CISA launched its Shields Up campaign in mid-February, purportedly to meet the increased threat Russia posed due to the war in Ukraine. From the initial release:
While there are not currently any specific credible threats to the U.S. homeland, we are mindful of the potential for Russia to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine. … CISA recommends all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.
The “heightened posture” was referred to as Shields Up, a very clever and easily understood name.
The items in Shields Up were a list of the basic and important security controls that have been required for almost all systems for many years, such as multi-factor authentication for remote access, patching, disabling unused ports, testing backups, having an incident response plan and so on.
The only actions that actually were applicable to an increased threat environment were related to increasing detection and lowering reporting thresholds.
I had a chance to interview CISA Director Jen Easterly at S4x22, see below at 17:40, and ask her both what was new with Shields Up (discussed above) and when the Shields would come down. Director Easterly began the walk back of tying Shields Up to the Russian threat related to the war in Ukraine, and said we might move to a Shields Normal rather than the shields ever coming down.
The problem is that tying the need for many of these good practices to a specific cyber threat was a logical mistake. Most were recognized as needed for ICS long before this specific cyber threat and will still be needed after this specific threat recedes. (The USG, and much of the community, still doesn’t understand the lack of risk reduction achieved in most ICS patching.)
Director Easterly and National Cyber Director Inglis knew this, of course, and they began to address it with an article last week. The Shields Up set of controls is the new normal. They wrote:
In today’s complex, dynamic, and dangerous cyberthreat environment, the answer is that our shields will likely be up for the foreseeable future.
In less than six months the message pivoted from everyone needs to do this because Russia may retaliate against US sanctions and actions related to the war in Ukraine – to – you will need to do this for the foreseeable future. I imagine they knew this would happen when Shields Up began. After all, how could a security agency say those basic security controls were no longer required?
The initial messaging was misleading, and it was wise. Shields Up has been one of the most effective US Government security messaging efforts I’ve seen in the last 20 years. It’s simple. It’s catchy. It’s a bit Star Trek. It’s something executives can ask … are our shields up?
I wish we could see some metrics on what has changed in terms of posture since the Shields Up campaign began. How many companies that had been resisting these basic controls, which surely had mostly been recommended by their own security teams, have now begun putting them in?
The only problem with the Shields Up messaging is how does CISA now tell companies they need increased vigilance and security measures when the next specific threat actor or environment occurs? Shields Way Up? Shields “We Really Mean It” Up. Going back to the Star Trek lingo, the Enterprise didn’t always have Shields Up. The Enterprise wasn’t always on Red Alert. Human beings can’t be, or at least aren’t effective at being, on high alert for long periods of time.
I was encouraged by an indication that Easterly and Inglis plan to address this:
Recognizing that responders are more effective when provided with specific, actionable information, a cyber alert and advisory framework that provides timely warning and recommended actions is the natural successor to today’s “all-on” Shields Up approach.
There could be guidance given to ICS owner / operators in an increased threat environment such as:
- increase ICS isolation (possibly eliminating remote access, corporate network connections)
- isolate redundant backup system from all systems, including primary system, to prevent compromise of backup system
- move all PLCs / controllers to run mode so logic/program changes cannot be made
- consider disabling high impact automated controls
- create current backup and store off network
These are just examples of what might make sense, along with increased detection resources and lowered alert thresholds, in a temporary higher threat environment. There is also sector-specific guidance for a heightened environment that would make sense. This guidance would make operating the ICS and process more difficult and costly, and would not be prudent or possible to sustain for a long time. The guidance should be provided before the next alert so owner/operators know what they should do in a high alert situation.
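To make “lower thresholds” concrete, here is an added example (not CISA’s code, and not the author’s) of a small monitor that applies posture-dependent alert thresholds to the same log lines. The event types, the threshold values, the log format and the sample lines are all made up for this illustration; a real deployment would map them onto its own telemetry.

```python
"""Posture-aware detection thresholds run over constructed ICS log lines.

Added example, not code from CISA or from the original post. Event names,
threshold values and the log format are assumptions invented for illustration.
"""
import re
from collections import Counter

# Hypothetical per-posture thresholds (assumed values, not from any guidance).
# The same events trigger an alert much sooner once the posture is "heightened".
THRESHOLDS = {
    "normal":     {"failed_remote_login": 10, "plc_program_write": 5, "new_external_peer": 3},
    "heightened": {"failed_remote_login": 3,  "plc_program_write": 1, "new_external_peer": 1},
}

# Constructed sample log (made up for this example; addresses are documentation ranges).
SAMPLE_LOG = """\
2022-08-01T10:00:01 vpn user=eng01 src=203.0.113.7 result=FAIL
2022-08-01T10:00:04 vpn user=eng01 src=203.0.113.7 result=FAIL
2022-08-01T10:00:09 vpn user=eng01 src=203.0.113.7 result=FAIL
2022-08-01T10:00:15 vpn user=eng01 src=203.0.113.7 result=FAIL
2022-08-01T10:00:20 vpn user=eng02 src=198.51.100.4 result=OK
2022-08-01T10:05:00 plc name=PLC-3 op=program_write src=10.1.2.5
2022-08-01T10:06:00 plc name=PLC-3 op=read src=10.1.2.5
2022-08-01T10:07:00 plc name=PLC-3 op=program_write src=10.1.2.5
2022-08-01T10:10:00 fw src=10.1.2.5 dst=192.0.2.44 dport=502 new_peer=yes
"""

# Each pattern maps a line of the assumed log format to an event type and a grouping key
# (the remote source for login failures, the controller for program writes, the
# internal host for new outbound peers).
_EVENT_PATTERNS = [
    ("failed_remote_login", re.compile(r"^\S+ vpn .*src=(?P<key>\S+) result=FAIL$")),
    ("plc_program_write",   re.compile(r"^\S+ plc name=(?P<key>\S+) op=program_write\b")),
    ("new_external_peer",   re.compile(r"^\S+ fw src=(?P<key>\S+) .*new_peer=yes$")),
]


def classify(line):
    """Return (event_type, key) for one log line, or None if it is not of interest."""
    for event_type, pattern in _EVENT_PATTERNS:
        m = pattern.match(line)
        if m:
            return event_type, m.group("key")
    return None


def count_events(log_text):
    """Count occurrences of each (event_type, key) pair across the log."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line.strip())
        if hit:
            counts[hit] += 1
    return counts


def evaluate(log_text, posture):
    """Return the alerts that meet or exceed the threshold for the given posture,
    as a sorted list of (event_type, key, count, threshold) tuples."""
    limits = THRESHOLDS[posture]
    alerts = []
    for (event_type, key), n in count_events(log_text).items():
        limit = limits[event_type]
        if n >= limit:
            alerts.append((event_type, key, n, limit))
    return sorted(alerts)


if __name__ == "__main__":
    # The identical log is quiet under "normal" and produces three alerts under "heightened".
    for posture in ("normal", "heightened"):
        print(posture, evaluate(SAMPLE_LOG, posture))
```

The point of keeping the thresholds in one table keyed by posture is that the shift to a heightened alert level becomes a single, reversible configuration change that analysts and executives can both point to, and that can be put back to “normal” when the specific threat recedes rather than left on indefinitely.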
Importantly, this is different from saying we are seeing this TTP and here are some ways of detecting and hunting for this type of attack. That information is important, and there are established ways of delivering it.
A Shields Up approach is different. CISA just needs to come up with a new catchy term because Shields Up is taken and doesn’t mean what it was originally described to mean.