The U.S. government identifies 16 sectors as critical infrastructure, but inconsistent regulations and management leave many sectors lacking security.
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) lists the 16 critical infrastructure sectors on its website, and of those, only three -- energy, government and nuclear -- are under regulations mandating that security requirements be mapped to all five sections of the NIST Cybersecurity Framework (CSF). The health sector has HIPAA requirements, which map to the Protect section of the CSF, and the water sector has requirements that map how to Identify and Respond to cybersecurity incidents based on CSF guidelines.
At least one expert believes the risks could be exacerbated because of the interconnected nature of the sectors. Steven Briggs, senior program manager at Tennessee Valley Authority, spoke on the state of critical infrastructure cybersecurity at the virtual CircleCityCon, a security conference normally held in Indianapolis, and discussed his research with SearchSecurity. Briggs said one problem is that cybersecurity rules have historically been reactionary: For those critical infrastructure verticals that do have security requirements, the genesis of those regulations can be traced to specific events. For example, the 2003 blackout in New York City led to the North American Electric Reliability Corporation Critical Infrastructure Protection regulation of the electric sector, while Stuxnet and the Fukushima disaster each played a part in the development of cybersecurity requirements for the nuclear sector.
Other verticals have little to no requirements, Briggs said. Instead the government relies on a voluntary adoption process for critical infrastructure security, which means it becomes a cost-benefit analysis that makes it less likely organizations will "voluntarily protect their systems."
"The U.S. government does not treat all critical infrastructure the same," Briggs said. "The electric sector and nuclear generation are heavily regulated, while the majority of other critical infrastructure that could have just as devastating impacts on American lives have little to no cybersecurity requirements."
Briggs suggested the critical infrastructure sectors that are not bound to security requirements should at least be following the NIST CSF and not wait for government regulation to standardize a security framework.
Once critical infrastructure sectors are measuring themselves the same way, the assessments should be shared with government oversight groups. Briggs said this would give the government a more accurate picture of the security controls in place so policies can be designed to address real needs.
The Mitre ATT&CK and the Mitre ATT&CK for Industrial Control Systems frameworks are "great to model your controls framework against and ensure that the risks they describe are accounted for," Briggs said. However, the specific recommendations listed in the NIST CSF include the necessary detail to allow a company to implement a governing policy.
Once policies are in place, Briggs said cooperation and collaboration are key to security. He said big companies need to provide cybersecurity advice for the smaller ones, and all companies should be collaborating across sectors.
"Ask for help, and collaborate with others in their vertical and other verticals," Briggs said. "Everyone that I have worked with is always open to sharing information, ideas or advice."
Critical infrastructure security reporting
Beyond the lack of security requirements, Briggs said the management and reporting structure of critical infrastructure sectors is confusing at best. Sectors are separated and overseen by different government agencies, and even sectors that report to the same agency, like DHS, likely report to different people.
This separation of reporting leads to another troubling issue: Most critical infrastructure companies don't know where to report cybercrimes.
"The majority of these cybercrimes are not going to get reported because they don't have to be," Briggs said. "They are also negatively perceived as a weakness for the company."
Cyber attacks going unreported in a normal enterprise have substantial consequences, Briggs added, but cyber attacks against critical infrastructure could end up killing people.
"When a hospital is hit with ransomware and it delays a nurse or doctor a minute from saving someone's life, then that patient has been murdered by the cyber attacker," Briggs said. "These companies need to help lawmakers understand that picture and encourage sound legislation to hold cybercriminals accountable."
This separation also makes it more difficult for the government to design a strategy to secure critical infrastructure, despite the different sectors having operations that are closely tied together. For example, Briggs noted the IT sector covers organizations and companies producing hardware, software, IT systems and services, but the internet -- which relies on those technologies -- is included in the communications sector. Additionally, all services are reliant on the emergency services and water sectors in the case of a fire.
"You can't have IT without power. You can't have power without water. You can't have water without power," Briggs said. "If any one of these other critical infrastructure sectors is impacted, there will be significant impacts or operational risk to the others."
The interconnected nature of critical infrastructure not only makes the lack of regulations puzzling, but can lead to cascading effects after an attack. If the electrical grid is targeted, the impact will not be limited to the electric sector, nor would the effects of an attack on the internet be limited to the communications sector.
However, Briggs said efforts are underway to centralize a lot of the governance and guidance under the DHS CISA group.
"I believe this group, in coordination with NIST, would be able to establish a central critical infrastructure security framework and have the oversight, execution and support capabilities to aid the critical infrastructure sector organizations through its implementation and updating," Briggs said.