The White House is drafting an executive order tied to the SolarWinds hack, geared toward software security with particular attention to the software supply chain of critical infrastructure.
"The level of visibility has to match the consequences of the failure of the systems," said Deputy National Security Advisor Anne Neuberger, during the SANS ICS Security Summit Friday.
Organizations should be familiar with the cybersecurity practices of a vendor before the software is adopted. Transparency in cybersecurity and risk will determine the value of a solution. The amount of trust in technology organizations is "proportional to the visibility we have," said Neuberger.
The role the private sector will play in public sector collaboration will determine how well industrial control systems (ICS) and operational technology (OT) environments will be able to stop malicious activity in real time. But it's first up to the government to reduce friction that makes cross-sector partnerships difficult.
"If you can't see a network, you can't defend a network. And if you can't see a network quickly, you certainly don't have a prayer defending a network," said Neuberger. Critical infrastructure is a prime target for adversaries intent on disrupting IT and OT systems. The Biden administration is also building a "plan of high-impact activities" that are quickly executable for ICS/OT that impact the public, she said.
But OT security is unique compared to IT security. "It doesn't work to simply take IT solutions and drop them into OT. Something new is needed," Duncan Greatwood, CEO of Xage Security, told Cybersecurity Dive in an email.
ICS and OT environments are composites of legacy and modern tech. Some of the technologies intertwined in OT environments "have multidecade lifetimes," and inherent resistance to centralization, said Greatwood.
Cyber in the White House
President Joe Biden's National Security Council (NSC) is steeped in cybersecurity expertise, a welcome change in the White House, experts say.
The administration's overall cybersecurity literacy is "unusually high," said Robert Lee, co-founder and CEO of Dragos, during the summit. "We've even got the national security adviser and the press secretary tweeting out about patching vulnerabilities in Windows. It's just not normal."
The Biden administration is prioritizing cybersecurity, in part because of high-profile incidents including the SolarWinds hack and Microsoft Exchange. It's a change of pace to have cybersecurity so integrated in the NSC because historically there has been a gap between federal officials and modern tech, according to Greatwood.
The federal government knows cybersecurity is important, "but they often don't know why or how. Nonetheless, cybersecurity for critical infrastructure has been on the agenda for some time," said Greatwood. The SolarWinds incident and the Oldsmar, Florida, hack brought cybersecurity and physical-cyber "close to home for many."
Given the emphasis the White House and Congress are putting on cybersecurity, industry should expect regulations and requirements. "I think the sectors, sometimes especially in industrial, are almost intimidated to move, knowing that they might make the wrong move," said Lee.
In order to break through cross-sector partnership barriers, officials need to understand the needs of each critical industry. Engaging with the private sector is vital to "really understand the uniqueness [that] power is different from water, which is different from chemical," said Neuberger.
Some sectors are easier to work with in terms of providing government insights and visibility. The Biden administration will have to work out which ICS-dependent industries are given the federal government's immediate attention. "I've seen previous administrations and policy folks come out and say we love everyone, we love everything, we're going to do everything, and then they don't do much," said Lee.
Prioritizing critical industries will be done in part by "90-day spins," where the most significant issue gets the first phase of attention, and then rolls out into second, third and fourth phases, Neuberger suggested. Larger utilities impacting larger populations will receive priority.
The government will have to assess what incentives and disincentives exist to maintain fruitful private/public sector partnerships throughout the phases. "It's more a matter of scope and setting multiple steps, learning in each step. We learn by doing and then applying those lessons with each successive step," said Neuberger.
Such is the case for SolarWinds. The White House previously said the investigation is expected to take months, though it could be longer. The hack's involvement of so many sectors indicates the breach extends beyond espionage and more toward disruption.
During the SolarWinds investigations, experts found poor OT visibility and a lack of network activity logs in impacted industrial sectors. "That was one of the things that was eye opening for us as we started combing through the lessons from SolarWinds," said Neuberger. Logging should be routine; otherwise, response is weakened and slowed.
On Thursday, Microsoft uncovered three new strains of malware related to SolarWinds. However, according to Neuberger, finding novel malware is harder to do without regular logging.