CISA and other US government departments have accomplished little in OT cyber security and risk management over the past two decades. There has been an increase in funding and activity, not results. While the loss of talent and capability this year in the USG is regrettable, it is time for a reset.
Previously I laid out what I believe governments should do, see OT Cyber Security Regulation (if I were omnipotent). This is similar to PCAST’s minimum viable delivery objectives that came out later.
It’s fine if you believe something else should be done. What’s clear is that past work has had minimal impact. CISA and the broader USG need to try something different, and they need to have a hypothesis and risk-based metric for each effort. They need a reset.
Let’s look at past activities that need to stop or be radically changed:
OT Security Guidance Content
The amount of CISA generated content exploded in the last four years. Rarely did a week go by when there wasn’t one or more guidance documents telling private industry what they needed to do in OT security. More and more documents and other content. More and more requirements. More and more hype of the threat, most recently on trivial small water utility incidents.
A lot of this information was duplicative. Many times it was conflicting. Rarely was it prioritized. As soon as something potentially constructive came out, such as the Cybersecurity Performance Goals, it was diminished by a number of other guidance documents.
OT security is not held back by a lack of good practice documentation. The opposite is true. CISA and other USG departments should cut back on their guidance and associated recommended requirements. Most of it isn’t wrong. It’s not needed and not helpful.
A ray of hope is the possibility of an organized and more limited set of guidance documents in a Foundations of OT Cybersecurity structure.
Government Programs Inefficiently Duplicating Private Industry And Known Information
Rob Lee stated it well in his congressional testimony last month (at 34:47):
“We have to let the private sector lead on technology. We already have the tools to detect advanced threats. Federal efforts to replicate them just waste money and slow adoption. Fund deployments. Not reinvention. Government should focus on over the horizon threats. The private sector has already created the tools and techniques needed to deal with the threats in the here and now. It’s just about execution. Government tools have consistently underperformed in comparison with private sector tools and at a higher cost to taxpayers.”
The fourth witness in this congressional hearing was Nate Gleason of Lawrence Livermore National Lab. Amusingly and ironically, he touted the Cyber Sentry program which was just the type of program Rob was correctly highlighting as a duplicative and less capable technology. Unfortunately none of the representatives noticed and questioned this panel disagreement.
Rob focused on detection and threat. The USG’s duplicative programs are much broader than that. Two different examples:
- Dept of Energy CyTRICS identifies vulnerabilities in vendor products. There are many companies that do this, and the CyTRICS vendor participants (GE, Hitachi, Rockwell Automation, Westinghouse, etc.) have the resources to hire them. The vendor participants also have skilled internal teams that can do this testing. The most galling aspect is that the results are 101-level vulnerabilities that would be found by a basic assessment (and are already known by many). The program is hugely inefficient, unnecessary for the USG to do, and easily done by private industry.
- Multiple programs that demonstrate security technology will work in various OT sectors when this is already known. These are increasingly cropping up, especially in renewable energy. NIST’s NCCoE is one example. Government funds a program that shows certain technology can work in a wind farm, on the manufacturing floor, in a water treatment plant, … Unnecessary.
CISA and Other Government Services
There is an increase in the USG knocking on the door of critical infrastructure and offering to do a free assessment, assist with incident response, or help with system design. This makes no sense. There are plenty of OT security consultants now, and if more are needed the market will create them. Even if the USG is effective in these services, it can’t scale to what is needed. It’s a program that will fail.
The USG should do only what only the USG can do.
The downside to the reset is a significant loss of capability. A lot of talent was terminated, unfunded, or resigned. While I’m critical of the USG’s OT security efforts over the years, even with an increasingly large budget, the recruiting and growing of talent by Jen at CISA and other departments was an accomplishment that was thrown away.