CISA Cybersecurity Advisory Committee meets, as OT, control systems security take a backseat

The Cybersecurity and Infrastructure Security Agency (CISA) held its second Cybersecurity Advisory Committee meeting last week. The subcommittee chairs provided an update on the progress being made on key objectives outlined by the director during the Committee’s inaugural meeting last December. The subcommittees have focused primarily on IT network considerations, on the assumption that the resulting decisions would apply to operational technology (OT) and control systems as well.

“I was thrilled to host CISA’s Cybersecurity Advisory Committee today and hear about the ongoing work of the six subcommittees,” Jen Easterly, CISA director, said in a media statement. “The Committee has truly hit the ground running in scoping key areas of focus to help support our evolution as the nation’s cyber defense agency. I look forward to our next meeting in June where we’ll begin to get a sense of key deliverables.”

The Cybersecurity Advisory Committee consists of a diverse slate of leaders from across industry, academia, and government, who provide recommendations on the development and refinement of CISA’s cybersecurity programs and policies. The mission of the Committee is to advise, consult with, report to, and make recommendations to CISA on the development, refinement, and implementation of policies, programs, planning, and training pertaining to the agency’s cybersecurity mission.

Commenting on the CISA Cybersecurity Advisory Committee meeting, cybersecurity expert Joe Weiss said that process sensors and OT networks are used in every physical infrastructure. “Securing OT networks is necessary but it’s not sufficient. Compromising process sensors can damage any process, yet neither the sensor compromise nor the system damage may be identifiable by the OT networks,” Weiss wrote in a blog post on Sunday.

“For IT and OT networks, network security is necessary and sufficient; the discussions were relevant. However, for control systems, network security is necessary but NOT sufficient,” according to Weiss. “This is because control system devices often have lesser communication and security capabilities than IT and OT network technologies and it is those limitations that are not being addressed,” he added. 

The process sensor processor issue is a good example, Weiss pointed out. “Because process sensors are used in every sector, these deficiencies can affect our entire economy,” he added. 

Moreover, IT network security policies based on the ISO27000 standards are not directly applicable to many control system applications, Weiss said. “Consequently, the International Society of Automation (ISA) has been developing the ISA62443 suite of Industrial Automation and Control Systems (IACS) cyber security standards. These standards are now ‘horizontal standards’ meaning they are applicable to all sectors. Without the detailed understanding of control system device limitations, it is not possible to know if the Committee’s recommendations apply to control system devices or could possibly do harm such as with process sensors,” he added.

The Cybersecurity Advisory Committee members provided updates on the work of the subcommittees. The ‘Transforming the Cyber Workforce Subcommittee’ focuses on “building a comprehensive strategy to identify – and develop – the best pipelines for talent, expand all forms of diversity, and develop retention efforts to keep our best people,” Ron Green, chief security officer at Mastercard, said. “During today’s meeting, the subcommittee chair discussed how they are identifying ways to fill existing vacancies and to reduce bureaucratic barriers that impede rapid recruitment and onboarding,” Green added.

The ‘Turning the Corner on Cyber Hygiene Subcommittee’ is helping the Committee “think through and execute a holistic, scaled approach to ensure that all organizations – public or private, large or small – have the information and resources needed to implement essential security practices,” George Stathakopoulos, vice president of corporate information security at Apple, said. “During today’s meeting the subcommittee chair outlined efforts to date, including establishing a national call to action for broader adoption of basic cybersecurity practices, including multi-factor authentication (MFA), supply chain assessment and evaluations, patching known vulnerabilities, and establishing incident response plans,” Stathakopoulos added.

The ‘Technical Advisory Council’ is helping further catalyze CISA’s relationship with the technical community to shift the balance in favor of network defenders. “During today’s meeting, the subcommittee chair provided an update on a range of initiatives on expanding collaboration with the technical community, including hackers, academics, and researchers,” said Jeff Moss, founder and president of DEFCON Communications. The chair also discussed potential programs that would bring members of the technical and research community into government service for a period of time to actively participate as a member of CISA’s operational teams, Moss added.

The ‘Protecting Critical Infrastructure from Mis- Dis- and Mal-information (MDM) Subcommittee’ is evaluating and providing recommendations on CISA’s role in confronting MDM harmful to critical infrastructure, in particular election infrastructure, said Dr. Kate Starbird, Associate Professor, Human-Centered Design & Engineering, University of Washington. “During today’s meeting the subcommittee chair discussed strategies to combat MDM, to include relevant data sets and messaging strategies,” Starbird added.

In February, CISA provided critical infrastructure owners and operators with a threat overview of malicious hackers using influence operations, including tactics such as MDM, to shape public opinion, undermine trust, amplify division, and sow discord. The move came following the Russia-Ukraine geopolitical turmoil.

The ‘Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee’ is helping CISA determine how best to drive national risk management and identify the criteria for a scalable, analytic model to guide risk prioritization, Thomas Fanning, chairman, president and CEO at Southern Company, said. “During today’s meeting, the subcommittee chair discussed how they are scoping the best frameworks to collaborate with industry to identify systemic risks across National Critical Functions,” Fanning added.

The ‘Strategic Communications Subcommittee’ is focused on expanding CISA’s reach with critical partners to help build a national culture of cyber resilience, said Niloofar Razi Howe, senior operating partner at Energy Impact Partners. “During today’s meeting, the subcommittee chair highlighted how they are identifying any gaps that exist with respect to stakeholder perception, communication, partnership, and engagement and how best to communicate CISA’s longer-term vision, mission, and strategy to all stakeholders, including the general public,” Howe added.

The next meeting will be held in person on June 22 this year in Austin, Texas.
