There has been a deluge of guidance and services, and a growing desire to regulate, coming from the US Government in the last two years. A portion of that has been aimed at OT and ICS security. CISA has led the way in volume since Jen Easterly became Director. The Dept of Energy's CESER, DoD, NSA, and other sector-specific agencies have been prolific as well.
Do these efforts have the potential to make a difference in OT and ICS security cyber risk for the nation?
The efforts can be broken into three areas: guidance, regulation and services.
Guidance is the easiest of the three and, unsurprisingly, the area with the most activity, the most promised and the most delivered. Is it the most helpful? No, for three reasons.
- In the last five years there has not been a shortage of guidance on security controls and cyber risk management. The US Government is not providing something that is missing.
- The US Government guidance is almost always the conservative consensus of what is being said and written elsewhere. It is not new or different guidance. It is repackaged guidance.
- There is too much US Government guidance. Too much content. Much of it overlapping and some of it conflicting.
Asset owners' and the broader OT and ICS security community's efforts have not been hampered by a lack of quality guidance documents. More likely they have been hampered by having too much unfocused guidance. CISA's Cybersecurity Performance Goals were a possible exception, but they have been overwhelmed by and lost in all of the other guidance.
We have seen cybersecurity regulations for pipeline operations and medical equipment, and an attempt at them for water. The SEC disclosure rules are a different, less prescriptive approach.
Regulation is hard. It’s hard to write a set of regulations that efficiently reduces or caps OT cyber risk. It’s hard to get regulation in place in the US. And it’s hard to run a regulatory compliance program.
Regulation is also the only one of these three areas that, in most cases, can only be done by government. It is the area where the government should be spending its resources. Of course, the fear is that they do it wrong and add a lot of cost for the risk reduction achieved.
The focus shouldn’t be to create a long list of security controls. My recommendations for regulation are in an earlier article.
The US Government, primarily CISA, offers scanning, assessments, training, incident response and more to asset owners with OT. These services duplicate what is available from private industry. They are not as good as what private industry offers, but they are free (at least to the asset owner, if not to the taxpayer).
Most of these services (assessments, incident response, anything not automated) don’t scale. The two cases that can be made for these services are:
- they provide a sample-based set of data that the government can use to understand the security posture and threat environment.
- they are mandatory services that the government can use to step in for incidents that would have a high or catastrophic impact on the country. Colonial Pipeline is the best example to date.
These don't appear to be the drivers in 2024. Like the guidance documents, the services are an easy opportunity to show action and to produce counting stats that are often accepted as success.
Note: One of my 2024 resolutions is to have a max of one article per month on the US government efforts in OT and ICS security. Can I show the restraint?