As stakeholders work to shape a new cybersecurity framework for critical infrastructure, they highlight some options and the challenges inherent in devising such standards.
What can be done to reduce the cyber risk to the U.S. infrastructure, and is it possible to establish a reasonable cybersecurity framework that will be detailed enough to be useful and general enough to work across sectors and across time as threats evolve? That’s the challenge facing the National Institute of Standards and Technology (NIST), which is the body in charge of implementing the President’s February 12 Executive Order on Critical Infrastructure Cybersecurity.
To work toward that goal, NIST asked for industry comments. Nearly 250 [updated after 2nd workshop: final count was 243] commentators, including those representing single companies and those representing sectors, responded to NIST’s request. Their suggestions will serve as the raw material from which the framework will be constructed.
Some commentators pointed out the limitations of any effort. The Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), for example, noted that “given realistic resources, vulnerability reduction alone cannot reduce aggregate risk to an acceptable level at any point in the foreseeable future.” Moreover, it noted that known attacks against critical infrastructure have employed zero-day attacks—exploiting vulnerabilities not previously known. Thus, it writes in its NIST comment letter, those attacks “would have been successful even if all known vulnerabilities to the target systems had been remediated.”
ICS-ISAC also notes the challenges unique to utilities: “Methods as basic as the application of software patches become extremely problematic in ICS environments where the consequence of such a patch causing a fault may be higher and more likely [to occur] than the problem fixed by the patch, or where no ‘off hours’ window of opportunity to apply such patches presents itself.”
In response to a question about which cybersecurity practices present the most significant implementation challenges, the National Grid, an international electric and natural gas company, wrote that since many utilities have legacy systems that weren’t built with those security practices in mind, even something as basic as user identification and authorization can be difficult to implement, as can incident monitoring and detection. And the challenge of implementing encryption and key management is “significant.”
That doesn’t mean nothing can be done, however. In fact, notes ICS-ISAC, utility systems may be easier than other systems to monitor for abnormal conditions because changes are rare and controlled. Network traffic for these entities follows predictable cycles “explicitly known to system designers and operators.” Moreover, it explains, whether the industrial control system is for “manufacturing, energy, transportation, water, or other sector-specific area, the operational process in place has been designed with the singular attention to continuous awareness of the state of the physical process.”
That means that existing situational awareness technologies likely could be used to detect attack attempts with “less customization and operational attention in ICS environments than in IT.”
The key would be an accurate inventory of software and hardware and an initial baseline of normal activity to lay the groundwork for detecting divergence from the norm. This might be achieved via a “mirroring” process to avoid any potential impact with actual operations, states ICS-ISAC.
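The inventory-plus-baseline approach ICS-ISAC sketches can be made concrete. The following is an added example, not code from the article or from ICS-ISAC: it keeps an inventory of known hosts, learns a baseline of normal conversations and polling intervals from a mirrored (SPAN/TAP) copy of the traffic, so capture never touches the live control path, and then flags hosts, conversations, function codes or timing that diverge from that baseline. The host names, addresses and flow records are all constructed for the example.

```python
"""Baseline-and-divergence detection over mirrored ICS traffic.

Added example; not code from the article or from ICS-ISAC. It models the
approach the comment letter describes: keep an inventory of the hosts that
are supposed to exist, learn a baseline of normal conversations from a
mirrored (SPAN/TAP) copy of the traffic, then flag anything that diverges.
Host names, addresses and flow records are all constructed for the example.
"""
from collections import defaultdict
from statistics import mean

# Constructed asset inventory: the hosts operators know about.
INVENTORY = {"10.1.0.10": "hmi-1", "10.1.1.20": "plc-pump-a", "10.1.1.21": "plc-pump-b"}

# Constructed flow records taken from a mirror port, so capture never touches
# the live control path: (seconds, src, dst, dst_port, modbus_function_code).
# The normal cycle is the HMI polling each PLC every 2 s with function 3
# (Read Holding Registers).
BASELINE_FLOWS = [
    (t, "10.1.0.10", plc, 502, 3)
    for t in range(0, 60, 2)
    for plc in ("10.1.1.20", "10.1.1.21")
]


def learn_baseline(flows):
    """Map each (src, dst, port, function) conversation to its mean polling interval."""
    times = defaultdict(list)
    for t, src, dst, port, func in sorted(flows):
        times[(src, dst, port, func)].append(t)
    baseline = {}
    for key, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        baseline[key] = mean(gaps) if gaps else None
    return baseline


def detect(flows, baseline, inventory, tolerance=0.5):
    """Return (time, kind, detail...) alerts for traffic that diverges from the baseline.

    tolerance is the fraction of the expected interval a poll may drift before
    it is reported; ICS polling is regular enough that 50% is a loose bound.
    """
    alerts = []
    known_conversations = {(s, d, p) for s, d, p, _ in baseline}
    last_seen = {}
    for t, src, dst, port, func in sorted(flows):
        unknown = [h for h in (src, dst) if h not in inventory]
        if unknown:
            alerts.append((t, "unknown-host", unknown[0]))
            continue  # an uninventoried host is the finding; don't double-report it
        key = (src, dst, port, func)
        if key not in baseline:
            kind = "new-function-code" if (src, dst, port) in known_conversations else "new-conversation"
            alerts.append((t, kind, key))
            continue
        expected = baseline[key]
        prev = last_seen.get(key)
        if expected and prev is not None and abs((t - prev) - expected) > tolerance * expected:
            alerts.append((t, "timing-deviation", key, t - prev))
        last_seen[key] = t
    return alerts


# Constructed "live" capture: the normal cycle plus three divergences.
OBSERVED_FLOWS = BASELINE_FLOWS + [
    (31, "10.1.0.99", "10.1.1.20", 502, 3),    # uninventoried laptop reading registers
    (33, "10.1.0.10", "10.1.1.20", 502, 16),   # HMI writing registers (function 16), never seen in baseline
    (40.5, "10.1.0.10", "10.1.1.20", 502, 3),  # an extra poll only 0.5 s after the scheduled one
]


def run_example():
    return detect(OBSERVED_FLOWS, learn_baseline(BASELINE_FLOWS), INVENTORY)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The three injected flows produce one alert each: an unknown host, a write function code the baseline never contained, and a poll that arrived far off its cadence. The same code run over the baseline capture alone produces no alerts, which is the property the letter relies on when it says ICS traffic needs less tuning than IT traffic.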
In addition to monitoring for abnormalities within a discrete system, the framework should seek to facilitate improved situational awareness about the “aggregate state of national infrastructure,” notes ICS-ISAC. Like many others, it notes that no current means exists for stakeholders to know if there is an active attack underway anywhere in the infrastructure, which might serve as an early warning to others. In this regard, ICS-ISAC makes an interesting point not often raised in connection with information sharing: It can’t rely on human-to-human efforts alone.
For information sharing to be a truly functional component of any cybersecurity program, states ICS-ISAC, the “infrastructure itself must become significantly more autonomous and connected, increasing its ability to detect and respond to threats at a speed and with a reliability that will rapidly become beyond human operators’ capability.”
The National Grid also addresses the need for more automated information sharing. And while commentators generally want the framework to avoid being too prescriptive, when it comes to information sharing, the National Grid says that “explicit standards are required.... If done properly, these standards will enable industry participants as well as system vendors to create compliant solutions for information sharing.” For example, the National Grid writes, “Firewalls, IDS/IPS systems, log collectors, applications, and operating systems could have reporting modules that would send encrypted anonymous log data to a centralized clearinghouse for data mining and evaluation.” But it notes in its NIST comments that “the framework must take special precautions to protect the anonymity of participants and their customers.”
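What such a reporting module would have to do to the data before it leaves the utility is shown below. This is an added example, not code from the article or from National Grid: it takes a firewall log line, drops the sensor name, coarsens the timestamp, replaces the participant's identity, its internal addresses and its customer account with keyed pseudonyms, and keeps external addresses only to /24. Transport encryption is left to the sender and not shown. The log line, the secret, the participant name and the internal address range are all constructed.

```python
"""Anonymizing a security event before it is shared with a clearinghouse.

Added example; not code from the article or from National Grid. It shows
one way a reporting module could strip the identity of the participant and
its customers from a firewall log line before the record is encrypted and
sent (transport encryption is left to the sender and is not shown here).
The log line, secret, participant name and address ranges are constructed.
"""
import hashlib
import hmac
import ipaddress
import json
import re

# Constructed per-participant secret, held only by the utility. A keyed
# pseudonym lets the clearinghouse correlate a source's reports over time
# without learning who it is; an unkeyed hash of a short name could be
# reversed by guessing.
PARTICIPANT_SECRET = b"constructed-secret-do-not-reuse"
PARTICIPANT_NAME = "example-utility"

# Constructed: the participant's own address space. Internal addresses reveal
# network layout and are replaced by pseudonyms; external ones are kept only
# to /24, which is still useful for correlating attacker infrastructure.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed firewall log line of the sort a reporting module would consume.
LOG_LINE = ("2013-05-21T10:42:07Z fw01 DENY src=198.51.100.23 dst=10.20.30.40 "
            "dport=502 proto=tcp customer=acct-00918823")

FIELD = re.compile(r"(\w+)=(\S+)")


def pseudonym(value, secret=PARTICIPANT_SECRET):
    """Stable keyed pseudonym: same input gives the same token, but only under this key."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:16]


def generalize_ip(ip):
    """Pseudonymize internal addresses; truncate external ones to their /24."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return pseudonym(ip)
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def anonymize(line):
    """Turn a raw log line into the record that leaves the organisation."""
    ts, _sensor, action, rest = line.split(" ", 3)  # sensor name is dropped entirely
    fields = dict(FIELD.findall(rest))
    return {
        "participant": pseudonym(PARTICIPANT_NAME),
        "hour": ts[:13] + ":00:00Z",  # coarse timestamp; exact detection time is not needed
        "action": action,
        "src": generalize_ip(fields["src"]),
        "dst": generalize_ip(fields["dst"]),
        "dport": int(fields["dport"]),
        "proto": fields["proto"],
        "customer": pseudonym(fields["customer"]),
    }


def leaks(record, line):
    """Identifiers from the raw line that survive verbatim in the shared record."""
    _ts, sensor, _action, rest = line.split(" ", 3)
    fields = dict(FIELD.findall(rest))
    blob = json.dumps(record)
    identifiers = [PARTICIPANT_NAME, sensor, fields["src"], fields["dst"], fields["customer"]]
    return [v for v in identifiers if v in blob]


if __name__ == "__main__":
    record = anonymize(LOG_LINE)
    print(json.dumps(record, indent=2))
    print("leaked identifiers:", leaks(record, LOG_LINE))
```

The `leaks` check is the part worth keeping in a real module: it is cheap to run on every outbound record and catches the case where a new log field carrying a customer identifier is added and passed through untouched. Note that pseudonymization only hides identity from the clearinghouse; the secret must stay with the participant, and rotating it breaks correlation across the rotation, which is a deliberate trade-off.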
As to the challenge of creating a framework that can be applied across sectors, the National Grid has an interesting proposal that might be called a Lego system. It suggests “the development of a list of snap-in or a la carte standards [relevant to specific technologies, such as supervisory control and data acquisition (SCADA) systems].... Industry participants can choose to integrate each standard into their framework....” And vendors could get certified showing that they meet the standard, so then an entity with a SCADA system could simply make sure that it used a certified vendor.
ICS-ISAC would like to see this level of automation go one step further so that not only do systems self-diagnose and self-report, they self-heal, mimicking the human immune system.
The framework must also take care not to be too myopic in its view of what constitutes a cyber risk, writes the National Association of Regulatory Utility Commissioners (NARUC). “Cybersecurity must encompass not only utility-owned systems, but some aspects of customer and third party components that interact with the grid, such as advanced meters and devices behind the meter,” it notes. Moreover, the framework should recognize that it’s not only about avoiding malicious attacks. “Cybersecurity must protect against inadvertent sources—user errors (including accidents), hardware failure, software bugs, operator error or plain negligence—as well as intentional attacks,” it writes, adding that natural disasters have to be factored in as well, because “a flooded server room cannot provide service any better than one flooded with data traffic from a denial of service attack.”
NARUC further notes that cybersecurity efforts have typically focused on business process systems, basically IT networks and systems, but these are very different in nature from utility SCADA control systems. For example, SCADA systems “have much longer deployment lifetimes with much rarer software updates and much scarcer physical security measures.”
But NARUC also notes that owners and operators of these systems have “not been sitting idly by....” For example, the North American Electric Reliability Corporation (NERC), which spearheads industry standard-setting efforts, has already issued some cybersecurity standards, which are still evolving, and NARUC itself issued a cybersecurity primer as a guide for utilities last year.
As for what basic concepts NARUC would like NIST to keep in mind as it shapes the framework, these include defense-in-depth principles and the importance of resilience as well as the importance of the human factor. In terms of ensuring compliance, NARUC notes that regulators don’t have to become IT experts, but they do have to know enough to be able to ask “smart cybersecurity questions of utilities.”
NIST will have held two workshops by June. The first simply set the stage; the second was planned for late May (after press time) and was to be focused on examining all of the submitted industry comments, with the goal of beginning to cull ideas for the framework; there will be several more workshops before a first draft is issued for comment in October.
As critical infrastructure operators wait for the framework to take shape, they should not take the view that the threat is too complex to address. As White House Cybersecurity Coordinator Michael Daniel noted in the first NIST workshop in April, 90 percent of the data breaches that do occur turn out to be caused by known vulnerabilities that could have been avoided with simple security measures. Michael Arceneaux, managing director of the Water ISAC, seconded that, noting, “Basic hygiene would take care of a lot of the cybersecurity gaps in the water sector.”