The Cybersecurity and Infrastructure Security Agency released a new strategy for securing industrial control systems in the United States. The strategy presents a proactive and collaborative approach to protecting the nation’s critical infrastructure and essential services.
“In recent years, we have seen industrial control systems around the world become a target for an increasing number of capable, imaginative adversaries aiming to disrupt essential services,” said Christopher Krebs, Director of CISA, in a press release. “As attackers continue trying to exploit vulnerabilities in ICS, we need to make sure we’re staying ahead of them. Together with our partners in the ICS industry and the security community, this strategy will lead us to new, unified initiatives and security capabilities that will markedly improve the way we defend and secure ICS.”
The strategy for securing industrial control systems includes proactive measures for architects, owners and operators, vendors, integrators, researchers, and other stakeholders in the ICS community.
“ICS security presents unique challenges,” Krebs says in the report. “Traditional ICS devices used to manage industrial processes are difficult to secure without creating unacceptable disruptions to critical industrial processes. The largescale use of newer technologies—such as 5G cellular networks, artificial intelligence, pervasive machine-to-machine communications, and advanced data analytics—introduces both advantages and additional uncertainties and may significantly change the ICS risk landscape.”
CISA’s strategy for securing industrial control systems includes a five-year plan with four guiding pillars. These include asking more of the ICS community and delivering more to them; developing and utilizing technology to mature collective ICS cyber defense; building deep data capabilities to analyze and deliver information that the ICS community can use to disrupt the ICS cyber kill chain; and enabling informed and proactive security investments by understanding and anticipating ICS risk.
“The work that CISA does will continue to support the ICS community,” Krebs says. “The analysis, training and exercises, vulnerability coordination, assessments, and response services we provide today will continue to make a real difference to the Nation’s security. In addition, CISA’s Securing Industrial Control Systems: A Unified Initiative will support national efforts to secure control systems in the areas of workforce development, standards and best practices, supply chain risk management, and incident management. We have made substantial progress since we first stood up an ICS security capability in 2004, but there is still more to do. Our adversaries are driven, imaginative, and persistent. Accordingly, we must be agile enough to counter them.”
The goal of the new strategy is to ensure industrial control systems perform within thresholds under duress. This means ensuring ICS networks are resilient to cyberattacks and continue to perform within operational parameters in support of national critical functions, despite malicious actions by adversaries in the control systems environment.
CISA is working to enable the ICS security community to be faster and smarter than its adversaries. By facilitating collaboration across industries and national borders, CISA believes the ICS community can increase the cost, time, and complexity thresholds for successful ICS attacks to the point that they exceed the capabilities of even the most advanced threat actors.
According to the new strategy, OT devices and networks should be secure by design. Cybersecurity should be a preeminent consideration in the development and design of new products, and operators should be able to apply security updates without operational disruption.
As part of the initiative, CISA is working to make security resources readily accessible. By using broadly available and easily implemented ICS cybersecurity tools and services, CI asset owners will be able to radically increase their baseline ICS cybersecurity capabilities. Additionally, the federal government will invest resources based on ICS risks to the security and resilience of national critical functions.
“As CISA implements this initiative over the next several years, the ICS threat environment will surely evolve,” the report concludes. “CISA will adapt to changes in the environment and manage specific ICS risk management activities accordingly; the foundational pillars around which this initiative builds will endure.”