The government is an important partner in securing operational technology environments and protecting critical infrastructure, but operators often worry about government overreach. At the PAS OptICS 2020 conference this month, security experts explored the role of government in OT cybersecurity and how government can help without overstepping.
“One of the specific roles of government is to provide for the common defense of its people,” said Chris Lyden, a retired executive with Schneider Electric. “In that context, given that much of the concerns we have in the cyber world today originate with hostile nation states, there’s a significant role that government intelligence organizations can play to help us anticipate and perhaps preemptively stop attacks, incursions, and various problems before they actually become real.”
Over the last year, the U.S. National Security Agency and Cybersecurity and Infrastructure Security Agency have played a critical role in highlighting the current threats the agency has observed. The agencies have also collaborated on cybersecurity issues and shared information about how to best secure National Security Systems, Department of Defense systems, and the Defense Industrial Base as well as other critical infrastructure, against foreign threats.
“What we’re starting to see a lot more of is the federal government in the U.S. is much more active in the investigation side of things,” said Jason A Haward-Grau, advisory managing director of cyber security Services for KPMG in the U.S. “We’re seeing much more collaboration and communication which is crucially important in terms of dealing with advanced threats. OT as we all know is a much more target rich environment than we’d ever want it to be…We’re engaging both with the FBI and others to truly understand the nature of the persistent threat and that makes a massive difference because the U.S. is protected far more effectively with collaboration.”
Kate Fazzini, CEO of Flore Albo, a strategic cybersecurity communications firm, believes that this collaboration and particularly information sharing is a major element of the role of government in OT cybersecurity. Though, she said such information sharing isn’t always easily accomplished.
“One of the things I think is a key government role is making sure information is shared,” Fazzini said. “The intelligence agencies have had a very difficult time with this sometimes because of the way they over classify certain information…. It makes it very difficult for them to share that information with the private sector in a timely fashion. And certainly that information isn’t getting to the second layer outside of those cybersecurity specialists and the employees themselves to stop what’s happening or change what they’re doing in order for things to work a little bit better. I do believe the government creating better ways to communicate with the private sector is one thing they can do a little better.”
Nick Cappi, PAS vice president of product management and technical support, points to the North American Electric Reliability Corporation and Federal Energy Regulatory Commission’s critical infrastructure protection cybersecurity reliability standards as an example of something the government has done right.
“I think there’s a good blueprint out there for how industry and government can work together,” Cappi said. “I think the involvement of industry and government together to drive the direction is critical.”
He also highlighted the National Institute of Standards and Technology and National Vulnerability Database as positive efforts. Moving forward, he said collaboration between the government and private sector will be key.
“There’s a fear when the government gets involved that the cost to implement is going to be astronomical and unattainable, it’s going to hurt profitability,” Cappi said. “So as the government gets involved in these situations and helps define regulations and requirements, we have to involve the owner operators in that process to make sure the things being put in place, the regulations, are in line with the risk and importance of those assets.”