In its July 2021 Memo, the White House created a voluntary industrial control systems (ICS) initiative to encourage collaboration between the federal government and the critical infrastructure community. The key purpose of the initiative is “to defend the nation’s critical infrastructure community by encouraging and facilitating the deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and enabling response capabilities for cybersecurity in essential control systems and operational technology (OT) networks.” The memo further elaborated that “we cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems.” New cybersecurity initiative by Homeland Security, NIST to protect critical infrastructure community – Industrial Cyber
The concept of visibility, knowing what assets you must manage and protect, described by the memo is a fundamental aspect of any cybersecurity strategy, especially in regard to critical infrastructure where the costs of a breach may have devastating implications. For this reason, identifying what digital and physical assets in your network is the first basic tenet of The NIST Framework that integrates industry standards to mitigate cybersecurity risks.
NERC has also recognized the importance of visibility for compliance. Visibility of industrial cyber assets include Electronic Access Control or Monitoring Systems – intrusion detection systems, electronic access points, and authentication servers, Physical Access Control Systems – card access systems and authentication servers and Protected Cyber Assets – networked printers, file servers and LAN switches are defined by NERC CIP-002-5.1a: Bulk Electric System (BES) Cyber System Categorization under BERC Identification and Categorization. What are the 10 Fundamentals of NERC CIP Compliance? | RSI Security
How do we define visibility in cybersecurity? According to Marcus Sachs, Research Director for Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, and former Senior Vice President and Chief Security Officer at the North American Electric Reliability Corporation, visibility means knowledge of where you are, or what’s going on. And if you’re a believer in the NIST framework, the first step is identification of your assets. And so, if you don’t know what you own, you can’t protect what you don’t know you have. Visibility of assets, and that includes people. They’re not just wires and blinky light things, but even who has access to what, visibility of files and resources. So, visibility truly starts with knowing what you have. Also, oftentimes it’s a user who detects something that’s not normal, and calls the help desk, and says, “hey, I see something wrong here.” And then alert help desk to say, “okay, could this be a security incident? Or is it just a user problem, or some malfunctioning software?”
Patrick C. Miller, CEO at Ampere Industrial Security and Founder and President Emeritus of the Energy Sector Consortium sees visibility as getting sufficient data from target networks and systems into the analysis engine and then managing that data in such a way as to make it useful and not just “noise.” He notes that visibility is highly dependent on the organization. He believes that visibility starts with a sufficient asset inventory and that without that, the value and effectiveness of visibility goes down. He notes that tailored visibility and a solid asset inventory can be effective and enable IR teams to see what is happening to which systems.
Tom Alrich is Co-leader, Energy Sector SBOM Proof of Concept at National Technology & Information Administration US Department of Commerce has worked in the era of NERC CIP issues since 2008. He is focused on the software aspects of visibility. He notes that the average software product has 135 components in it and that 90% of them are open source. Tom states that lots of products have thousands of components and that each component can develop vulnerabilities. He says that “the end user has no way of tracking those without a software bill of materials (SBOM) that provides visibility into component risks.”
Mary-Ellen Seale, The National Cybersecurity Society, and former Deputy Director of the National Cybersecurity Center at DHS says that one of the things is having visibility of the risk associated with a company or organization at the board level. So, it’s not just an IT guy or an IT team that has visibility or a company, a third party, that’s providing information to that baseline. Visibility requires actually “figuring out what are the critical activities that need to occur? What are the costs associated with that, and how do I present them to leadership to have them correct it?”
Paul Ferrillo, Privacy and Cybersecurity Partner at Seyfarth Shaw LLP, brings a legal perspective with questions that pertain to operational visibility. “Do you know who is using your system? Is it just directors, officers, and employees? Is it vendors? Who’s accessing your system? How are they accessing your system? Is it through mainframe computer? Is it through a laptop? Is it from a BYOB device? Are they who they say they are when they’re accessing the network?
I agree with our expert commentators and with the insights provided in the White House memo, and by NIST and NERC on the topic of visibility. It is a must first step for cybersecurity in any vertical or industry. It is important for both operational teams and incident response teams to have transparent inventories of digital and physical assets to assess any vulnerabilities to threats. Mapping interactions between networks, devices, applications, and cyber-resilience roles of management should be part of any risk management strategy protecting critical infrastructure.