The Biden administration launched what it called a "bold" 100-day sprint to improve the cybersecurity of electric utilities on Tuesday. The plan was not released in full to the public, or to many vendors who might be instrumental in actualizing key objectives.
A Department of Energy press release describes the plan in general terms. Broadly, it "[e]ncourages owners and operators [of industrial control systems] to implement measures or technology that enhance their detection, mitigation, and forensic capabilities" with a special emphasis on improving OT visibility. The plan also creates "concrete milestones" within the 100 day period to increase visibility and create real-time analysis.
“It’s up to both government and industry to prevent possible harms — that’s why we’re working together to take these decisive measures so Americans can rely on a resilient, secure, and clean energy system," Secretary of Energy Jennifer Granholm said in a statement to accompany the press release.
The press release did not contain key details, like what those milestones are, or any specific schedule for meeting them. But based on publically available information, including the press release and statements administration officials had made alluding to the plan, Dragos founder and CEO Robert M. Lee, praised the effort for overcoming pitfalls of previous industrial security pushes.
For one, he said, the plan is specific to operational technology.
In the past, "when Congress, the president and everybody said 'go protect critical infrastructure — please — it's a national security risk,' all these CIOs and CSOs protected the enterprise of the critical resources," Lee told SC Media. "Well, hold on now. What makes it critical infrastructure is the control systems."
And where past efforts and guidance emphasized preventing attacks, Lee said the 100-day plan emphasized detection and response. He estimated that around 90% of clients considered to be mature before contracting Dragos had no visibility onto OT networks before Dragos came onboard, and only 5% of infrastructure had any sort of visibility nationwide.
"That can sound like they're incompetent. They aren't," he said. "If you actually look at all the frameworks and best practices and NIST and NERC [standards], and advisories from DHS and ICS CERT, everything is prevention. Application security, whitelisting, firewalls, authentication, antivirus, segmentation — everything [critical infrastructure companies] have been told to do is prevention."
SC Media spoke to eight sizable vendors involved in OT security who had not yet seen a plan. Several said that was not from lack of trying. A representative for the Department of Energy referred SC Media to the press release when asked for the full plan and did not respond to a request for more detail. The National Security Council, which released a statement praising the plan, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, whose executive assistant director for cybersecurity mentioned the 100-day plan in remarks Tuesday morning, both referred SC Media to the Department of Energy.
Eric Goldstein, the CISA executive assistant director for cybersecurity, mentioned the 100-day sprints at an agency ICS security event to differentiate them from Homeland Security's recently announced 60-day cybersecurity sprints.
"The goal of these DHS cyber sprints is to complement the 100-day plans being led by the Biden-Harris administration," he said.
DHS is targeting sprints on issues like ransomware and workforce, while the White House is targeting sectors like electricity or water.
While the White House plan focuses on the end users of infrastructure equipment, Chris Grove, network evangelist for Nozomi Networks, said that users were only half the problem.
"A lot of the operators are caught between a rock and a hard place; They're being forced to secure something that's not really built to be secure and against nation-state attackers and advanced persistent threats," he said.
Indeed, infrastructure security faces challenges tied to lifespan of the systems that perform industrial tasks, which can often be a decade. End users only benefit when they upgrade, and it is cost prohibitive to upgrade early.
Included with the announcement of the 100-day plan was a request for information (RFI) on supply chain security in energy, as the Biden administration looks to update Trump-era policies. Comments will be due June 7. That detail is encouraging, said Grant Geyer, chief product officer for Claroty.
"It's clear from the RFI that the administration is looking to take an apolitical balanced and considered approach to improving cyber safety thought of the electrical grid."
Correction: The story has been updated to note that Dragos founder and CEO Robert M. Lee had not seen the full plan at the time of publication.