The US Government’s Impact On OT Cyber Risk

(Begins with the bad, and ends with the good)

The US Government Hindering, Not Helping, Reduce OT Cyber Risk In The 1 To 3 Year Timeframe

I’ve been frustrated with the mountains of OT security guidance and regulations coming from CISA and other US government agencies. Most, but not all, of it is not wrong. It is documenting a large and growing set of OT security good practices. The frustration is a large amount of their recommendations and projects will have negligible impact on an asset owner’s or society’s OT cyber risk.

Even worse, the gems in this large mound of rocks get lost. The actions that could make a difference in the next 1 – 3 years are fighting for attention and resources with the feel-good, check-the-box, almost-no-impact security controls. And I must mention that the lack of attention to consequence reduction is a huge miss. For example, the small and medium water sector should spend 80%+ of its OT cyber risk reduction resources on consequence reduction.

There was no shortage of solid and near comprehensive OT security guidance before the US government got involved. There’s ISA/IEC 62443. There are numerous training programs, white papers and webinars. The failure to make more progress on OT cyber risk over the last 15 years has not been due to a lack of information.

The lack of progress can be blamed on two things: a lack of awareness of OT cyber risk, an area where the US Government (and the surrounding hysteria) has made great progress, and a lack of focus on the actions that will maximize OT cyber risk reduction. The US Government gets failing grades on the latter, and continues to make this worse.

Every additional feel-good, not-wrong security control that doesn’t make a big dent in OT cyber risk takes resources away from a security control or consequence reduction action that does.

When I have a chance to interview a US Government leader I ask them how they are measuring the success of their programs that get more funding year after year. I’ve yet to get an answer. To date the metric seems to be the number of guidance documents, the number of new programs, and the net promoter score of CISA. The latter may be at an all-time high among the broader population and at a low in the most experienced OT security community. Perhaps CISA and other sector agencies are making a positive impact outside of OT: IT, voting, state and local government. It is admittedly a very large and difficult job, one that somehow Congress and many think tanks believe should be even larger.

The US Government Is Helping Reduce Cyber Risk In The 10 to 15 Year Timeframe

I’ve made the mistake of letting my disdain for US Government actions that are aimed at, and claimed to have, a near term impact cloud my analysis of the long term impact of certain US Government efforts. To be clear, the long laundry list of recommendations is having a negative impact in the short term, and this will continue, if not changed, in the medium and long term.

There are two positive examples of US Government action that will have almost no impact in the near term and a large positive impact in the 10 to 15 year timeframe: medical device security and SBOMs. While the messaging doesn’t acknowledge that they will have minimal impact on OT cyber risk for years, it is smart to start.

The birth of ICS security began with the 9/11 attack in 2001. While a few pioneers were working before then, planes flying into buildings led many to think what other rarely considered attacks could have a major impact. It didn’t take long for those in the automation industry to identify the lack of authentication for control and administrative commands sent to controllers, PLCs and RTUs.

When this was brought up, the almost universal reply was “it will take decades” to add authentication to these Level 1 devices. A decade later it hadn’t started, and this led to Project Basecamp in 2012. Even after Project Basecamp it was another 5 years before serious work began on adding security to a few industrial protocols. Products with the secure industrial protocols are now available, although asset owner use is still small. As is the prioritization given to this issue by government and industry leaders.

Imagine where we would be in 2023 if the US Government had said in 2005 that beginning in 2007 we will only purchase Level 1 devices that have an authenticated industrial protocol.

At the end of 2022 the PATCH Act provisions were included in the omnibus spending bill. They gave the FDA authority to require medical device manufacturers to provide an SBOM and to have a vulnerability management program, including disclosure, providing patches, etc.

This new regulatory authority will have little impact on healthcare cyber risk for decades. The overwhelming majority of healthcare cyber incidents and related impact today are caused by ransomware. There is scant evidence that providing SBOMs and patching medical devices would lessen these incidents and their impact. This mistakenly led me to brush it aside as more security theater with little impact. There will be a small impact in 3 years, more in 5 years, and in 10 – 15 years we may see a majority of medical devices in use with a much improved security posture.

Similarly, I have underappreciated the US Government’s growing requirements for SBOMs. The government is not in a position to use them. They are overwhelmed trying to keep up with the top level products, let alone the components. I viewed it as a feel-good paper exercise that was wasting resources that could have been applied much better to achieve cyber risk reduction.

Looking at this requirement with a ten-year lens, it could have a big impact. Not because in 10 years the US Government (or industry) will make great use of these SBOMs. The impact will come from how this requirement drives vendor development teams to better understand and manage their supply chain and development process, and to address, and limit the growth of, their technical debt.

Thanks to those who are looking at OT cyber risk with a long term lens and with a focus on the one thing that can make a difference. The potential problem is that most who do not live in this OT security world believe, based on the messaging, that these programs will have a short term impact on OT cyber risk. They won’t.

Cynically, I guess the good news is there are no metrics for success other than an activity occurring.

This article was inspired by a conversation I had with Josh Corman for the Unsolicited Response show. This episode will come out tomorrow in the audio podcast feed and on the S4 Events YouTube Channel.