Industry Feedback from Executive Order on Improving the Nation’s Cybersecurity


The recent signing of the Executive Order on Improving the Nation’s Cybersecurity has spurred much discussion across the industry. IIoT World asked leading cybersecurity experts and organizations for their input on the EO, and we’re sharing the discussion with our community. Here are some excerpts from our exchanges on LinkedIn:

 

“Having the EO emphasize the partnership between government and the private sector is encouraging. I have said for some time, and I know many of your followers agree, but we in industry have to remain agents of change. We need to continue to influence governing and regulating bodies to apply and improve the standards, tools and best practices we have already created, developed and adopted. When it comes to ensuring the reliability, resiliency and safety of global critical infrastructure and supply chains, we can’t count on the federal government or yet another Executive Order. My money is on industry – the foremost OT/ICS cybersecurity thought leaders and organizations, including members of the #ISAGCA, who are on the frontlines every day. We can do this.”

Tom Clary,
Director, Global Cybersecurity Communications at
Schneider Electric

 

In my opinion the US government is going in the right direction; it is necessary to have structural changes and substantial investments to close the gap on the majority of ICS and cybersecurity. It requires close interaction among the parties (Government, suppliers and asset owners). The direct involvement of the government in this initiative, associated with mandatory deadlines on accomplishments, will motivate investments from companies in the area. Nobody wants to be the next one in the news. As is also explicit in the document, cooperation on sharing information and risk analysis is critical for the experts to support defense updates, remediation and proper responses to incidents. Lastly, the initiative to have cooperation among governmental agencies to create a practical playbook is more than welcome; although we already have some good ones available, having one with the government seal increases the chances of it being applicable to a much broader audience. Hopefully other countries may use this lesson learned before it is too late.

Felipe Sabino Costa, MSc, MBA
LATAM Industrial Cybersecurity Expert,
Moxa

 

I particularly like the desire to make substantial progress:
“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”

Whether it is protecting critical software in a more complete way, securing the software supply chain, or collecting and sharing data about attacks, I think there is ample opportunity to improve – and I think most people would agree the US is extremely vulnerable if not already compromised. Bring on MFA, Zero Trust, and Playbooks to implement based on past cyber events. I say hats off, let’s get to work!

Joe Saunders
Founder and CEO, RunSafe Security

 

I support increases in cybersecurity efforts across the board. There is a lot to unpack in this EO and initial thoughts are positive from my perspective. There are a lot of activities needed to better define specifics and to make rules with impact analysis of the ensuing mandates. We will learn more through the process and better understand the incentives and consequences mentioned throughout the EO. There has been a lot of work by Allan Friedman in NTIA for SBOM that may accelerate rulemaking and implementation in this area. Other areas may take longer to adjust and some of the expectations may be very optimistic against reality. I wonder how other standards fit into this effort as many certifications and adopted cybersecurity controls are global in nature. A negative could be that this may create yet more specification, testing and certification criteria that may not align with existing or developing works toward the same objectives. How well will this align with the E.U. Cyber Security efforts for Essential Services and other countries looking to achieve the same goals? I am confident this will factor into the rulemaking process and look forward to participating where possible.

Michael Lester
Cybersecurity Strategy, Governance and Architecture at
Emerson Automation Solutions

 

While it offers more hype than substance, this Cybersecurity EO still addresses many of the challenges that federal network defenders face. Even though many of the actions had suspense dates between 60 and 120 days, increasing threat sharing, modernizing cybersecurity systems, and improving threat and vulnerability detection will have a greater impact over the long-term. Where this EO is most lacking is in properly addressing the people and resource issues faced by all federal government security teams, as well as the overall vulnerable state of the nation’s critical infrastructure.

Ed Cabrera
Chief Cybersecurity Officer, Trend Micro

 

I’ll start with the observation that securing the software supply chain is arguably the major focus of this EO. Almost 1/3 of the document’s policy statements are in the Enhancing Software Supply Chain Security section. This is no surprise after the SolarWinds attack in December infiltrated all five branches of the U.S. Military, the Pentagon, the State Department, the National Security Agency, the White House, and a whole lot of other significant targets. That kind of widespread havoc was certain to set the tone for this EO. (I’ve seen media stories suggesting this EO is a response to the Colonial Pipeline attack, but this document clearly wasn’t written over the weekend. Its scope is much further reaching and broader than ransomware attacks.)

Eric Byres
CEO, aDolus

 

The May 12, 2021 EO did not address the unique issues associated with control systems. It was evident reading the EO there were no CONTROL SYSTEM cybersecurity experts that either participated or had their input used. In fact, the terms SCADA, industrial control systems, control systems, and cyber-physical systems were never used and IoT was only addressed for consumer applications. Consequently, the EO exacerbated the cultural gap between network and engineering. The EO’s limitations were demonstrated by examining a number of actual critical infrastructure cyberattacks (including SolarWinds and Colonial Pipeline) and showing the EO would not address the control system-unique issues. (I did not address the inadequacy of the EO in responding to unintentional control system cyber incidents.) The impacts of not addressing these cyberattacks could have devastating impacts on US federal facilities as well as the US economy (these issues are not unique to the US). The control system cyber security gaps in the EO need to be reconsidered before it is too late. Find more information on this topic.

Joe Weiss PE CISM CRISC ISA Fellow
Managing Partner at
Applied Control Solutions

 

Additionally, many organizations have published blog posts and articles about this topic. Here are a few of note:

The Cybersecurity Executive Order: What Does it Mean?
From Trend Micro

Unpacking EO14028: Improving the Nation’s Cybersecurity
From aDolus

Biden’s Executive Order Will Not Stop Cyber Attacks
From Edward Amoroso, Founder and CEO of TAG Cyber

Be sure to mark your calendar for IIoT World’s ICS Cybersecurity Day on October 6, 2021, which will bring together global subject matter experts to share insights on IIoT technologies and ICS cybersecurity.

 

About the Author

This article was written by Linda Hall, Editor and Director of Partnerships & Client Services at IIoT World.

Comments

  • Eric Byres
    May 20, 2021

    @Joe Weiss: The fact that the terms SCADA, industrial control systems, control systems, and cyber-physical systems were never used in the EO doesn’t indicate that control system cybersecurity experts didn’t participate. Operational Technology (OT) is a reasonable (not perfect) catch-all phrase for the field that you and I are in and is useful shorthand to reduce terminology overload. If I were writing this EO I would have done the same – at 18 pages this EO is so long few people will actually read it, never mind understand it. Maybe the authors could have added OT to Section 10, Definitions, and added those terms, but making the EO longer will help no one.
