The performance goals released by the Cybersecurity and Infrastructure Agency on Thursday represent a long-awaited push by federal officials to offer a roadmap for under-resourced organizations and providers of critical infrastructure that have become the most endangered targets of sophisticated threat actors.
CISA Director Jen Easterly, in a Thursday media call, said the guidelines would be particularly helpful for local organizations that may operate in the supply chains of larger companies or target rich, resource poor providers like hospitals, K-12 school districts or local water utilities.
“One of the things these corporations worry the most about based on my own experience and the feedback we’ve received is their supply chain, which is often populated by small and medium businesses that don’t have the resources to build a comprehensive cybersecurity program,” Easterly said during the call.
Experts say smaller utilities may face greater challenges when responding to a cyberattack, relative to larger power providers. Last year, Colorado cooperative Delta-Montrose Electric Association was hit by a cyberattack and full recovery took more than a month. The utility, which serves about 35,000 meters, went weeks without some payment processing, billing and other internal systems. The utility also said it suffered a significant data loss.
CISA has been reaching out to private sector organizations and local communities over the past couple of years to figure out where the inflection point has been in terms of gaining the upper hand against increasingly sophisticated cyber threats.
Small- to medium-sized vendors are often the backbone of supply chains that feed into major industrial providers. They often use outdated software widely exposed to the internet that could endanger other vendors and larger companies they work with if a vulnerability or malware goes undetected.
Any such effort to mitigate risk and bring basic cybersecurity measures to critical infrastructure, factories or other organizations is welcome, according to Nicole Darden Ford, vice president of global security and CISO at Rockwell Automation.
“The performance goals are a solid first step, and it offers smaller and medium-sized organizations a roadmap for cyber protections that are achievable,” Darden Ford said. “We must continue to work together with CISA and the cyber community to ensure that all entities have the knowledge and structure to help protect us and our livelihoods.”
The cybersecurity performance goals wil help “simplify security decisions for owners and operators, and set clear expectations about the baseline controls that should be in place for essential services and functions,” according to a joint statement from Reps. Bennie Thompson, D-Miss., chairman of the Committee on Homeland Security, and Yvette Clarke, D-NY, chairwoman of the Subcommittee on Cybersecurity Infrastructure Protection & Innovation.
Experts in industrial cybersecurity point out that many small power companies, water treatment facilities and other firms are geographically dispersed and will need additional help in order to bring their cybersecurity programs up to speed.
Ben Miller, vice president of services at Dragos, a leading specialist in cybersecurity for industrial providers, said guidance would be welcomed, especially when firms are being offered many different frameworks, standards and perspectives.
“They then don’t know which is right,” Miller said. “CISA has, rightfully, a strong voice in the community and adds authority here that is valuable to set direction.”
Miller noted the goals are leveraging existing work in the cybersecurity framework, but tailoring that guidance that makes sense in an operational technology setting.
The cybersecurity performance goals will help provide guidance for many under-resourced organizations and critical infrastructure providers who may need assistance in terms of where to start a cybersecurity program, Grant Geyer, chief product officer at Claroty, said in a blog post released on Thursday.
CISA’s performance goals are a recognition that free market forces alone are not going to be able to drive the private sector into compliance, Geyer said, adding CISA is in effect playing the role of good cop.
“While CISA’s cybersecurity performance goals are not mandatory, they are likely a jumping off point for upcoming regulations coming from the White House and Congress,” Geyer said via email. “Regulators now have a CISA-approved, pre-built checklist of critical areas to focus on that address the key practices, such as account security, data and device integrity, supply chain and third-party risk and response and recovery.”