Will CISA's Cybersecurity Performance Goals Make A Difference?
Dale Peterson
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
President Biden's National Security Memo in July 2021 required DHS to issue Cross Sector Cybersecurity Performance Goals (CPG), and CISA Director Easterly has said this is the main CISA document ICS asset owners should look at for guidance on what to do. The 37 CPG were released last week, and this checklist is the easiest way to view and track progress.
To their credit, CISA solicited and took in guidance from private industry, including input from those with OT experience. The CPG document contains additional explanations and potential variations for OT where the authors felt appropriate. There are even five performance goals that are OT specific (4.2 OT Cybersecurity Leadership, 4.4 OT Cybersecurity Training, 4.5 Improving IT and OT Cybersecurity Relationships, 5.5 Limit OT Connections to the Public Internet, and 8.1 Network Segmentation).
Where the CPG May Help
Small and medium size asset owners, such as a lot of municipal water, have a small IT security team that is now being asked to do OT as well. Some refer to these as the 'cyber poor'. Most of these are early in their ICS security journey and need to know what to do first. This document should help those asset owners.
The US NIST Cybersecurity Framework has 5 functions, 22 categories and 98 subcategories/security controls. The 37 performance goals span 33 NIST CSF subcategories. Reducing from 98 to 33 is some level of prioritization, and another way to view the CPG is as a NIST CSF target profile.
The document could have been more valuable to these smaller asset owners if it had been a shorter list, or if it had prioritized the 37 performance goals into 3 strata. I'm reminded of a large oil company whose security team started with a list of ~120 ICS security controls and failed, reduced it to ~30 security controls and failed, and then reduced it to 11 ICS security controls they applied globally and succeeded. They may have more than that now, but the key is to scope something that is achievable and get that early win.
2. Help Companies Of All Sizes In Sectors New To OT Security
There are some sectors, such as hospitals and some building automation functions, where even the larger companies could benefit from guidance on what to do first and assistance in getting budget approved to do this. A CISO can take the CPG worksheet to the CEO and Board and show deficiencies. It will be interesting to see if this helps drive budget in these lagging sectors.
3. Help Fight Off Hot Technology Solutions
Zero Trust, SBOM, Passive Detection, ... and other hot markets throw a lot of marketing dollars out to explain what these solutions do and why every asset owner needs them. This is not a knock against these vendors, but many asset owners' ICS security programs are not ready for these solutions. There are many better places for the cyber poor to put time and money to efficiently reduce risk.
The CPG can be used as a justification when the vendors' marketing dollars have convinced some executive or board member that the hot technology should be a priority. "Of course you are correct, Board Director; however, right now we are focused on meeting the CPG that DHS has said we should address first. And by the way, we could use some more budget, because look at this checklist of where we currently stand on the 37 performance goals that DHS says every company needs to address."
Where The CPG Won't Help
There is an important distinction between America's Critical Infrastructure and critical infrastructure in America. Every water treatment plant, power generation station, small pipeline, sluice gate, ... that serves even 100 people or less could be considered critical infrastructure in America. They deliver a critical product or service to some people in the United States.
This is different from America's Critical Infrastructure, which is the 100, 500, 1,000, or whatever number you pick, of the most important critical infrastructure systems to the country. Most important because of the large number of people they serve, or because they are a key facility important for serving or protecting a large number of people. Colonial Pipeline is one of America's critical infrastructure systems because it is needed to deliver about half of the gasoline and jet fuel to the Eastern US. The system that brings potable water to my house in Maui, which by the way was out for two months recently, is not America's Critical Infrastructure.
I was onstage in Miami Beach with large asset owner CISOs the week the CPG came out. Looking out at these highly skilled and experienced professionals, it was obvious they did not need the US Government to tell them they should change default passwords and network segment OT from IT. In fact, these CISOs are better informed about cyber risk in their environments than CISA. The CISOs' list of the 37 most important security activities would be somewhat different from, and more effective for their company than, the CPG's 37.
CISA's CPG actually created additional work with little value for America's Critical Infrastructure asset owners. If this list of CPGs takes hold (and there is reason to be skeptical about whether it will), then CEOs and Boards will be asking for regular reporting on where the company stands on the DHS CPGs.
2. America's Critical Infrastructure Cyber Risk
CISA's mission is:
"We lead the National effort to understand, manage, and reduce risk to our cyber and physical infrastructure."
This does not differentiate between infrastructure that is critical to the nation and any infrastructure in the nation. In a sense, the CPGs address CISA's mission. I'd contend the mission needs to be changed to "understand, manage, and reduce risk to America's Critical Infrastructure." The old saying applies: if everything is important, then nothing is important.
Since the CPGs do little to reduce cyber risk for America's Critical Infrastructure asset owners, it follows the CPGs do little to reduce America's Critical Infrastructure cyber risk.
3. Consequence Reduction
After some glimmers of light on the consequence side of the risk equation, with support for INL's Consequence-Driven, Cyber-Informed Engineering (CCE) and Dept of Energy's Cyber-Informed Engineering, the lack of performance goals strongly related to reducing the consequence of a successful cyber attack is a regrettable omission.
Most notable is the lack of a Recovery Time Objective (RTO) performance goal. Your ICS has been compromised and everything with an IP address is lost or not trusted. How fast does the ability to provide the product or service at some minimal effective level need to be available? The discussion alone of what RTO is needed has huge value to an asset owner. The discussion gets the key players on the same page on what is important to the company. In most cases this discussion leads to initial RTOs much shorter than the business requires, the realization that some things are not as important as people think and others are actually critical, and consequence reduction measures that are not more security controls.
To be fair, CPG 7.2 Incident Response Plan and 7.3 System Backups would play a role in getting the ICS back online, hence reducing consequence. These show the IT security control bias in thinking about cyber risk that is holding us back. They don't consider, and perhaps preclude, the non-hackable safety and protection systems, manual operations, secondary supply, expanded capacity and reserves, and other options that can be highly effective at maintaining or restoring the critical product or service.
-----------
CISA needed to put out these CPG. It was mandated by President Biden, and an effort to help the "cyber poor" is worthwhile. It is not a great lead or primary document that will drive America's Critical Infrastructure where it needs to be.
My thoughts on what the US Government should do to address America's ICS-related cyber risk are in my article OT Cyber Security Regulation (If I Were Omnipotent).
Building Automation | Facility Security | Access | Control System Cyber | Critical Infrastructure | Cyber Assessment | Industrial Controls | Facility Related Controls | Connecting People | Continual Learner | Golfer
2 years: The mention of "if everything is important, then nothing is important" really resonated with me. It's almost along the same train of thought as "are we talking about compliance or security?" Thanks for sharing.
CEO at Industrial Defender
2 years: Great write-up, Dale. I think you really nailed this one.
Dale Peterson, I've expressed my concerns over Mr. Goldstein's blog posting. Non-technical policy makers that take positions on technical matters really need to do their homework first. I hope Mr. Goldstein is listening: https://www.dhirubhai.net/posts/richard-dick-brooks-8078241_transforming-the-vulnerability-management-activity-6996644387447275520-2Qvf?utm_source=share&utm_medium=member_desktop
Product Leader, Coffee Snob, Cybersecurity Expert
2 years: I can answer the headline question: No. Compliance with any standard, regardless of how great it is, does not bring the desired security result. The fact that the standard comes from CISA just means it's an extra few years behind the rest of the industry. Your would-be attackers aren't using printed and published standards; they make it up as they go. It's why they are so effective. A billion more executive orders from Biden's handlers won't stop the hackers. Though I do agree with you about the marketing dollars spent on tech that was invented in search of a problem, this isn't going to make an appreciable difference on infrastructure security for the average American. The small groups will still be small and operating on razor-thin budgets. The entire industry will still be inept and focused on reactive technology just like everyone else these days. Attacks will continue. I hate saying it, but it's true. This is something I would love to be wrong about.
CISA is leaning heavily on NIST Guidance for best practices with regard to risk management, i.e. SP 800-53, NIST CSF and SP 800-161 are key practices/standards. CCE is a DOE practice with no formal standing in NIST, to my knowledge. NIST's risk equation includes likelihood and impact, which encapsulates consequences. Quantitative performance metrics for cybersecurity controls can be very difficult to articulate, i.e. if a phishing email is blocked from 10 recipients, does that count as 10 successes for the control metric? CISA is striving to make these CPGs practical for small and medium businesses. This is apparent from the comment regarding Zero Trust being out of scope for the CPGs.