Last July, the White House released a National Security Memorandum establishing a voluntary partnership between the U.S. federal government and critical infrastructure asset owners and operators that focused on enhancing the cybersecurity posture of the nation’s critical infrastructure.
Section 4 of the memo called for coordination between the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) to develop cybersecurity performance goals for critical infrastructure providers. While they were given a year to complete this task, the Cybersecurity and Infrastructure Security Agency (CISA) – a stand-alone, operational component of DHS – and NIST published their initial cybersecurity performance goals and objectives for critical infrastructure control systems in September 2021.
As industry-recognized standards and regulatory frameworks continue to evolve, organizations are likely wondering how to align these goals and objectives with their existing security program. Dragos has partnered with many industrial organizations implementing new security measures and knows firsthand how overwhelming any new set of directives or voluntary requirements can be.
Upon reviewing the new CISA goals and objectives, we are confident that they can be successfully adopted by industrial organizations of varying levels of maturity. This blog covers the history of cybersecurity regulations, the goal of CISA’s standards for ICS, and key ways you can align your enterprise’s current industrial cybersecurity strategy with the new standards.
Mapping Your Security Controls to the New CISA Standards
Later in this post, we discuss what the CISA requirements are and how they map to existing standards and/or requirements. However, it is important to first understand how we, as an industry, arrived at this point.
Timeline of Cybersecurity Standards & Requirements
The following timeline highlights key moments leading to today’s regulatory environment:
- 2008: NERC-CIP v1 approved by FERC – provided federally mandated, baseline minimum cybersecurity requirements to maintain reliability of the bulk electric system (BES)
- 2012: DOE releases C2M2 and RMP – voluntary standards to build upon existing requirements and provide a roadmap for cybersecurity. C2M2 provides a maturity model that allows organizations to assess their overall security posture
- 2014: White House, NIST and DHS release Cybersecurity Framework – framework based on elements of C2M2 and intended to serve as a Rosetta Stone for regulations
- 2015: DOE releases the Framework Implementation Guidance – additional guidance intending to link existing cybersecurity requirements
- 2021: White House issues National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems – established voluntary initiative to encourage maturation of cybersecurity across various industries identified as critical infrastructure
- 2021: CISA Releases Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives – defined baseline security practices for critical infrastructure owners, regardless of industry, to support national and economic security, public health, and safety
CISA Goals & Objectives in Context of Previous Models
Asset owners should note that the new CISA goals and objectives are not intended to replace existing standards or regulations, but rather define cybersecurity baselines that asset owners should then be able to demonstrate.
In other words, CISA’s goals and objectives provide baseline cybersecurity practices for the nine categories identified but do not prescribe how asset owners should achieve those baselines.
This can be compared to maturity models like the Cybersecurity Capability Maturity Model (C2M2). The C2M2 was originally designed for the electric (ES-C2M2) and oil & natural gas (ONG-C2M2) subsectors, however, a generic version is available for organizations in other industrial verticals interested in assessing their cybersecurity maturity. While CISA’s goals and objectives do not directly map to the C2M2 domains, comparing the two may help those familiar with the C2M2 methodology orient themselves to the new CISA baselines.
The following table maps the categorizations used by CISA to the C2M2 domains (where a CISA category spans more than one C2M2 domain, the domains are separated by semicolons):

| CISA Categories | C2M2 Domains |
| --- | --- |
| Risk Management and Cybersecurity Governance | Risk Management; Cybersecurity Program Management |
| Architecture and Design | Cybersecurity Architecture; Cybersecurity Program Management |
| Configuration and Change Management | Asset, Change, and Configuration Management |
| Physical Security | Identity and Access Management |
| System and Data Integrity, Availability, and Confidentiality | Identity and Access Management |
| Continuous Monitoring and Vulnerability Management | Threat and Vulnerability Management; Situational Awareness |
| Training and Awareness | Workforce Management |
| Incident Response and Recovery | Event and Incident Response, Continuity of Operations; Information Sharing and Communications (Enhanced Objective under CISA) |
| Supply Chain Risk Management | Supply Chain and External Dependencies Management |
This mapping is intended to provide asset owners with a general understanding of how CISA’s categories align with their security program. However, a more granular comparison will reveal differences in the criteria included in each grouping.
For example, the C2M2 Identity and Access Management domain includes logical and physical access controls, whereas CISA decided to address them in separate categories (System and Data Integrity, Availability, and Confidentiality and Physical Security, respectively). Additionally, the Physical Security category addresses environmental controls to reduce the likelihood of physical damage to critical assets (e.g., temperature and humidity controls), which are not covered by the C2M2.
Although CISA’s goals and objectives do not map precisely to existing maturity models or standards, asset owners will benefit from understanding these goals in the context of their existing security program rather than seeing them as a separate set of requirements.
What is a Cybersecurity Baseline?
While the above table contextualizes CISA’s goals and objectives with a more familiar framework, C2M2, it may still be unclear how mature security programs must be to achieve these objectives. The answer is… it depends.
CISA’s cybersecurity baseline objectives apply to all control system operators, whereas enhanced objectives “include practices for critical infrastructure supporting national defense; critical lifeline sectors; or where failure of control systems could have impacts to safety.”
So, the level of maturity required to satisfy CISA’s objectives is directly tied to the sector in which the asset owner operates. For asset owners unsure whether the enhanced objectives apply to their sector, DHS plans to coordinate with interagency and private-sector partners to determine sector applicability.
But to answer this question more directly, the C2M2 uses a 0-3 scale of maturity indicator levels (MILs) and CISA’s cybersecurity baseline objectives are closely aligned with MIL2 criteria. This means that identified security practices are documented and performed consistently.
However, CISA’s enhanced objectives, not surprisingly, require more mature practices. For instance, requiring dedicated test environments and implementation of multifactor authentication are found in the C2M2’s MIL3 criteria.
5 Key Ways to Align with CISA Cybersecurity Goals & Objectives
While asset owners will need to assess their security program in the context of CISA’s goals and objectives, Dragos has identified common findings across industry verticals that can help organizations align with the new CISA guidelines.
1 | Improve Asset Visibility
As noted in the Dragos Year in Review, 90% of our service engagements identified a lack of visibility across OT networks, which will impair asset owners’ ability to satisfy objectives included in CISA’s Architecture and Design; System and Data Integrity, Availability, and Confidentiality; and Continuous Monitoring and Vulnerability Management categories. Learn more about how asset visibility builds the foundation for OT cybersecurity.
Furthermore, the ability to monitor control systems to detect malicious activity is also tied to Section 3 of the White House’s National Security Memo.
2 | Focus on Network Monitoring & Segmentation
CISA’s guidance on physically segmenting control systems will likely provide an additional challenge for asset owners, as improper network segmentation within industrial environments is, unfortunately, the rule rather than the exception. Findings associated with improper segmentation were identified in 88% of our service engagements.
Asset owners should think of network monitoring and segmentation as complementary practices when designing their networks, as implementing chokepoints for network traffic enables organizations to monitor network traffic with greater efficiency.
3 | Develop Incident Response Plans
Dragos offers C2M2 modules as an addendum to its service engagements, which has enabled us to capture additional insights into the industrial community’s overall cybersecurity maturity. Through these assessments, Dragos has observed that many organizations have not defined the criteria needed to effectively declare, escalate, and prioritize incidents.
Asset owners should consider performing scenario-based tabletop exercises (TTXs) to identify gaps in their ability to identify and respond to security incidents. The output of these exercises can be used to refine criteria used throughout the detection and response process.
4 | Establish Cybersecurity Requirements for Third Party Services
Establishing cybersecurity requirements for third parties is another area in which Dragos has consistently identified immaturity throughout the industrial community. Asset owners are largely concerned with operability when defining tender documentation, procurement contracts, service-level agreements, etc., but often neglect to include cybersecurity requirements for third-party vendors and contractors.
Activity groups are targeting trusted relationships between asset owners and their vendors with greater frequency, which highlights the need for strong supply chain security controls enforced by the asset owner.
5 | Know Your Security Resourcing Needs
Lastly, asset owners consistently reported that they did not have adequate resources (funding, people, and technology) to maintain an effective cybersecurity program. The challenges associated with resources will depend largely on the organization’s size. Larger organizations are more likely to have the budget necessary to address resourcing concerns internally, while smaller organizations may need to outsource some of their cybersecurity capabilities.
Regardless of how organizations address resourcing concerns, it is important for hiring and procurement strategies to reflect the needs of their security program. Architecture reviews are an effective method of highlighting the gaps in an organization’s security program and topology, which can help drive effective resourcing. Regardless of organization size, retaining and training OT security talent continues to be a challenge.
Looking Ahead
The intention of CISA’s goals and objectives is to provide asset owners with direction for their security programs, not to overwhelm them with additional regulatory requirements. Organizations should review CISA’s guidance in the context of their security program, identify areas for improvement, and plan accordingly.
We expect future public-private partnerships, programs, and incentives will increasingly include these metrics and objectives in the years to come.