The Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released a new strategy aimed at boosting the cyber security of control systems used in industrial processes and demonstrating the agency’s commitment to making industrial control system (ICS) cyber security a priority.
Cyber-attacks against industrial control systems and operational technology in general are a concern because they can shut down or disrupt production lines, or worse, cause control systems to malfunction, resulting in damage or loss of life and impact entire communities such as if a dam or nuclear power plant fail.
“In recent years, we have seen industrial control systems around the world become a target for an increasing number of capable, imaginative adversaries aiming to disrupt essential services,” CISA Director Christopher Krebs said in a statement. “As attackers continue trying to exploit vulnerabilities in ICS, we need to make sure we’re staying ahead of them. Together with our partners in the ICS industry and the security community, this strategy will lead us to new, unified initiatives and security capabilities that will markedly improve the way we defend and secure ICS.”
In a separate opening letter included in the 15-page strategy, Krebs said existing ICS devices are difficult to secure without impacting operations and that with the coming of technological advances with 5G artificial intelligence and advanced analytics, these will offer “both advantages and additional uncertainties.” He also highlights the increasing convergence of information technology and operational technology is opening new attack vectors against ICS devices.
The strategy lists four pillars to guide CISA. The first pillar is to “Ask more of the ICD community, and deliver more to them,” which involves strengthening partnerships between the agency and its partners in the ICS community writ large to “empower CISA’s partners to mitigate ICS risk.”
The second pillar is to “Develop and utilize technology to mature collective ICS cyber defense,” with a focus that drives a more proactive approach to securing and hardening ICS systems, including designing security into “new ICS devices.”
Pillar three, “Build ‘deep data’ capabilities to analyze and deliver information the ICS community can use to disrupt the ICS cyber kill chain,” is aimed at CISA obtaining more and better quality data to improve its analytics capabilities so it, in turn, “can provide better threat and vulnerability information to our partners.”
With the fourth pillar, “Enable informed and proactive security investments by understanding and anticipating ICS risk,” CISA said it will better understand the “risk landscape” to “inform investments into proactive initiatives that move the ICS community ahead of the threat curve.”
It also said that having greater visibility into the risks facing the community will give it a better understanding of the dependencies’ critical infrastructures and that of the national critical functions on ICS. A better understanding of the risk landscape will also allow the agency to provide improved modeling of the risks and consequences.