Thursday, February 25, 2021

Philosophy of Cybersecurity Legislation – Part 2: How to Regulate

This is part of a continuing series on the Philosophy of Cybersecurity Legislation. With all of the calls for improving cybersecurity, and the increasing sense that legislation is necessary, this series will try to define the necessary parameters for effective cybersecurity legislation. The earlier post in the series was:

Part 1: What to Regulate

Flexibility Needed

The most common complaint about calls for cybersecurity legislation over the last ten years or so has been that the cybersecurity field changes so quickly that any legislative effort is doomed to being out-of-date by the time that it is enacted. New types of threats, the expanding scope of cyber operations in daily life and the ever-changing variety of tools used by both defenders and attackers all make it hard for the crafters of legislation to provide laundry lists of do’s and don’ts in their legislative efforts.

Having said that, there are four key areas that any successful cybersecurity program is going to have to address:

• Identify critical cyber components,

• Limit access to those components,

• Monitor those components for signs of compromise, and

• Have a plan in place to recover operations.

I am not trying to say that an organization can afford to ignore the security of non-critical cyber components, but national-level cybersecurity legislation is going to have to focus on critical operations (CO) of private-sector critical-infrastructure (PSCI). There is just not enough time, money or personnel available to the federal government to worry about the cybersecurity infrastructure of each and every component of the economy.

Identify Critical Cyber Components

The task of identifying the 3Cs (‘critical cyber components’) is going to be the key to a successful national critical infrastructure cybersecurity program, and it is going to be the most difficult process to define for this legislative effort. Each critical infrastructure sector is going to have different types of economic output that are going to have to be protected, and each facility is going to have a different set of cyber controls in place that guides the production of that output.

The goal of a successful critical infrastructure cybersecurity bill is not going to be to define what the 3Cs are for each and every facility in the United States. The task would be monumental, it would never be complete, and there would be too much resistance from every sector of the economy to ever allow the bill to pass. No, that task is going to have to be passed to the regulators at the Sector Specific Agencies (SSA) that oversee federal efforts to help protect each of the 16 CI sectors.

Even these regulators are going to have a tough time defining how each facility identifies its own 3Cs. One thing is certain, however: the regulatory definitions are going to have to be operational in nature, basing the criteria on what systems are absolutely necessary for the continued output of whatever product or service makes the facility critical infrastructure in the first place.

For example, in the Chemical Facility Anti-Terrorism Standards (CFATS) program DHS defines critical cyber systems as those that directly impact the safe/secure storage, handling or shipping of one or more of the DHS chemicals of interest at the facility which are the basis for the facility being covered by the CFATS regulations. Only those critical cyber systems have to be addressed in the facility’s site security plan. Facilities would probably want to protect their other cyber systems, but that is not the worry of the CFATS program.

Limit Access to 3Cs

Limiting access to 3Cs is one of those areas where legislative efforts are going to have to be carefully directed away from requiring specific types of technology to solve the access problem. The systems across the 16 critical infrastructure sectors are just too diverse for a single solution to be effective. While encrypted communications and two-factor authentication (2FA) will certainly be widely used in securing critical cyber components, requiring their use will be self-defeating when the next adversarial tool defeats 2FA or a new cybersecurity upstart comes up with an easier, more effective way to address remote operations.

No, what a national legislative solution to protecting CO-PSCI from cyber-attacks is going to have to do is to authorize the regulators to establish processes by which regulated facilities can propose methodologies to limit access to their 3Cs. If those methods achieve the four goals listed below, then regulators would be required to accept the methodology:

• Systems in place to administratively identify those who are authorized access to 3Cs,

• Systems in place to confirm that a person attempting access is authorized for that level of access,

• Systems in place to alert appropriate authorities when an unauthorized access is attempted, and

• Systems in place to prevent an unauthorized person from manipulating the controls of, or information transiting, a 3C component.

Notice that protecting access to information in a 3C component is not one of the four goals of limiting access. Where a primary purpose of a 3C component is the protection of information from unauthorized access the SSA should be authorized by this legislation to include ‘residing in or’ between the words ‘information’ and ‘transiting’ in the fourth goal above.
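The four access goals above can be read as the specification for a small reference monitor: an administrative record of who holds what level of access to each 3C, a check that the held level covers the level requested, an alert on every denied attempt, and a deny-by-default guard around anything that changes the component's controls. The following is an added example written for this post, not code from any regulation, vendor or the CFATS program; the component name (`reactor_plc`), the user identities, the two access levels and the setpoint being manipulated are all hypothetical.

```python
"""Minimal reference monitor for a 'critical cyber component' (3C).

Added example. The component, users and access levels below are
hypothetical; no real facility or regulation is being modelled.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Tuple


class Level(IntEnum):
    NONE = 0      # no authorization on record
    VIEW = 1      # may read state and telemetry
    OPERATE = 2   # may change setpoints or send commands


@dataclass
class Alert:
    subject: str
    component: str
    requested: Level
    held: Level


@dataclass
class ReferenceMonitor:
    # Goal 1: the administrative record of who is authorized, per component.
    authorizations: Dict[Tuple[str, str], Level] = field(default_factory=dict)
    # Goal 3: every unauthorized attempt is recorded for the people who
    # need to see it (here an in-memory list standing in for an alert feed).
    alerts: List[Alert] = field(default_factory=list)

    def grant(self, subject: str, component: str, level: Level) -> None:
        self.authorizations[(subject, component)] = level

    def revoke(self, subject: str, component: str) -> None:
        self.authorizations.pop((subject, component), None)

    def check(self, subject: str, component: str, requested: Level) -> bool:
        # Goal 2: confirm the level held covers the level being requested.
        # An unknown subject holds Level.NONE, so the default is deny.
        held = self.authorizations.get((subject, component), Level.NONE)
        if held >= requested:
            return True
        self.alerts.append(Alert(subject, component, requested, held))
        return False

    def write_setpoint(self, subject: str, component: str,
                       state: Dict[str, float], tag: str, value: float) -> bool:
        # Goal 4: manipulation of the component's controls goes through the
        # check; a denied write leaves the state untouched.
        if not self.check(subject, component, Level.OPERATE):
            return False
        state[tag] = value
        return True


def demo():
    """Exercise the monitor with two authorized users and one stranger."""
    rm = ReferenceMonitor()
    rm.grant("op_alice", "reactor_plc", Level.OPERATE)
    rm.grant("eng_bob", "reactor_plc", Level.VIEW)
    state = {"cooling_setpoint": 40.0}
    results = {
        "alice_write": rm.write_setpoint("op_alice", "reactor_plc", state,
                                         "cooling_setpoint", 35.0),
        "bob_view": rm.check("eng_bob", "reactor_plc", Level.VIEW),
        "bob_write": rm.write_setpoint("eng_bob", "reactor_plc", state,
                                       "cooling_setpoint", 20.0),
        "mallory_view": rm.check("mallory", "reactor_plc", Level.VIEW),
    }
    return rm, state, results


if __name__ == "__main__":
    monitor, final_state, outcome = demo()
    print(outcome, final_state)
    for a in monitor.alerts:
        print(f"ALERT: {a.subject} requested {a.requested.name} on "
              f"{a.component}, holds {a.held.name}")
```

The point of the structure is that the legislation's goals constrain the shape of the mechanism (a record, a check, an alert, an enforcement point) without saying whether the record is an Active Directory group, a PLC password list, or a badge reader database. Where an SSA adds ‘residing in or’ to the fourth goal, the same `check` call would simply be placed in front of reads as well as writes.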

Monitoring for Signs of Compromise

This has always been one of those areas of cybersecurity that has caused multiple problems in the past. If the definition of a sign of compromise is too broad (a ping against a connection, for instance) there are too many events to deal with effectively, and if it is too narrow (publication of exfiltrated data, for example) then the attacker has already had far too much access to the system for effective mitigation.

But again, if we limit the systems of concern to just the 3Cs and limit access in the ways described above, we can have a better handle on defining signs of compromise. A simple definition could be the transit of data or commands into or out of the defined system either via an unauthorized mode of communication, or to/from an unauthorized source or destination.

Another sign of compromise has been suggested by the Coast Guard in a recent Marine Safety Information Bulletin (MSIB 03-21) [corrected # and provided link, 3-16-21 10:17 EDT], in which it required any MTSA-covered vessel or facility to report a breach of security if:

• They have downloaded the trojanized SolarWinds Orion plug-in (see FBI Private Industry Notification 20201222-001 https://www.ic3.gov/Media/News/2020/201229.pdf); or

• They note any system with a critical security function displaying any signs of compromise, including those that may have not originated from the SolarWinds Orion compromise but utilize similar TTPs (see CISA Alert AA20-352A).

Thus, we could include a requirement to check for indicators of compromise published by CISA, the FBI, NSA, the SSA for the PSCI, or the applicable industry or sector information sharing and analysis center (ISAC).

Again, how systems are monitored would be a regulatory matter for the SSA crafting the implementing regulations.
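The ‘simple definition’ of a sign of compromise given above (traffic crossing the boundary of a 3C by an unauthorized mode, or to/from an unauthorized peer) and the IOC-checking requirement that follows the Coast Guard bulletin can both be turned into detection logic once the authorized communications of a component have been enumerated. The following is an added example, not code from the Coast Guard, CISA or any facility: the allowlist for `reactor_plc`, the five flow records and the two indicator sets are constructed for illustration and do not correspond to any published IOC list.

```python
"""Flag signs of compromise at the boundary of a 3C.

Added example. The allowlist, the flow log and the IOC sets are
constructed; the IOC values are documentation addresses (RFC 5737)
and a reserved domain, not real indicators from any advisory.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Authorized communications per component: (peer address, protocol).
# In practice this is the output of the 'identify' and 'limit access' steps.
ALLOWED: Dict[str, Set[Tuple[str, str]]] = {
    "reactor_plc": {
        ("10.10.1.5", "modbus"),    # HMI
        ("10.10.1.6", "modbus"),    # historian
        ("10.10.1.20", "ssh"),      # engineering workstation
    },
}

# Constructed stand-ins for an indicator feed from CISA, the FBI or an ISAC.
IOC_ADDRESSES: Set[str] = {"203.0.113.77", "198.51.100.9"}
IOC_DOMAINS: Set[str] = {"bad-update.example"}

# Constructed flow log: timestamp component direction peer protocol dns-name
SAMPLE_LOG = """\
2021-02-25T10:00:01Z reactor_plc in 10.10.1.5 modbus -
2021-02-25T10:00:02Z reactor_plc in 10.10.1.20 ssh -
2021-02-25T10:00:03Z reactor_plc in 10.10.1.5 https -
2021-02-25T10:00:04Z reactor_plc out 203.0.113.77 https bad-update.example
2021-02-25T10:00:05Z reactor_plc out 192.0.2.44 modbus -
"""


@dataclass
class Flow:
    ts: str
    component: str
    direction: str   # "in" or "out", relative to the component
    peer: str
    protocol: str
    dns_name: str    # empty when the log carried no name


def parse_line(line: str) -> Flow:
    ts, component, direction, peer, protocol, dns = line.split()
    return Flow(ts, component, direction, peer, protocol,
                "" if dns == "-" else dns)


def classify(flow: Flow) -> List[str]:
    """Return the reasons a flow counts as a sign of compromise (empty if none)."""
    allowed = ALLOWED.get(flow.component, set())
    reasons: List[str] = []
    # Unauthorized mode of communication: a protocol this 3C never speaks.
    if flow.protocol not in {proto for _, proto in allowed}:
        reasons.append("unauthorized mode of communication")
    # Unauthorized source/destination: a peer not on the component's list.
    if flow.peer not in {peer for peer, _ in allowed}:
        side = "source" if flow.direction == "in" else "destination"
        reasons.append(f"unauthorized {side}")
    # Published indicators: match on address or on the resolved name.
    if flow.peer in IOC_ADDRESSES or flow.dns_name in IOC_DOMAINS:
        reasons.append("matches published indicator of compromise")
    return reasons


def scan(log_text: str) -> List[Tuple[Flow, List[str]]]:
    """Run every line of a flow log through classify(); keep the hits."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        reasons = classify(flow)
        if reasons:
            findings.append((flow, reasons))
    return findings


if __name__ == "__main__":
    for flow, reasons in scan(SAMPLE_LOG):
        print(f"{flow.ts} {flow.component} {flow.direction} {flow.peer} "
              f"{flow.protocol}: {'; '.join(reasons)}")
```

Three of the five constructed records are flagged: the HMI talking HTTPS to a PLC that only speaks Modbus, an outbound connection that fails all three tests at once, and a Modbus session to an address that is not on the list. The first two records pass because both the peer and the protocol were enumerated up front; the definition only works to the extent that the ‘limit access’ step produced that enumeration.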

Recover Operations

One thing that is obvious from the SolarWinds breach is that any organization can be breached by an adversary with the appropriate resources and desire. Thus, any cybersecurity plan must contain a response plan for how the system will be recovered when a successful attack does occur. Again, since the scope of a response plan is going to vary from sector to sector, the legislation would not be expected to describe the acceptable parameters of a cyber response plan beyond one goal: returning to operation those parts of the business deemed to be the critical operations that were responsible for the facility being regulated as a CO-PSCI in the first place.

One thing that the recovery plan will have to include is the identification of outside resources that the facility will need to recover from a successful cyber-attack. SSAs should be required to compile those lists from CO-PSCI across the sector and periodically report to Congress on those recovery assets that facilities would need government assistance to obtain in the event of a worst-case attack. FEMA could then be given the task of stockpiling the appropriate assets to aid recovery operations.

Part 3 to this series will address information sharing.
