DHS wants better coordination on ICS security

A top cyber official at the Department of Homeland Security said the agency is looking across industrial sectors and federal agencies when it comes to protecting critical infrastructure from cyber and physical threats.

A top cyber official at the Department of Homeland Security said the agency wanted to think "more strategically" about how it interacts with other federal agencies and private industry when it comes to protecting the nation's industrial control systems from cyber and physical threats.

At a Nov. 12 cybersecurity conference hosted by Sightline Media, Rick Driggers, deputy assistant director at the Cybersecurity and Infrastructure Security Agency, said the federal government has offered a variety of resources and services to industrial control system operators over the years, such as vulnerability scanning and assessments, hunt and incident response, malware analysis and vulnerability disclosure policies.

That operational and tactical support must be paired with a broader reorientation of how the government coordinates its outreach efforts among different agencies and its engagement with industry, he said.

"Those types of infrastructure that we're worried about protecting against today are going to be different in the future," he said. "Ten, 15 years ago, we weren't worried about securing cloud technology or cloud infrastructure. Today we are."

Driggers laid out four goals for CISA for the next year: asking industry for greater contributions to the security space while ensuring government is adding value along the way, driving technological innovation to mature cyber defense capabilities, building deeper data capabilities and taking a cross-sector perspective on industrial control systems.

Industrial control systems such as SCADA systems and distributed control systems operate, govern and control technology and machinery in energy, transportation, water and wastewater systems, financial services and other industrial sectors. Such systems are often old, unpatched, insecure and vulnerable to cyber or physical attacks that could cause cascading negative effects on U.S. society and the economy.

CISA already has an interagency working group that includes representatives from the Departments of Defense, Energy and Transportation, the National Security Agency, the National Institute of Standards and Technology, the Environmental Protection Agency, the Federal Communications Commission and other agencies.

Driggers said CISA plans to engage with private ICS operators "at the practitioner level" through the end of this year. Early next year, it will open up the interagency working group to give members of industry a seat at the table as the government reevaluates its work on a number of issues, including bolstering security standards, gaining a better understanding of common supply chain parts and components across different ICS systems and increasing detection, response and workforce capabilities.

CISA also wants the government to look inward and ensure that it is sending a consistent message as various departments and agencies reach out to industry with their own initiatives. Driggers said the government must "collectively get [our] house in order in terms of what the federal government is doing across the various different landscapes" of ICS security efforts.

After his speech, Driggers told FCW that the agency wants to ensure the government is properly aligning its investments in ICS security programs, capabilities and services it offers to the private sector.

"I think the problem we've had in the past is that different departments and agencies -- and probably different programs within different departments and agencies -- are going out and engaging industry and wanting to learn and understand about their own specific issue when really, if you look at it from an operational technology perspective, a lot of what we're trying to mitigate, protect and defend are common across multiple different types of OT environments and particularly across different types of sectors," he said.

Additionally, he said the government must speak with one voice when it is engaging with critical infrastructure partners on cybersecurity issues.

Recently Rep. Mike Rogers (R-Ala.), the ranking Republican on the House Homeland Security Committee, expressed concern that other federal civilian agencies weren't doing enough to coordinate their cybersecurity efforts under CISA's umbrella. Driggers told FCW the agency wants to ensure "that we're communicating, coordinating and collaborating and being very transparent about ICS investments" and that "if the Department of Energy person is talking to energy [sector industry], they're saying the same thing I am."

As for new data analysis capabilities, Driggers said the government as a whole is still in a state of data immaturity, leaving gaps in information that make it difficult to leverage technologies like machine learning and artificial intelligence. Coming up with new metrics for security operators to measure could help develop the "very, very tough questions" that lead to long-term improvements.

"How do we collect [in] those gaps, how do we work with private industry if there are those gaps and then how do we apply the big data analytics and machine learning and artificial intelligence analytics to that data. Right now, we're not in a position to do that," he said.
