National Cybersecurity Strategy to rebalance responsibility for defending cyberspace, bring in accountability

The administration of U.S. President Joe Biden rolled out earlier this month its National Cybersecurity Strategy to reimagine cyberspace and shift the cybersecurity burden to technology providers. The document imposes additional mandates on the organizations that control the majority of the nation’s digital infrastructure, with an enhanced governmental role in disrupting hackers and state-sponsored entities, recognizing that new and updated cybersecurity regulations must be calibrated to meet the needs of national security and public safety.

As part of a larger effort by the U.S. administration to improve cyber and technology governance, the National Cybersecurity Strategy sets its sights on bolstering security and resilience across critical infrastructure installations, increasing accountability for tech companies, boosting privacy protections, and ensuring fair competition online. The initiative will address cyber threats and make the digital ecosystem defensible, resilient, and values-aligned.

The National Cybersecurity Strategy takes a much more assertive position on the need for regulation and for the government to incentivize the industry to do more for cybersecurity. It seeks to build and enhance collaboration around five pillars – defend critical infrastructure, disrupt and dismantle threat actors, shape market forces to drive security and resilience, invest in a resilient future, and forge international partnerships to pursue shared goals.

The National Cybersecurity Strategy calls for two fundamental shifts across critical infrastructure sectors. The first is redistributing the burden of cybersecurity away from private citizens, small enterprises, and local governments and towards the institutions most qualified and well-positioned to lower risks for all of us. The second is realigning incentives to favor long-term investments by striking a careful balance between defending against immediate threats today and strategically planning for and investing in a resilient future.

Industrial Cyber reached out to cybersecurity executives to analyze the implications of the National Cybersecurity Strategy document, which expects regulation to ‘level the playing field, enabling healthy competition without sacrificing cybersecurity or operational resilience.’ These professionals draw on their experience to assess the potential benefits and drawbacks of such a change and how it would impact OT/ICS environments in critical infrastructure.

Itzik Kotler, CTO and co-founder of SafeBreach

“As a statement of strategy, we are encouraged by the recognition that IT/OT convergence and digital transformation have increased cyber risk to the critical infrastructure. The strategy document recognizes that this risk is tied to our national security,” Itzik Kotler, CTO and co-founder of SafeBreach, told Industrial Cyber. “The language referenced above is included in Strategic Objective 1.1. This Objective looks to establish ‘modern and nimble’ regulatory frameworks. As with all strategy documents, the overall effect will come down to the implementation.” 

The administration is encouraging the regulator to do this in collaboration and coordination with the regulated entities, according to Kotler. “The objective looks to drive a harmonized set of minimum cybersecurity requirements. At the same time, the Administration does recognize that doing so may cause a disadvantage to some of the critical infrastructure sectors where making the necessary long-term investments to reach this set of minimal requirements will eliminate their ability to compete.”

He added that the administration therefore recommends that regulators also incentivize companies to invest in cybersecurity through the ‘rate-making process, tax structure, or other mechanisms.’ “This signals that the Administration does understand that the added cybersecurity comes at a cost and that it must provide a path to make said investments,” according to Kotler.

Roman Arutyunov, co-founder and vice president of product, Xage Security

“Today, cybersecurity adoption varies by the industrial sectors and company size. Yet, attacks can have devastating consequences on companies’ services to small and large communities alike,” Roman Arutyunov, co-founder and senior vice president of product at Xage Security, told Industrial Cyber. “Regulation across sectors with proper incentives is needed to ensure that we are properly protecting every community and all critical services. Additionally, as our supply chains converge, attackers will leverage the weakest links—which is why it’s essential to raise performance across the board.” 

Arutyunov added that CISA’s recently released cross-sector performance goals focus on ensuring that fundamentals can be applied across the board. “A potential drawback could be an impact on innovation as some sectors may need a more tailored, unique approach; however, we are far away from feeling this impact.”

Yakov Yeroslav, CEO and co-founder of Sasa Software

Focusing on the pros, Yakov Yeroslav, CEO and co-founder of Sasa Software, told Industrial Cyber, based on their experience in Israel as well as other parts of the world, “regulation is a major motivator to achieve marked upgrading of security postures in national infrastructures, both governmental and private. As cyber threats increase in sophistication, with multi-national cyber-gangs and state-sponsored hackers repeatedly targeting core national assets, no individual sector should be left to deal with such threats by their own devices.”

Increased regulation means that the government will take a leading role in determining security gaps, defining best practices, and developing the expertise and guidance to ensure that national assets are nationally protected, and even the weakest links still maintain a minimal set of security standards, Yeroslav said. “Regulation also creates a common, outcome-oriented language that helps cut through hype and define core capabilities by which OT/ICS security teams can objectively assess and compare security vendor offerings.”

Turning to the cons, Yeroslav said that binding industry to regulation always carries with it the danger of sluggish response to change. “The highly dynamic nature of cybercrime raises the concern that by the time the regulation is rolled out, the threat landscape has evolved to an extent that the regulation will be, at least in part, outdated,” he added.

“Another side effect of increased regulation is that the attention of network defense teams inevitably shifts from achieving better security to achieving more compliance, in effect reducing their alertness to the particular risks and weaknesses of their systems and generating a more passive defense posture,” according to Yeroslav. “For these reasons, regulation in cyber-security should always include a dynamic component that allows for periodical updating, based on accumulating intelligence and with routine dialog between regulators’ cybersecurity leadership.”

Jason Rivera – Director, PCNSA, CCNA, Security Risk Advisors

Bearing in mind that regulation may represent the ‘most minimum set of requirements,’ the assertion that competition can help drive meaningful innovation of cybersecurity for ICS/OT systems and environments is valid, Jason Rivera, director at Security Risk Advisors, told Industrial Cyber. “As long as a common set of goals exists, we can drive together in the same direction.”

“But while regulation provides asset owners the opportunity to attest and security partners the motivation to innovate, its hindrance is the vacuum of variant, subjective, and competing process and technology gains (in operational resilience) that it creates and quite frankly, we’re already in,” Rivera said. “What we really need is less subjectiveness of security rights and wrongs downstream from regulation,” he added.

Rivera also highlighted that the other rub with regulatory strategies is that while they’re good for establishing accountability and a common set of goals, they’re often also the bare minimum. “And yet, that might be best for ICS/OT security because we are still very much at a maturing state. So ‘leveling the playing field’ in my opinion, is a strategy best suited for more mature spaces. Even though impressive strides have already been made, there’s still a ton more to do as a community.”

The National Cybersecurity Strategy is looking to rebalance the responsibility for defending cyberspace. The experts are looking into the effects that this will have on OT environments. Additionally, they are assessing what the focus areas from a cybersecurity perspective should be for industrial and manufacturing companies in 2023, as OT systems become more complex and interconnected.

Kotler underscores that this is one of the more important aspects of the National Cybersecurity Strategy. “The Administration is recognizing that too often responsibility for cybersecurity defense is unfairly tilted onto the end-user. Rebalancing the responsibility will drive greater accountability on the manufacturers and suppliers of ICS/OT systems and associated components. This is largely addressed in Pillar 3 of the Strategy.” 

“We find the notion of ‘security labels’ mentioned in Strategic Objective 3.2 to offer an approach to encourage transparency and market incentives in OT/ICS environments as well,” according to Kotler. “This will help clarify dependencies between the different components of complex OT systems, and encourage a harmonized approach to establishing a higher level of cybersecurity resilience across these complex systems.”

The rebalancing of the responsibilities needs further clarification, Arutyunov said. Responsibilities can be split between vendors and system operators with vendors responsible for their products, and system operators responsible for using those products as part of the overall solution. 

“The IEC 62443 set of standards and certifications designed for OT environments breaks this down into the product development process (IEC 62443-4-1), component (IEC 62443-4-2) and overall system (IEC 62443-3-3) certification,” Arutyunov added. “Vendors are responsible for the first two, and operators are responsible for achieving the latter.” 

Rivera said that the focus for industrial and manufacturing cybersecurity in 2023 should be on perfecting the basics. “For example, Ethernet VLAN standards have existed since 1998 and yet most industrial and manufacturing organizations do not have a level of network isolation to actually lean on, in defense of those systems and environments.”

Most organizations are also missing basic or comprehensive asset management, and even fewer are testing security controls and inspecting what’s expected from defensive measures, according to Rivera. “And yet, a properly segmented ICS/OT network provides an almost immeasurable degree of defensive security maturity,” he added.

Rivera added that as complexity and interconnectivity continue to drive the landscape of innovation and by proxy, security risk, the focus needs to stay highly prioritized and representative of the most significant security and business risks. “ICS/OT security risk is a business risk and since every business is different, prioritized risk reduction objectives based on their business need to be as well.”

Oren David, CEO of Bavelle Technologies, said that there will be two major impact areas on OT systems – the first area is technology. “While not the technology of the OT network directly, all the technology surrounding the OT network will see a jump in advancement. As threats become more advanced, so should the defenses surrounding critical assets. That means continuing to pursue innovation in how critical assets are being protected and increasing cyber readiness across the board,” he added.

“This includes the second area of impact—an organization’s workforce. The workforce is still the most vulnerable aspect of any cybersecurity posture. Employees can unknowingly carry malware via USB drives or download it via the web or email,” according to David. “Training and educating a workforce is an initiative that should be built into any robust cyber security plan. Ensuring that every employee, not just IT and Cybersecurity professionals, is well versed in recognizing suspicious activity and knows how to report incidents properly can mean the difference between letting an attacker in and stopping an attacker in their tracks.”

David pointed out that the core of the National Cybersecurity Strategy is looking to rebalance the responsibility of defending cyberspace. “We must let manufacturing and industrial companies focus on what they do best, and on the specialized needs of each individual OT/ICS environment in order to build a tailored defensive posture specific to that environment,” he added.

In its ‘Strategic Objective 1.5: Modernize Federal Defense,’ the National Cybersecurity Strategy said that ‘The Federal Government requires secure and resilient information, communications, and operational technology and services to perform its duties.’ The experts shed light on whether these measures are sufficient to stem growing cybersecurity threats and attacks against OT/ICS environments.

Kotler flagged that Strategic Objective 1.5 looks to push the modernization of legacy OT/ICS environments. “Specifically, modernize those systems that are not defensible against modern cybersecurity threats. It is important to note that this initiative is expected to be implemented over multiple years. This is an important move in that the Administration is recognizing that legacy OT/ICS systems need to be upgraded to support zero trust architecture (ZTA) and multifactor authentication (MFA).” 

While gauging whether these measures are sufficient, Kotler said that these two measures are certainly a move in the right direction. “The initiative to modernize also ties to other strategic initiatives in this document that further address the growing cybersecurity threat ecosystem. The Administration also recognizes that some legacy systems will not be easily modernized within a decade and that it must find additional ways to mitigate the risks to these systems.”

Arutyunov pointed out that this directive clarifies that OT security is an integral part of the federal government’s cybersecurity strategy. “Previous efforts focused on IT critical infrastructure, not OT critical infrastructure. Furthermore, the directive zooms in on zero trust architecture specifically meant for OT critical infrastructure. This is an important and significant step forward.” 

He added that OT security and zero trust are only part of what’s required. “The people, processes, and tools also drive convergence and eliminate complexities. Today’s OT/ICS environments are victims of complexities associated with disjoint security solutions. A unified approach is required instead.”

Rivera said that while it is incredibly challenging to get right, the design, build, and implementation of a zero-trust architecture is commendable and one of the most ardent vehicles of a true defense-in-depth approach. When done correctly, it can significantly reduce the potential and likelihood of security incidents.

“The challenge is that zero trust is a journey, and while undertaking that journey, threat actors and their arsenal of weapons keep changing. The evolving threat landscape and proliferation of ransomware and commodity malware may be more likely to impact an ICS/OT environment than novel malware focused on ICS/OT systems,” according to Rivera. “So while the objective of 1.5 is essential, I don’t think it will be the thing that defense teams thank themselves for at a day-to-day defensive security level now.”

But he cautioned that five to 10 years from now the zero-trust, defense-in-depth approach is likely to pay dividends. “It’ll just depend on how many exceptions or concessions were made during implementation,” Rivera added.

Yeroslav said that these measures are definitely a strong first step in the right direction that, when accomplished, will create an overall more inhospitable environment for attackers than they find today.

“A robust defensive cybersecurity posture is multi-layered and complex. Bringing that complexity out of the individual organization or agency to the national stage, and creating a complex nationwide defense against threat actors, comprised of numerous defensive layers, probably won’t stem growing cybersecurity threats, but it does bring the whole country to a state of high alert and preparedness in the case of an eventual attack,” Yeroslav pointed out.

That said, by itself, upping security in the federal domain will not bring the required resiliency to OT/ICS networks, Yeroslav assesses. “Sector-specific rules and regulations must be developed to meet the particular threats and challenges unique to this sector, including the inherent prevalence of legacy systems, the requirement for zero-downtime operational continuity, and the routine interface with global supply-chains.”

Strategic Objective 5.5 of the National Cybersecurity Strategy covers ‘Secure global supply chains for information, communications, and operational technology products and services.’ The experts estimate the role that the focus on the supply chain has brought to the OT and ICS environments. They also look into how capable industrial organizations are of adhering to SBOMs, in light of the legacy systems and outdated software that operate within such infrastructures.

Industrial organizations that fail to adhere to SBOMs may find themselves being edged out by competitors that do, according to Kotler. “In this, the Administration is signaling to organizations with legacy systems that they must adapt and address the technical debt by modernizing their legacy systems and updating the software within their infrastructure. The Administration is expecting to balance this requirement throughout the entire supply chain. This may, in turn, provide organizations with the leverage they need to address issues in their legacy systems and outdated software components,” he added.

Arutyunov said that regarding supply chains, the ‘elephant in the room’ is that every OT organization has tens or hundreds of partners and vendors that help deliver services. “The supply chain is quite long. All these entities have remote access and often on-site access to the OT environment. Organizations face significant challenges in managing this access securely, as poorly managed access is the number one attack vector for supply chain-based attacks. I believe modernizing access controls will have a much more significant impact on securing OT operations. A zero trust approach is needed.”

He pointed out that “contrary to the directive, replacing legacy systems isn’t necessary to achieve zero trust. In fact, if we delay the implementation of zero trust in OT due to the time required to update legacy systems, we will be living with the risk for a very long time. Xage delivers zero-trust access to any asset, legacy or new, today.”

“SBOMs are just one aspect of the supply chain that has received a lot of attention lately,” according to Arutyunov. “We are hearing from our customers that they are not well-positioned to access the SBOMs for their products, especially when it comes to legacy products. Vendors are much better positioned to assess supply chain risks related to their products and provide actionable guidance to organizations.”

Securing the global supply chain could be a worthy goal for the federal government – but probably not an appropriate one for the OT/ICS industry itself, Yeroslav highlighted.

“In our view, OT/ICS is a prime example of a sector that must adopt a zero-trust approach on all levels, regardless of any risk minimization applied towards the supply chain. In fact, the heavy and continuous reliance on the third-party servicing of a wide variety of operational units, including by foreign manufacturers, makes the task of monitoring and controlling the security practices of supply chain partners by the OT/ICS industry a near impossibility,” Yeroslav said.

The zero-trust approach, increasingly promoted in several recent national guidelines, effectively ensures the continuing integrity of OT systems because rather than trying to establish trust, it aims to bring defenses as close to the target networks as possible, establishing protective insulation and isolation through segmentation, minimizing permission policies, and the application of high-grade content filtering (such as CDR) to all incoming and outgoing data routes, according to Yeroslav. “Focusing efforts on prevention and protection, rather than trying to control troves of supply chain actors could free up resources towards the further development and customization of dedicated network defense envelopes that surround critical operational systems, be they legacy or other.”

“Supply chain security and risk management is a near and dear concept to anyone working in ICS/OT environments,” Rivera said. “The past few years of global dynamics have shown how vulnerable the inbound and outbound supply chains are, independent of cybersecurity risks. So any additional focus on supply chain strengths and weaknesses in ICS/OT environments is welcomed.”

To that end, the introduction and acceptance of SBOMs are very feasible, both for asset owners and OEMs, according to Rivera. “But the actual adoption of SBOM as a principle will bring more work to develop or triage them, and the likely need of an organizational or programmatic approach.”

“One of the biggest challenges with SBOMs is what to do with it and the vulnerabilities that it reveals,” according to Rivera. “Some organizations will completely shun SBOMs because of this, while others will welcome the vulnerability knowledge and do little about it, while others welcome and are wholly focused on a programmatic approach to vulnerability management in their CI/CD pipeline.”
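Rivera’s point that the hard part of an SBOM is what to do with the vulnerabilities it reveals is easier to see with a concrete triage step. The following is an added example written for this article, not code from any of the vendors or the Strategy itself: it ingests a constructed CycloneDX-style SBOM for a fictional OT gateway, correlates each component with a constructed advisory list (the advisory identifiers are placeholders, not real CVEs), ranks the hits by severity, and, importantly for legacy equipment, reports components that carry no version string as unassessed instead of silently treating them as clean.

```python
import json

# Constructed minimal CycloneDX-style SBOM for a fictional OT gateway (not a real product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2u"},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
        {"type": "library", "name": "libmodbus", "version": "3.0.6"},
        # No version at all: common for legacy firmware and the case triage must not ignore.
        {"type": "firmware", "name": "legacy-plc-runtime"},
    ],
})

# Constructed advisory feed with placeholder identifiers. A real programme would pull
# these from NVD, OSV or vendor advisories; the "fixed_in" values here are invented.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "openssl", "fixed_in": "1.1.1", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-2", "component": "libmodbus", "fixed_in": "3.1.7", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-3", "component": "zlib", "fixed_in": "1.2.12", "severity": "high"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text):
    """Turn '1.0.2u' into a comparable tuple: each dotted piece becomes (int, trailing letters)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        letters = piece[len(digits):]
        parts.append((int(digits) if digits else 0, letters))
    return tuple(parts)


def is_affected(installed, fixed_in):
    """A component is affected when its installed version sorts strictly below the fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def triage_sbom(sbom_json, advisories):
    """Correlate SBOM components with advisories.

    Returns (findings, unassessed): findings sorted by severity then component name,
    and the names of components whose version is missing and need manual review.
    """
    sbom = json.loads(sbom_json)
    findings, unassessed = [], []
    for comp in sbom.get("components", []):
        version = comp.get("version")
        if not version:
            unassessed.append(comp["name"])
            continue
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(version, adv["fixed_in"]):
                findings.append({
                    "component": comp["name"],
                    "installed": version,
                    "fixed_in": adv["fixed_in"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["component"]))
    return findings, unassessed


if __name__ == "__main__":
    hits, unknown = triage_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in hits:
        print(f"{f['severity']:8} {f['component']} {f['installed']} -> fix in {f['fixed_in']} ({f['advisory']})")
    for name in unknown:
        print(f"UNASSESSED {name}: no version in SBOM, needs manual review")
```

The version comparison is deliberately simple (dotted numbers with an optional letter suffix, as in old OpenSSL releases); real feeds use ranges and ecosystem-specific schemes, which is exactly the "programmatic approach" Rivera refers to. The unassessed list is the output an OT team should watch most closely, since it is where legacy gear tends to land.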

The National Cybersecurity Strategy document is also set to realign incentives to favor long-term investments. The executives determine how the OT environment will handle the upgrade, what changes will result, and whether there will be any downtime.

With this direction, Kotler feels that the administration is truly recognizing that the effort of leveling up the cybersecurity of OT environments will take time and that the operators of these environments need to make these long-term investments rather than opt for short-term patches and practices that do not address the underlying risk. 

“By recognizing this is a long-term journey, the administration is facilitating the work that needs to be done,” he added. “At the same time, we must recognize that no one Objective in this Strategy document stands alone. Rather, these Strategic Objectives are developed to support the implementation of other Objectives throughout the five Strategic Pillars.”

“OT environments favor long-term investments as their systems are designed to last more than 20 years in many cases. A complete overhaul of products and systems does not guarantee better security, as even most modern systems have major security flaws,” Xage’s Arutyunov said. “Instead, incentives should be aligned with long-term investments to a flexible security architecture that is able to preserve investments and adapt to a changing attack landscape. Today, solutions exist that protect against attacks, prevent them in the first place, and enable quick response and mitigation without requiring ‘rip and replace’ strategies,” he added.

The realignment to long-term investments will allow the OT/ICS environment to focus more on the core functions of the environment rather than establishing cybersecurity basics, Yeroslav said. “The goal here is not to change the OT/ICS network to add inherent security features; the goal is to build a vault around these environments to protect them and allow them to perform the functions they were designed to do. This can translate to little or no downtime for the OT/ICS environment, given that there is no integrated impact, just a peripheral impact on the systems protecting the OT/ICS environment.”

Yeroslav added that long-term investment will require the stewards of these systems to vet properly and choose agile technologies adaptable to the growing creativity, complexity, and aggression from malicious actors. “In selecting the right technologies, each OT/ICS system will be building a tailored approach to its specific needs, which can also adapt to those needs in the long term.”

“The challenge with patching and maintenance in ICS/OT environments is very well known. These machines can be old, one of a kind, proprietary, or completely disconnected from networks,” Rivera said. “Any changes being introduced need to be thoroughly discussed, understood, agreed to, and planned accordingly. But because some security objectives may not require a disruptive change, the strategy for new technology or process investments just needs to prioritize and account for both the low-hanging fruit and that one-of-a-kind machine.” 

There’s simply no silver bullet for securing these environments with zero chance of impact or a need for downtime, Rivera concluded.
