The new National Security Memorandum on industrial security: What does it mean for me?

By Patrick Miller

What do you need to know now that the White House has issued its National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems? Watch this interview with Ampere Industrial Security's Patrick Miller.

Keysight Sr. Industrial Solutions Manager Gail Ow interviews Ampere CEO Patrick Miller about the memorandum. Interview edited for length and clarity.

GAIL: What is this and what does it mean to me?

PATRICK: The short story is, this is an ask from the President to the critical infrastructure sector to secure their industrial control systems. It's not mandatory, it's not required. It's a voluntary collaborative initiative, as it's called in the memorandum.

It's asking the critical infrastructures --- and there's 16 of these. They're defined within the National Infrastructure Protection Plan. It calls out four of them specifically: electric, gas, water, chemical. For this initial part, the ask from the President is that we're going to start with some what are called ‘voluntary cybersecurity performance goals.’

This is going to be a measurement. They're going to be measured against these goals. They're due in a few months. September 22 of this year is the preliminary set of goals and then the final goals are due by next year. These goals are going to be created by NIST [National Institute of Standards and Technology].

It's really just a measurement of security controls. NIST does this. They create lots of security controls, cybersecurity frameworks, the NIST 800 series, particularly 53 and 82. It's likely going to be one of those.

The memorandum says you can use existing measurements or create new ones. Since some good stuff exists, NIST will probably use one of those to set the performance goals. Then the critical infrastructures are being asked to measure themselves against these goals and report back.

GAIL: If I'm a utility, what does it mean to me?

PATRICK: As a utility, they call out some specifics they want you to do. The first one is what's called basically detection, and it's really more monitoring. It's so that you've got the capability to know what's in your environment, first of all, like an asset management approach. And then what's happening to those devices on your network, specifically the industrial control system devices. They want to know that you could tell if something bad was happening, if there was ransomware, malware, or a bad actor in your network.

Think of it like putting in video cameras and someone to watch the camera and the analytics and all that, but doing this on the network.

So, lots of sensing equipment on the network that looks for bad things happening and then goes back to the security operations center for analysts to look at and decide if something bad is happening.

And then the next piece, what follows after that, is incident response and recovery. If something bad happens because you're detecting it, then you need to respond and do something meaningful from a response perspective. [It] means that you can probably keep operating, right? Then if, for some reason, it gets to a state that's really bad and you have to recover, that the recovery time is really short.

They're looking at creating --- in a previous executive order they talked about --- what's called a 'cyber NTSB' [National Transportation Safety Board]. It'll likely be a response framework that you'll need to align with at some point. So, you need to be able to detect, you need to respond and recover.

Then the last piece is, since you're detecting and you're responding, that you share this information with the federal government in an information sharing approach. This in the past has been, "you share a lot of information, get some back." Hopefully we're going to get a more collaborative approach moving forward where there's a lot of good information sharing happening.

We'll see how this all pans out. Again, it's voluntary. Most industries are still kind of figuring out how much of a lift is this. We'll see what they ultimately end up doing in response.

GAIL: When you talk about recovery, that makes me think of pipelines. How does this affect other utilities?

PATRICK: Oil and gas, in particular. The electric sector has already gotten pretty far down this path. They're already regulated with NERC CIP. The NERC CIP standards have been mapped to everything NIST already, so they can measure themselves fairly quickly in terms of where they are, at least for the utilities that are regulated under NERC CIP. Not all electric utilities have things that are bound to NERC CIP.

The pipelines come to mind because of the recent Colonial issues [attackers held Colonial Pipeline's computer systems for ransom in May, which led to a slowdown in gas delivery for millions of customers and sparked panic buying that dried up supplies at many gas stations].

The TSA [Transportation Safety Administration] has issued some safety guidelines and also security directives (May 2021 and July 2021). Together they work basically as something like NERC CIP, but for the gas space, the pipeline space.

If you're a pipeline operator, you probably of course need to first respond to what the TSA has asked. Then you'll need to map your existing TSA guidelines and directives to whatever NIST produces as this new performance goal framework, whatever that looks like. So, you'll need to perform that control mapping from one set of standards to the other set of standards.

That needs to be done also for chemical and for water, eventually. Those are going to fall into scope as well.

I would say that’s probably the first thing you need to get done. Start by figuring out how you're going to measure yourself against these goals, because those are going to be the first questions. But you're going to be measured in those areas, again, of detection, monitoring, and then response and recovery and information sharing.

GAIL: I think you've gotten into a lot of this, but I'm still a little fuzzy about specifically what I need to do, like tomorrow.

PATRICK: Tomorrow. Great question.

If you're going to respond [to] this in a voluntary fashion, which you should, the first thing you need to do is figure out what does it look like on your environment:

— Do you even know everything in your environment, first of all?

— Do you have an asset inventory?

— Then once you have that, how do you detect what's happening in that environment?

— Do you have enough capability to see what's going on?

— Do you have the technologies to get that security information about those devices out of that network and analyzed?

— Do you have the people with the skill sets to do that, so you can effectively detect and monitor?

And then the response and recovery. You should already be good at incident response. And if you're not, you should practice more. Start having some incident response exercises. You need to practice like it's game day. Go ask Colonial or anybody else that just got hit. This is something you need to be ready for and ready to respond in a really meaningful way, not just in a kind of contain-the-bleeding and stop-the-damage, but you may even need to recover from scratch in some cases — or even go to manual operations.

Those are big asks, so start off by:

— Do I have enough understanding of my environment?

— Can I get this monitoring out of it and make it useful for me so that I can respond faster and better and even recover better if I need to?

That's a lot of human and technology components in there as well. The information sharing piece will follow afterward in terms of what you want to share and what you should be sharing.

GAIL: Okay, bonus question. How hard is this going to be?

PATRICK: It shouldn't be hard, because you're already doing lots of good security things, right?

It'll be less difficult for those that have spent a fair bit of time. They understand their environments. They know what they need to be detecting. They can get rid of some of the false positives and all those challenging things of getting all the technology in place and getting meaningful security information out of that network so that your incident responders aren't just chasing their tails looking at things that are false positive.

I would say it's not going to be that difficult if you've already spent some time on this. If this is new to you, this is likely going to be a heavier lift.

GAIL: I have one last question if you've got the time. You had mentioned September 22 as a deadline. Does all of this stuff have to be implemented by then or do we just need a plan?

PATRICK: Great question. No, this is the first set of preliminary goals to come out by the 22nd of September. This isn't so much that the infrastructures need to respond by then, it's that NIST and the federal side, primarily NIST and DHS [Department of Homeland Security] need to come up with their preliminary goals by then.

GAIL: Thank you so much for joining us today, Patrick. I sure learned a lot.

PATRICK: Thanks for having me.


More on this topic…

Gail Ow’s Keysight Technologies companion blog for this video

Industry Brief on the National Security Memorandum from Ampere’s Patrick Miller
