Protecting Critical Infrastructure with CISA and NIST Cybersecurity Guides, “Gordian Knot” Assessment, and Automation

Cybersecurity Awareness Month was in October and The White House proclaimed November to be Critical Infrastructure Security and Resilience Month. This announcement follows recent news that specific critical infrastructure sectors will be prioritized for cybersecurity risk management with new requirements, starting with transportation and followed by communications, water, and healthcare. The U.S. Administration is also expanding cybersecurity assessment and initiatives to the chemical sector over the next 100 days.

People in cybersecurity have a variety of opinions about awareness months, some rather humorous, as a Washington Post article titled, “The dread, sincerity and comedy of Cybersecurity Awareness Month,” points out. However, the national focus on critical infrastructure risk assessment is timely and urgent. Government leaders have stressed that a new way of thinking is required and solving the challenges of unrelenting cyberattacks and workforce shortages will require a “whole-of-nation” approach. In reality, we are facing a global crisis and alignment with the international community is also vital.

U.S. financial institutions were impacted by nearly $1.2 billion in costs associated with ransomware attacks in 2021 according to data reported to the U.S. Treasury Department, which is an almost 200% increase over the previous year. On November 1, 2022 The White House actually wrapped up a two-day ransomware summit where participants agreed to stand up a voluntary International Counter Ransomware Task Force to serve as a base for coordinated disruption and threat sharing. And data from industrial cybersecurity firm Dragos shows that ransomware continues as one of the most threatening financial and operational risks to industrial organizations.

Healthcare continues to be a top target due to the leverage cybercriminals feel they can wield because of the life-threatening potential of ransomware attacks. The Cybersecurity & Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and Department of Health and Human Services (HHS) released a joint Cybersecurity Advisory (CSA) in October to provide information on the “Daixin Team,” a cybercrime group actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.

The FBI Internet Crime Complaint Center (IC3) data showed that across all 16 critical infrastructure sectors, the HPH Sector accounts for 25% of ransomware complaints.

According to the article, “White House Sets Sights on New Healthcare Cybersecurity Standards,” Anne Neuberger, deputy national security advisor for cyber and emerging technology in the Biden Administration, said at a recent event that the U.S. is ‘pretty much last in the race’ when it comes to putting in place basic security standards for critical infrastructure compared to peer countries. She went on to say that HHS is “beginning to work with partners at hospitals to put in place minimum cybersecurity guidelines.”

Organizations often don’t know they have been breached or are about to be caught in the crosshairs of an incoming cyberattack. Recent industry reports found that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4 million, with the average time to sell corporate access just 1.6 days. And the Raspberry Robin worm is being used to deploy other payloads like ransomware. Microsoft Defender for Endpoint found that around 3,000 devices spanning nearly 1,000 organizations have encountered at least one Raspberry Robin payload-related alert in the last 30 days.

Critical infrastructure also faces major legacy system and connectivity challenges, with employees being targeted as well as vulnerabilities in older systems and new Industrial Internet of Things (IIoT) devices. Juggling intense monitoring tasks is causing security pros to struggle with information overload. Risks are compounded by both employees and leadership who don’t understand threats or take them seriously.

The CTO of Riverside County recently made a humorous point at a conference about a Seinfeld episode where he said, “I’m pretty sure I have a lot of elected officials using the George Costanza model where ‘Bosco’ is their password for everything,” referring to when George’s ATM code was his favorite chocolate-syrup brand.

The stress on security teams is taking a toll. One article reported that one-third of cybersecurity staffers are considering changing jobs over the next two years. And a Wall Street Journal article cited an (ISC)² report that said “companies don’t have enough cybersecurity staff to be effective. Almost half said their teams didn’t have enough time for proper risk assessment.”

Leadership must support the collaboration of cybersecurity, risk management, data governance, and supply chain staff to brainstorm how best to combat the threats to crucial data and systems.

A FedScoop article titled, “Biden Administration Seeking ‘Bold and Ambitious’ Ideas from Cyber Workforce RFI Says WH Official,” refers to a federal request for information on how best to grow the depleted U.S. cyber workforce. The Office of the National Cyber Director (ONCD) included an option to submit “Gordian knot” out-of-the-box suggestions and is asking for fresh ideas from cyber students and practitioners – not just vendors.

Deputy National Cyber Director for Technology and Ecosystem Security, Camille Stewart Gloster, said the government can’t do it alone: 

“That’s why it’s a whole-of-nation strategy; that’s why we’re engaging all of you … [M]uch of this will be a charge to industry, a charge to the education sector, a charge to a bunch of discrete stakeholder groups to take their piece and run with it.”

The “Gordian knot” reference is an interesting one as it refers to an Ancient Greek legend and metaphor about solving an insurmountable problem by looking for simple, creative, or decisive approaches. In the legend, whoever unties an oxcart’s impossibly tangled knot will rule Asia. Alexander the Great supposedly solved it by either cutting the knot with his sword or by just loosening the linchpin. Stanford University actually has a Gordian Knot Center for National Security Innovation.

Gordian Knot

In 2015 following the data breach of the U.S. Office of Personnel Management, Robert Duncan, a former CISO at Euronext and currently Group CISO at Ardagh Group, wrote an article on LinkedIn, “The Gordian Knot: Cyber Security.” He referenced the popular 1983 WarGames movie about a teen hacker who almost starts a world war, and says in the article:

“Firms are still not paying enough. They are cutting corners, not hiring the right people, underinvesting and running huge risks, or dealing with a poor corporate security culture. The problem is simply a Gordian Knot. Current approaches, ‘best practice’, and solutions are failing, and change is needed.”

He suggests that change can occur by “focusing on complexity and gradually reducing it.” What was true then is still true seven years later. The examples Duncan gives essentially have to do with proactively rooting out foundational problems by inventorying your assets (people, technology, data, etc.) and conducting risk assessments to determine true needs so you can simplify and prioritize controls.

In the fictional movie WarGames, the U.S. government invests in a new missile launch system on the assumption that an unemotional computer would be more secure and consistent, without fully evaluating it for potential human risks – such as its emotional programmer creating backdoor access or potential tampering by hackers.

Essentially, the method of simplification is to start with comprehensive cybersecurity risk assessments of assets, including human assets and risks. Controls are implemented according to risk appetite and risk tolerance.

Government and business leadership are waking up to how essential it is to perform ongoing risk assessments so that cybersecurity evolves beyond check-the-box activities. To do a proper assessment requires current inventories of assets and realistically and honestly analyzing potential threats. Visibility, communication and collaboration, and an understanding of potential bias are all critical for the risk assessments to be as accurate as possible.

Threat actors are using automation tools to amplify their attacks, and organizations must now prioritize intelligent automation as a tool to help perform accurate risk assessments and manage the onslaught of data and social engineering that is taxing the human limits of both security teams and employee awareness.

Intelligent Automation Helps Meet CISA and NIST Cybersecurity Goals

To support critical infrastructure cybersecurity, in late October 2022 CISA released its much awaited cross-sector Cybersecurity Performance Goals. These 37 voluntary goals are meant to act as a guide for critical infrastructure partners to help prioritize investments in cybersecurity, while also implementing the NIST Cybersecurity Framework.

However, some analysts commented to Cybersecurity Dive that the new guidelines confirm that most critical infrastructure operators aren’t even doing the basics today, and CISA said that the lack of basic protections such as multifactor authentication, stronger password management, and maintaining backups “repeatedly exposes critical infrastructure to damaging cyber intrusions.”

A few of the areas of focus in these goals include Securing Sensitive Data, Asset Inventory, Network Segmentation, and System Backups. Credential protection is also heavily emphasized. The importance of breaking down both communication and data silos can’t be overemphasized. In CISA’s new guide, the recommendation for “Improving IT and OT Cybersecurity Relationships” is:

“Organizations sponsor at least one ‘pizza party’ or equivalent social gathering per year that is focused on strengthening working relationships between IT and OT security personnel, and is not a working event (such as providing meals during an incident response)”

There is a lot in CISA’s new guide to digest beyond pizza, and intelligent automation will be necessary to help efficiently manage alerts and data, as well as communicate between departments about the changing risk landscape. The article, “How Embracing Automation Could Change the Future of Work,” found that almost 95% of respondents now consider intelligent automation a key component of their digital transformation strategies.  

The author states that since “4.2 million Americans quit their jobs this past spring, organizations may need to make the workplace more flexible – and in the industrial sector – we need to remove mundane, repetitive tasks to allow workers to focus on innovation.”

In a Halloween-themed article, we discussed the “scary skeleton” threats of legacy systems, the “Frankenstein” dangers of AI bias, as well as the benefits of intelligent automation to help manage asset risk assessments:

The skeletons and Frankensteins of cybersecurity and how risk assessment can help

For healthcare and other critical infrastructure with legacy systems, asset risk management is “paramount to effective Zero Trust Architecture” according to a Help Net Security article. Visibility is critical because that is truly the basis for all communication, collaboration, and feedback about what is working and what needs to change. Intelligent automation is a useful tool to help create visibility for risk assessment.

The National Institute of Standards and Technology (NIST) has also been continuing to develop guides with industry feedback to help prioritize growing cybersecurity risks.

NIST recently published “NISTIR 8286C: Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight,” which is the third companion piece that supplements the risk management guide NISTIR 8286, “Integrating Cybersecurity and Enterprise Risk Management (ERM).” This series provides additional details regarding the enterprise application of cybersecurity risk information. A fourth companion piece, 8286D, is currently in draft form.

We recently wrote an article that addresses NISTIR 8286 and how important the asset identification and communication aspects of it are to modern cybersecurity:

Cyber resilience requires managing human risks and leveraging innovation and automation

The first companion piece in the series, NISTIR 8286A “Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management,” lays the foundation for the success of later steps. A few key points from that document are:

Collaboration – “Effective management of risk throughout the enterprise depends upon collaboration and cooperation at each level.”

Risk Identification – “The value of each asset of a given system (e.g., information type, technical component, personnel, service provider) is appraised to determine how critical or sensitive it is to the operation of the system (see Section 2.2.1). Subsequent risk decisions depend on an accurate understanding of the importance of each resource to the system.”

“For each of these components, the practitioner identifies threat sources that might have a harmful effect (see Section 2.2.2) and the vulnerabilities or conditions that might enable such an effect (see Section 2.2.3).” 

“In many cases, security controls may be applied to mitigate risk by reducing the likelihood or impact of a risk to a tolerable level.” 

“If an unacceptable cybersecurity risk cannot be adequately treated in a cost-effective manner, that risk must be avoided. Such a condition may require significant redesign of the system or service.” 

“Risk identification represents a critical activity for determining the uncertainty that can impact mission objectives.” 

Inventory and Valuation of Assets – “The first prerequisite for risk identification is the determination of enterprise assets that could be affected by risk (part A in Figure 8). Assets are not limited to technology; they include any resource that helps to achieve mission objectives (e.g., people, facilities, critical data, intellectual property, and services).” 

Automation Support for Inventory Accuracy – “Accurate and complete asset inventory is an important element of CSRM, and the measurement of that accuracy is often a key performance measurement for CSRM reporting.”

“The use of automation helps to ensure that enterprise asset inventory is current, accurate, and complete.” 

Reducing Unwanted Bias in Threat Considerations – “While cybersecurity threat discussions often focus on the intentional and adversarial digital attack, it is important that all risk practitioners consider a broad array of threat sources and events. 

In addition, while highly unlikely scenarios might not need to be listed (e.g., a meteorite crashing into the data center), risk managers should avoid dismissing threats prematurely … practitioners will benefit from identifying and overcoming bias factors in enumerating potential threat sources and the events they might cause. Consideration of these factors will also help reconcile reactionary thinking with analytical reasoning.” 

Table 4 in NISTIR 8286A describes some of these biases and methods of addressing them, including the biases of Overconfidence, Group Think, Following Trends, and Availability. 

The NIST guides’ focus on managing human bias is often overlooked and is really a critical risk management step due to the ever-evolving nature of cyberthreats. We recently published several articles on the importance of collaboration and critical thinking to counteract habits, assumptions, and human bias like group think:

 
In these articles we also address the NIST and CISA guides’ emphasis on inventorying assets and using intelligent automation to improve the accuracy of the risk assessment process. Current-state asset inventory and unbiased threat assessment are foundational for “Gordian Knot” action because they form the basis for collaboration and feedback about the actual environment, enabling you to “see the forest for the trees.” You can then focus on what paths are most beneficial to protect the most important assets.

Zero Trust and Data Governance Benefit from Automation

Mapping and understanding your organization’s DAAS (Data/Assets/Applications/Services) is a critical starting point to choosing the best pathways for a Zero Trust journey. An effective Zero Trust approach means you conduct a baseline risk assessment of your environment so that you understand, prioritize, monitor, and manage your assets – which per the NIST Guide are your “people, facilities, critical data, intellectual property, and services.” To stay on top of growing data and threats, automation will be important to consolidate tedious, data-intensive tasks with speed and at scale.

Data governance requires data protection from both a security standpoint and a data quality standpoint. Without understanding and mapping data sources, lineage, flows, and data sprawl, data-based decision-making is at risk because you don’t know whether your data is comprehensive, current, or accurate. Over-retained, over-shared, and duplicated data also creates security and compliance risks and increases storage costs. Real-time, automated data indexing must be used to keep dwindling human resources focused on strategic tasks.

For unstructured and structured data, automated indexing of all data stores for visualization, filtering, and tagging down to the actual file content level is necessary to implement the policy-driven data classification and least-privilege access required for Zero Trust and data governance projects at scale. A recent Forrester research report also found that data discovery and classification is essential to the success of Zero Trust microsegmentation projects.

Data content and file attributes should be fully indexed and searchable in a single pane view with function-based dashboards to inform data management and control processes. Data needs to be identified, tagged, and classified to implement least-privilege access, as well as retention and compliance policies. Security and management systems should easily integrate. Access to mission-critical infrastructure controls and data should be clearly restricted by mapping data flows, user access, and privileged accounts as part of the inventory and risk assessment process.

Gordian Knot solutions require big-picture, current-state understanding. If as a nation we want to protect our data and critical infrastructure from modern cyberthreats, then we must prioritize current and ongoing risk assessments. We must also use real-time tools that empower leadership and staff to clearly evaluate and manage human risks, as well as the system and connectivity vulnerabilities, of our most vital systems and data.

Anacomp’s data discovery and intelligent document processing solutions help provide continuous data asset visibility and automate multiple functions for data ingestion and inventory, risk assessment, compliance, data tagging and classification, and digital transformation. Know and understand your current and ongoing data landscape to ensure the success of cybersecurity, risk management, data governance, compliance, cloud migrations, and analytics projects.

You can see what risks are hiding in your data estate by testing out data discovery on your own data with a free 1 TB Test Drive of Anacomp’s D3 AI/ML Data Discovery & Distillation Solution.

This article is an updated version of a story that appeared in Anacomp’s weekly Cybersecurity & Zero Trust Newsletter. Subscribe today to stay on top of all the latest industry news including cyberthreats and breaches, security stories and statistics, data privacy and compliance regulation, Zero Trust best practices, and insights from cyber expert and Anacomp Advisory Board member Chuck Brooks.

Anacomp has served the U.S. government, military, and Fortune 500 companies with data visibility, digital transformation, and OCR intelligent document processing projects for over 50 years.