I’ve had the chance to interview the last three leaders of DHS’s OT security efforts at S4 (only missing out on Seán Paul McGurk). For good or bad, the message has been consistent: emphasis on information sharing, public / private partnership, new .gov organizational activities, and other bromides. There has also been a consistent absence of metrics related to security posture or risk. I contend there has likewise been a consistent lack of return on the investment of time and money and, most importantly, a consistent failure to effectively use the clout DHS has when it comes to addressing OT cyber risk.
Will this change with Sean Plankey?
Let’s look back.
Marty Edwards still holds the record as the longest-serving person responsible for OT in DHS (6 years 4 months). This was back in the days of ICS-CERT, when DHS structurally had a separate organization responsible for OT security. This meant the leader could be someone like Marty, who had experience as an engineer with an OT asset owner, an OT integrator, and a national lab OT security program. The downside was that Marty didn’t have nearly the clout and power that the CISA Director has.
Marty was a good sport and allowed me to interview him in an interrogation setting at S4x16. Below is his answer on metrics: how do we know if DHS is succeeding? (Full interview at this link.) The metrics were activity based. They put out this many alerts, this many documents. They performed x onsite assessments. They trained y people. To his credit, Marty wasn’t happy with these activity-based metrics.
Chris Krebs came in shortly after Marty, with a blip of NPPD control, and was there when ICS-CERT was disbanded and rolled into CISA. He did come and speak at S4 and sat for an interview. OT security seemed to get lost in the larger set of responsibilities the CISA Director has. Chris was not disinterested or uncaring, but his tenure, as far as OT was concerned, was characterized mostly by organizational changes.
Jen Easterly was the CISA Director until January of this year. While she also lacked OT and OT security experience, OT was an area that received great attention during her time at CISA. Her tenure may be the highest-volume and most effective messaging to raise the profile of OT security we will ever see from the USG. It was presented in a variety of formats, and Jen herself has a knack for delivering a message in a way that gets noticed.
If the goal was to raise OT security awareness across the critical infrastructure sectors, especially small and medium-sized companies, and the broader constituencies in the public and government, it was a smashing success. CISA was held in high regard broadly across the US and the world. If the goal was making progress in improving the CI OT security posture and reducing OT cyber risk, the results were disappointing. This era would score high on activity and image metrics, and low on results metrics.
The Secure By Design Pledge is a great example. Another is the Shields Up promotion that I had a chance to ask Jen about at S4x22.
As Jen notes in the clip, a lot of the content and messaging was aimed not at OT security professionals or those engaged in OT cyber risk management. It will be very difficult for Sean or anyone else to match CISA’s performance on widespread awareness. There is an opportunity for Sean, or whoever comes next, to do much better in working with, supporting, and messaging to the OT security community.
A bright spot is that Sean has a year at BP and led the US Dept of Energy’s cybersecurity program for energy systems at CESER. Hopefully this remains an area of passion and gets emphasized in CISA. The Trump Administration has been willing and eager to throw things out and start over. This can be bad, and it can be good. It all depends on what replaces it. Inevitably this much change means a lag time while the new is put in place, and this is already being noticed.
Personally I’m hoping for less messaging, more work with the OT security community, more OT and OT security experience recruited into CISA, and less integration of OT into the large CISA cybersecurity efforts. And most importantly, that whatever they decide to prioritize their resources on comes with a statement, at the start, of how success will be measured. What are the metrics? Unlikely, I know, but dare to dream.