With one year under its belt, the newly established Cybersecurity and Infrastructure Security Agency is ready to take the next steps in protecting the nation’s industrial control systems.
“This Saturday, Nov. 16, marks one year of the Cybersecurity and Infrastructure Security Agency from when it was established. I’m very proud of what my agency has accomplished over the past year,” said Richard Driggers, CISA’s deputy assistant director for cybersecurity, at CyberCon2019. “That being said, we’ve entered into our second year. We aim to accomplish even more.”
In that first year, the agency has developed a list of critical functions, contributed to election security efforts and worked with industry to protect the supply chain, with a special focus on 5G technology. Now, the agency wants to refocus its efforts on securing national industrial control systems, said Driggers.
CISA already provides a number of services for securing industrial control systems, including multiple types of vulnerability assessments, malware analysis and critical product evaluation.
“We will continue to do those things, but we have to think more strategically, particularly about industrial control systems,” said Driggers.
The agency is centering that strategic effort around four pillars: asking for greater contributions from the industrial control systems community; driving technology innovation; building deep data capabilities; and looking over the horizon.
“The threat landscape is evolving. The vulnerability landscape is evolving. The adversaries’ tactics, techniques and procedures and their tradecraft is evolving. And we also know that the infrastructure landscape is going to continue to evolve,” said Driggers.
“Those types of infrastructure that we are worried about protecting against today are going to be different in the future,” he added. “Ten, 15 years ago we weren’t worried about securing the cloud. Today we are. So we have to be focused over the horizon to make sure that we can be ready with our technologies, be ready with the types of defensive capabilities that we’ll put into place.”
To do that, CISA needs partners.
Driggers said CISA has established an interagency working group to ensure the agency is taking a whole-of-government approach to solving the industrial control systems challenge. That group is working with DoD, the Department of Energy, the Department of Transportation, the FCC, the NSA and more in those efforts.
The working group has four main focuses: developing standards; understanding the supply chain; improving detection of threats and response; and building the cybersecurity workforce.
And once the government’s house is in order, relatively speaking, CISA will engage more fully with industry, said Driggers, who added CISA will be speaking with private-sector leaders toward the end of this year in advance of a working group executive committee meeting early next year, where they will “bring in some senior leaders from private industry to talk to them about the challenges and the risks” and to hear from them.
Building partnerships with industry will be key to securing industrial control systems, said Driggers.
“This is not something that the government is going to be able to do by ourselves. It is critical that we work very, very closely with the private sector and industry.”