Critical infrastructure cyber security is in the spotlight thanks to the new Presidential Executive Order on Cyber security. No matter what you think about U.S. politics, most would agree that it’s good to see government taking action that increases the urgency for improving the cyber resiliency of critical infrastructure such as the electricity grid. Building upon the first Cyber security EO13636, signed in 2013, this order specifically addresses “publicly-traded critical infrastructure entities” and all critical infrastructure sectors.
Section 2 of the order calls out the need to improve cyber risk management efforts. If you work for an electric utility or other industrial critical infrastructure operator, you should be aware that recent advances in technology can greatly help with risk management for operational technology environments, and do so in a way that is simple and safe to implement.
Executive Order on Strengthening the Cyber security of Critical Infrastructure
While the entire Presidential Executive Order covers the cyber protection of three areas (federal networks, critical infrastructure, and public online systems), six items are highlighted for critical infrastructure:
- Supporting the cyber security risk management efforts of the owners and operators of critical infrastructure
- Providing support for the critical infrastructure at greatest risk of attacks that could result in catastrophic effects on public health, safety, economic security or national security
- Supporting transparency of the cyber security risk management practices of public critical infrastructure entities
- Promoting resilience against botnets and other automated distributed threats
- Assessing electricity disruption incident response capabilities
- Analyzing the cyber risks facing the defense industrial base
The Executive Order (EO) is about requiring various federal agencies to work with each other and operators to produce reports for the President, and fairly quickly too, with deadlines ranging between 90 and 240 days.
How does that affect you? Well, it’s a pretty sure bet that the management teams of all electric utilities and energy companies are going to be calling on their operations and cyber security staff, whether in OT or IT, to summarize their risk management practices and plans, and to do so very quickly.
When considering what you are doing now, and what you can possibly do to quickly improve, be aware of how passive anomaly detection and real-time visibility solutions can rapidly identify and report on the security posture of your operational systems.
Improving Risk Management with Passive Anomaly Detection
You may not be aware that over the past few years a new category of ICS cyber security products has become available. Offerings in this area, led by Nozomi Networks’ Guardian, use Machine Learning and Artificial Intelligence to quickly learn and model large, heterogeneous Industrial Control Systems (ICSs) automatically, creating baseline security and process profiles.
There are two aspects of this that are particularly relevant for enabling rapid risk assessment:
- Guardian is completely passive and poses no risk to network communications or processes. It connects to network devices via SPAN or mirror ports, and installs non-intrusively with no downtime or network disruption.
- The inventorying of your assets and the modeling of your network and its processes is extremely quick. Within minutes you gain visibility into your ICS in a way you likely have never seen before. In the experience of our customers, operators are always surprised when they see their system in the Guardian interface. Often they immediately recognize a connection or device they didn’t know existed. Because the deployment is complete within two hours, they gain immediate visibility, with dashboards and reports at their fingertips.
Specific capabilities are called out in the EO. Here’s how our solution aligns with them:
- Anomaly Detection (section 1,b,i)
  After automatically learning your system, our anomaly detection enables real-time monitoring that identifies incidents such as:
  - Malware attacks, including complex or zero-day ones
  - Unauthorized behavior, such as remote access, configurations, downloads
  - States of concern, such as communication failures, malfunctions and new assets
- Mitigation and Recovery from Incidents (section 1,b,i)
  - Dashboards that consolidate alerts into context-aware incidents
  - Real-time querying of any aspect of network or ICS performance
  - Forensics assistance via ICS incident replay and archiving
- Vulnerability Mitigation (section 1,b,iv)
  - Automatic identification of devices with vulnerabilities, including severities
  - Clear, summarized visibility of vulnerability risk
  - Ability to sort vulnerable assets by vendor or other attribute
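As an added illustration of the passive learn-then-monitor approach described above (example code, not Nozomi Networks’ or Guardian’s own), the following Python models a SPAN-port sensor that learns assets and conversations from a learning window of flow records and then flags new assets and remote-access sessions during monitoring. All addresses, ports and protocol names are constructed.

```python
"""Passive baseline learning and anomaly flagging over constructed ICS flows.

Added example, not vendor code. Each flow record is a constructed tuple
(src_ip, dst_ip, dst_port, protocol) as a passive sensor on a mirror port
might summarize it; the sensor never transmits, so it cannot disturb the process.
"""

# Protocols whose first appearance toward a controller is treated as
# unauthorized remote access (assumed policy for this example).
REMOTE_ACCESS_PROTOCOLS = {"rdp", "ssh", "vnc", "telnet"}

# Constructed learning-phase traffic: an HMI polling two PLCs over Modbus/TCP
# and an engineering workstation writing to the historian database.
LEARNING_FLOWS = [
    ("10.0.1.10", "10.0.2.21", 502, "modbus"),
    ("10.0.1.10", "10.0.2.22", 502, "modbus"),
    ("10.0.1.10", "10.0.2.21", 502, "modbus"),
    ("10.0.1.50", "10.0.1.60", 1433, "mssql"),
]

# Constructed monitoring-phase traffic: baseline flows plus an unknown host
# talking Modbus to a PLC and an RDP session from a known host to a PLC.
MONITOR_FLOWS = LEARNING_FLOWS + [
    ("10.0.9.99", "10.0.2.21", 502, "modbus"),   # host never seen in learning
    ("10.0.1.50", "10.0.2.22", 3389, "rdp"),     # remote access to a controller
]


def learn_baseline(flows):
    """Model the system as its known assets and its observed conversations."""
    assets, conversations = set(), set()
    for src, dst, port, proto in flows:
        assets.update((src, dst))
        conversations.add((src, dst, port, proto))
    return {"assets": assets, "conversations": conversations}


def detect_anomalies(baseline, flows):
    """Return (category, flow) for each flow that deviates from the baseline.

    Flows already in the baseline are silent. Deviations are classified as a
    new asset (unknown host), unauthorized remote access, or a new conversation
    between known hosts (e.g. a configuration download path not seen before).
    """
    alerts = []
    for flow in flows:
        if flow in baseline["conversations"]:
            continue
        src, dst, _port, proto = flow
        if src not in baseline["assets"] or dst not in baseline["assets"]:
            alerts.append(("new_asset", flow))
        elif proto in REMOTE_ACCESS_PROTOCOLS:
            alerts.append(("unauthorized_remote_access", flow))
        else:
            alerts.append(("new_conversation", flow))
    return alerts
```

In a real deployment the learning window closes once the model stabilizes, and every later deviation becomes an alert with the device context needed for the dashboards and reports discussed above.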
Be Ready for Management and C-Level Reviews of Cyber Security
There will be lots of discussions about cyber security at U.S. electric utilities and operators in the next few weeks and months. You will obviously want to do your own analysis of the Executive Order and what it means for your operation. If risk management and incident response for your critical ICS environments are high priorities coming out of that exercise, be sure to consider how the latest anomaly detection and monitoring solutions can help. We’d love to implement a Proof of Concept of Guardian at your facility to demonstrate its capabilities. These can be up and running well within the timelines of this Executive Order.
At Nozomi Networks we are 100% focused on improving cyber security for critical infrastructure control systems, so whether you’re driven by the urgency created in this Executive Order or by the desire to address the escalating cyber threats to industrial control systems around the globe, Nozomi Networks is ready to help you right now.