-driven, commonly agreed protection outcomes that must be in place, Matt Hayden, vice president of cyber client engagement at General Dynamics Information Technology (GDIT), told Industrial Cyber. “Previously, there was a boil-the-ocean approach and this is now a triaged list of must-do actions that track back to larger standards and frameworks.”

Chris Warner, senior security consultant for OT governance and risk at GuidePoint Security

“The CPGs are essentially a subset of the NIST CSF and have the potential to help smaller or resource-limited critical infrastructure organizations to start or further mature their cybersecurity program,” Chris Warner, senior security consultant for OT governance and risk at GuidePoint Security, told Industrial Cyber. “The CPGs could help bridge IT, OT, and the business to start working together on actionable, less complicated guidance to increase their cybersecurity posture and continue to enhance their cybersecurity program by aligning to the NIST CSF and IEC 62443.” 

Warner added that the challenge is that different cross-sector organizations use diverse systems and terminology, have limited expertise in their OT/ICS departments, and may rely on IT cybersecurity in their organizations. “There will need to be an effort to establish more collaboration between IT, OT, and the business to develop enterprise cybersecurity programs that include a Governance, Risk, and Compliance (GRC) department that addresses OT/ICS security.”

Patrick Miller, president and CEO at Ampere Industrial Security

Patrick Miller, president and CEO at Ampere Industrial Security, told Industrial Cyber that he expects “this to be a significant game changer. We don’t need yet another framework. We need ways to use our existing, great frameworks in alternative ways. This does just that.” 

Miller added, “you can get credit for the good work you’ve already done while satisfying a new need for reporting without needing to reinvent an additional measurement and reporting program.”

Kevin Kumpf, chief OT/ICS security strategist at Cyolo

“I truly do not see them as a game changer at this point,” Kevin Kumpf, chief OT/ICS security strategist at Cyolo, told Industrial Cyber. “The Cybersecurity Performance Goals (CPGs) are a ‘minimum’ issuance of ‘best practices’ for Industrial Control Systems. The reality is that organizations should be doing these already as threats to the ICS space have exponentially increased on a yearly basis.”

As the CISA CPGs are voluntary and not comprehensive, it is worth evaluating how they will work on the ground and how much they can improve the cybersecurity posture of the nation’s critical infrastructure providers.

Hayden said that the goals set a baseline that all critical infrastructure sectors will use to ensure everyone has these essentials covered. “​​It will also be a consistent practice for regulators to leverage into the future,” he added. 

“Smaller and medium-sized CI (Critical Infrastructure) organizations can leverage the voluntary CPGs to prioritize the actions needed to establish or enhance their cybersecurity program, which may not be such a level of effort with restricted resources and budget constraints,” according to Warner. “CPG guidance will help organizations address the highest priorities initially and start working on protecting critical controls.”

Warner added that, typically, CI organizations are inundated with meeting compliance regulations, which puts a significant strain on organizational resources to meet those minimum guidelines that do not increase an enterprise security posture. “Utilizing CPGs and working on aligning to the NIST CSF or IEC 62443 improves your overall cybersecurity posture as opposed to just minimum compliance regulations.”

“I think they are voluntary for now. If no one participates, they will likely become mandatory,” Miller said. “But note that they aren’t designed to dramatically improve the security posture of the [relevant] critical infrastructure sectors overnight. They are designed to be a common, minimum method for measuring how they are doing with respect to basic levels of security. They are intended to remove the patchwork of standards and lack of standards for measurement that exists today. Based on this information, additional or new regulation may follow.” 

Miller added that he is hopeful that they will be useful in creating less reactionary and low-quality regulation than what we’ve seen.

Kumpf identified ‘voluntary’ and ‘not comprehensive’ as the keywords of concern. “If we look at entities under the critical infrastructure umbrella, they either have compliance directives they must adhere to or they are self-guided in their efforts. The reality is that you can never get a proper cybersecurity posture just by adhering to compliance efforts, but if you embrace a proper cybersecurity posture, you can extract required compliance directives for an organization.”

Asked how effective the cross-sector CPGs will be given that they were developed with the National Institute of Standards and Technology (NIST) and the interagency community, and whether they can work as ‘intended to supplement’ each other, Hayden said “the goals are security outcomes that track with the risk framework and other NIST standard sets, but separates the threat-driven essentials for those that have not worked those frameworks and standards before.”

Warner said that the CPGs provide a practical, simplified starting point to work towards alignment with the NIST CSF or IEC 62443 frameworks. “The CPGs are a subset of the NIST CSF, so I see organizations with limited time and resources having an opportunity to start with the CPGs and work to implement the NIST CSF. CISA plans to create sector-specific goals with regulatory agencies that may become more challenging without close involvement with business vertical operators for substantive contributions to cybersecurity for the unique systems across the sectors,” he added. 

“I see them as useful gears in the bigger machine,” Miller said. “They are intended to mesh with the NIST components in a useful way.”

Kumpf said that the reality is that cybersecurity best practices are rooted in NIST 800 / CSF. “CISA has stated that the NIST CSF should be used in conjunction with the CPGs, but the CPGs do not fully address each CSF subcategory which is a point of confusion I have already heard from others in the industry.” 

Additionally, organizations that have already adopted and implemented the NIST CSF do not need to perform additional work to implement the CPGs, which is another point of confusion, Kumpf added. “These two factors essentially say that the CPGs are an extraction from the NIST CSF and if entities followed at minimum the NIST CSF already they would be in good base cybersecurity posture already.”

With the release of the CISA CPGs, it is important to chart the immediate changes these practices will bring about across the critical infrastructure sector, and to examine how capable critical infrastructure owners and operators are of accelerating the adoption of essential actions to improve cybersecurity and of prioritizing their security investments.

“Large companies are going to have these practices already in place,” Hayden said. “This will help medium and small businesses raise their security posture to the threats CISA is working on right now. As CISA moves forward with more specific sector goals, industry will be at the table and will have the hindsight of how the cross-sector goals worked and where they need additional guidance,” he added.

Warner envisioned IT and OT teams working together more closely to determine how best to use the CPGs, should they choose to adopt them given that they are voluntary. “This has the potential for committees to be made or IT security, GRC, and OT engineers to work with CISOs and other executives on identifying risks and prioritizing security budgets.”

“I think it will help security programs that were deficient or underfunded get some additional funding to meet the new minimum bar,” according to Miller. “It will be increasingly difficult to ignore DHS CISA asking on behalf of the POTUS for this information. I also see it affecting other para-regulatory influences such as state utility commissions, insurance agencies, and even merger/acquisition efforts.”

Kumpf said that he does not see the CPGs having an immediate impact because, unlike in the IT space, safety and availability always supersede cybersecurity and compliance in critical infrastructure, which he said is sadly forgotten by many.

“The ICS space by nature is slow to change and we cannot just wave a magic wand and patch infrastructure or get rid of shared credentials as examples,” according to Kumpf. “What we can expect moving forward, based on the increase in attacks on the sector, is a higher level of awareness and effort to assess environments and increased efforts to reduce cyber risks pragmatically while not sacrificing safety or availability,” he concluded.