With the private industrial cybersecurity market thriving, the Department of Homeland Security is continuing to push for closer coordination with experts on the front lines of defending facilities like power plants from hackers.
In speeches last week to vendors, security researchers, and state officials, DHS personnel said they wanted to help put companies on a more proactive defensive posture to thwart hacking threats to industrial environments.
The department has been working with ICS vendors to test security products before they go to market, but more needs to be done, Jeanette Manfra, assistant director for cybersecurity at DHS’s Cybersecurity and Infrastructure Security Agency, said last Wednesday at Hack the Capitol, an ICS security conference in Washington, D.C.
“In this space, unlike really, frankly, any other, we have got to have much more capability to prevent the attacks from happening before they get in there – or at least detect them quickly so we can stop them and mitigate those consequences,” she said.
The DHS outreach is a recognition of the expertise and dollars that the private sector has invested in ICS security, and the reality that the vast majority of control systems that underpin key sectors like electricity and manufacturing are not owned by the government. Some 85 percent of critical infrastructure entities are privately owned, Mike Steed, founding partner at the Paladin Capital Group, said this week at the Cyber Investing Summit in New York.
“We want the ICS community – and those are both the vendors and the operators of the system – to be able to be more empowered to defend themselves,” Manfra said. “And part of that empowerment means they have information that’s relevant to that defense.”
More than a 1,000 miles away, at a National Governors Association conference in Shreveport, Louisiana, a DHS control systems specialist was making the same pitch. “We need to make sure that we are out there in front of the problem and not just readying ourselves to able to…collect the pieces,” Jonathan Homer said.
That means getting actionable threat information into the hands of the people who own and operate energy, manufacturing, and other critical infrastructure facilities. And in that regard, industry analysts and DHS officials say there is a clear need for improvement.
Of the 443 security vulnerabilities that could impact ICS publicized last year by DHS and private-sector organizations, a third of them had errors in how they rated the potential severity of the vulnerability, according to a study by ICS security company Dragos. Many experts say the Common Vulnerability Scoring System (CVSS) that is used to rate the severity of software flaws needs to be overhauled to be more effective for industrial environments.
“Overall, [the public threat] reporting could be better and more targeted, regardless of whether it’s ICS or not,” Manfra told reporters.
DHS’s Homer also addressed the issue of threat reporting. “[The reports] only become valuable when you or your constituents down at the asset-owner level action them,” he said. “And so, yes, we will continue to improve the quality and quantity of those reports if you will continue to increase the utilization of the reports.”
While threat sharing is important, so too is practicing a unified response to the threat. One of the best ways DHS can build stronger relationships with the private sector would be to focus on supporting public-private cybersecurity drills like a regular grid exercise put on by DARPA, said Bryson Bort, founder of ICS security companies SCYTHE and GRIMM.
“The exercises are an opportunity to experiment with new technology and forge improved relationships and coordination” with asset owners, said Bort, an organizer of the Hack the Capitol conference.
As both awareness of ICS-specific threats and the depth of private-sector expertise has grown, DHS has had to adapt to how it approaches the challenge. The department has realized that it is most effective when it disseminates and amplifies ICS security insights that often originate in the private sector, according to Dragos CEO Robert M. Lee.
“One key change I’ve noticed is a stark realization by DHS that the expertise, insights, and innovation into these problems is happening in the private sector,” Lee told CyberScoop. “The government being behind the private sector was never part of the messaging or focus before.”
Lee praised DHS’s outreach efforts, adding: “In the industrial infrastructures, they are listening more and finding their unique role.”
With those lines of communication open, DHS officials can better understand where they can add value to private-sector security efforts and where that work would be duplicative.
“We’re all a part of the same community, whether you’re a vendor, an owner-operator, or a security researcher, or in the government,” Manfra said at Hack the Capitol, which was hosted by the nonprofit ICS Village, the Wilson Center, and the National Security Institute at George Mason University’s Antonin Scalia Law School. “We all have the same…goal in mind of increasing the security of our country. Sometimes, conversations are going to be hard between us and among us. And that’s okay, because we’re all coming at it from different angles.”
StateScoop’s Benjamin Freed contributed to this report.