May 12 2025

Q&A: CISA’s John Bryant Talks No-Cost Critical Infrastructure Services

As cyberthreats against critical infrastructure mount, he urges utilities and other CI organizations to leverage CISA’s no-cost resources.

Hacking activity against critical infrastructure has increased in recent years, as documented in reports by KnowBe4 and Check Point Research. The issue has been a major talking point for lawmakers of both political parties.

In a recent interview with StateTech, John Bryant, CISA’s cybersecurity chief for Region 7 (which covers Iowa, Kansas, Missouri and Nebraska), spoke about the agency’s no-cost services available to state, local, tribal, territorial and private organizations that manage CI. Below are excerpts from that conversation.

STATETECH: What resource shortages does critical infrastructure face, and how can they be addressed?

BRYANT: CI consists of a mix of state, municipal and privately owned and managed facilities. Each comes with its own resourcing and sector-specific challenges. They operate in varying, disparate environments, including regulatory, which can introduce issues and challenges for access to those resources. I've worked with some out here in Region 7 that are just very small organizations in a rural area, and they don't have access to all the skill sets they need.

It really needs to be a team effort to address this. It must start at the highest level and work its way down to the local levels, where cybersecurity is prioritized and resourced and where so often cybersecurity is just one of those overheads that organizations can't afford. There must be some sort of prioritization and resourcing there.

STATETECH: Critical infrastructure supply chains have been a source of risk in recent years. How do you rank that level of risk, and how can it be mitigated?

BRYANT: I would rank it as one of the top targets for threat actors, because it's those supply chains and those vendors that basically have the intel for the network. With that information, bad actors can figure out what type of equipment the CI has, and maybe even what the configurations are. Plus, they're often interconnected so that vendors can help manage and support those devices, and that’s another vector that the threat actor can use to just kind of walk in through the back door.

At the same time, it does fall upon the CI to manage that supply chain. At CISA, we have our Secure by Design and Secure by Demand initiatives that can support those organizations.

STATETECH: What are CISA’s Secure by Design and Secure by Demand initiatives?

BRYANT: Secure by Design is where we work with private sector manufacturers. We ask them to sign a pledge where they take ownership of the security for those products.

Once they sign the pledge, they have a year to report back and let us know their progress. They implement multifactor authentication, and they provide the transparency and the updates for systems or applications, and they can then show that progress and how they’re taking ownership of the security.

Secure by Demand is for the critical infrastructure. We have questions that we share with them. When the CI is making an acquisition, they can ask manufacturers those questions to determine how that vendor prioritizes cybersecurity.

All of this information is available on our website. Customers can see who has signed that pledge and their progress. The federal government can't recommend a specific vendor or product, but the customer can take this information and determine if that vendor can meet their requirements and provide the additional security so they have a better idea, and a better way to make an informed decision.

CHECK IT OUT: Access CISA’s Secure by Demand questionnaire.

STATETECH: How else can critical infrastructure hold vendors accountable?

BRYANT: They can work with the local regional CISA offices and staff. We have one external dependency management assessment which lets us look at how they manage their relationships with their vendors and service providers, and through that, we can make recommendations for them.

Plus, they can work with Information Sharing and Analysis Centers — the ISACs — which cover specific sectors, and many of these are for CIs. Also, all of our services and resources are at no cost. Where we have the regional offices, we even have staff in the local areas that can come onsite and work with them, or they can do it via Teams or other video tools.

STATETECH: What other resources does CISA provide for CI?

BRYANT: For assessments, we have vulnerability scanning they can sign up for. We can scan their public-facing devices for vulnerabilities every week, and they receive a report every Monday. They can then prioritize mitigating those vulnerabilities before they become a victim.

We also have tabletop exercises, and we have templates for policies and plans if they need someplace to start.

Threat intelligence is another resource. They can sign up for threat intelligence and alerts through our website. Plus, we can work with them on getting them connected to other groups for information sharing. They also have access to local field staff, and we can introduce them to some of those additional resources, like the ISACs. 

LEARN MORE: Get in contact with your regional CISA office.

STATETECH: Who are CISA’s resources for, and are they taking advantage of them?

BRYANT: Our resources are available to state, local, tribal, territorial and private organizations. CIs are eligible for our no-cost services. We serve them all.

As for taking advantage of it, if they're aware of us, our presence, they take advantage of us. I have not seen a CI that was reluctant to work with us once they knew what we offer.

ACCESS RESOURCES: Inquire about CISA’s External Dependencies Management Assessment.

STATETECH: What else is important for CIs to keep in mind?

BRYANT: I would say that, for the critical infrastructure, this really should be a No. 1 priority for them, because we know that advanced persistent threat actors are out there targeting these specific organizations. So, even though they may be just a small CI out in a rural area, they are still a priority target for many of those threat actors.

I would add that we, at CISA, are advisers. We are not auditors. We're not going to come in and shame anyone or throw any kind of fines on them. We are there to help reduce risk and help them to better secure their environment.
