This article is sponsored by ABS Group.
Basic cyber security measures are no longer sufficient to protect national infrastructure and industrial operations from cyber attacks. ABS Group’s new Cybersecurity Program Manager Jon Bierer explained to SmartBrief the best certifications for the sector, how to prepare for future cybersecurity regulations and threats, and which often-overlooked systems are vulnerable.
How has the risk profile for the industrial sector changed in the last few years?
All regions and countries have different risks. Some of those risks have grown exponentially in the last couple of years given recent impactful events, such as the COVID-19 pandemic, record inflation and the Russia-Ukraine conflict. The regular course of business was widely interrupted around the world as economies slowed and the global supply chain was impacted. Many companies tried shifting to a work-from-home strategy during this time, as well.
All these factors contribute to significant shifts in the way business is conducted. When that happens, it often leaves gaps in processes and gaps in security, gaps that couldn’t have been identified ahead of time, but only in hindsight. These gaps, once discovered, will take time to remedy and may require a comprehensive review to ensure that everything is considered and nothing is missed. Understanding your business and its inherent risks will be key to securing your business and its future during these challenging times.
How often is security for operational technology overlooked? Why might that be?
Operational technology (OT) is often overlooked by most business sectors. Most of the money spent on cybersecurity is generally focused on securing IT systems, such as in-office networks, servers and employee workstations. This is typically where the critical data resides and so it receives the bulk of the attention. Operational technology shouldn’t be overlooked, though.
Within OT are Industrial Control Systems (ICS). These systems run industrial operations and power machines that keep electricity on, water flowing and air conditioning moving. It’s because these systems have received so little attention over the years that criminals are starting to realize their inherent weaknesses and seeking to exploit them. Imagine waking up one day and you have no more electricity, no more water, no more air conditioning, no more phone service, no access to the internet. Water plants, sewage plants, railroads and power grids have all been attacked, and some of these have been attacked successfully.
What processes do you suggest certifying, as part of a comprehensive cybersecurity strategy?
Operating a business is an exercise in risk management. It all starts there. Every decision a company makes carries some risk. And security exists to support the business and mission objectives of the company, not to say “No”, but to ask, “How can we say yes and remain secure?” Conducting a comprehensive risk assessment identifies threat actors, threat vectors, vulnerabilities, hazards and impacts that executives may never have considered previously. Once the risks are identified, they must be mitigated somehow to reduce the negative effects of those threats and their impact on business.
Four basic approaches include risk avoidance, reduction, transference and acceptance. Once you’ve identified the risk environment and decide how best to mitigate it, you can then start to implement a security control framework that will shore up your defenses and protect your critical business information and processes. There are a lot of great frameworks out there. Choosing the right one for your environment hinges on several factors. The key to a successful security management program is solid documentation. Start with company policies, standards, procedures and a solid system security plan for your information systems. Adopt a controls framework such as ISO 27001, NIST 800-53, NIST 800-171 or Cybersecurity Maturity Model Certification (CMMC). Implement these controls and review them continuously.
Who should work towards getting Cybersecurity Maturity Model Certification?
Most companies would benefit from a CMMC implementation. CMMC was designed by the government to be implemented by companies in the Defense Industrial Base (DIB). These government contractors routinely receive, create, store and process government information that needs to be protected, often referred to as Controlled Unclassified Information (CUI).
The object is to protect sensitive information, which most businesses have. CMMC is a tiered model and has three levels of maturity. Level 1 is called Foundational and has 17 security practices that companies should implement. Level 2 is called Advanced and has 110 security practices. Level 3 is Expert and has the 110 practices from Level 2, plus several enhanced security practices.
Are there benefits to early adoption of CMMC?
There are many! There’s an illustration called a product adoption curve that describes the timeline of consumers adopting a new product or service in the marketplace. It consists, in order, of innovators, early adopters, early majority, late majority and laggards. Right now, we’re in the early adopter phase of that curve. Adoption is starting to ramp up and those with foresight are taking advantage of the time and availability of existing Certified Third Party Assessment Organizations (C3PAOs) to come in, assess and certify that their information systems meet the required compliance requirements the government has laid out in CMMC.
To provide context, some estimates say that there are 300,000 government contracting companies. Right now, there are approximately 16 authorized C3PAOs. There are way too many companies for the existing C3PAO pool to address. And the Department of Defense (DoD) has stated it can take 9 to 12 months for most companies to correct their information system environments and submit for a CMMC certification assessment.
If companies cannot get CMMC certified in the next year, they risk missing out on the ability to win contracts that have CMMC certification requirements. The DoD has also stated that over the last few years, their assessments reveal that only 25% of companies assessed were fully compliant. Companies need to start today because the lead time to remediate their environments could take 12 months or more, and then the lead time to get assessed by a C3PAO could be many more months as they wait in line with everyone else. Don’t wait for the majority; be an early adopter!
How do you see government guidelines for cybersecurity advancing?
There are a lot of opinions about how the government will advance cybersecurity guidelines for the DIB. In May 2021, President Biden issued Executive Order 14028: “Improving the Nation’s Cybersecurity,” which mandated the adoption of Zero Trust after a series of attacks on critical infrastructure. In January 2022, the Office of Management and Budget (OMB) then issued Memorandum M-22-09: “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles” which advised on best practices for implementing Zero Trust, along with providing mandates for targets that must be achieved by 2024.
I started to see the writing on the wall in 2020, before the executive order was issued. Cybersecurity professionals were starting to pay more attention to Zero Trust, more conversations were being had and there were more debates about the merits of such an approach and the viability of such a plan across the government.
What is Zero Trust? Zero Trust is a strategic approach that eliminates implicit trust in digital interactions and requires continuous validation. It ensures that every person and device granted access is who and what they say they are. Even if they were just validated a few moments ago, they must validate again. As threat actors continue to seek and find weaknesses in our defenses, we must find new ways to operate in a safe and secure manner, in ways that do not hinder but encourage business innovation and growth.