A surge in cyberattacks impacting critical infrastructure and the delivery of services vital to the public well-being has spurred much needed legislations to better protect against these threats. More proposals are likely to come. For CISOs of critical infrastructure organizations and those who work on their behalf, the writing is on the wall.
The past 18 were a series of dramatic developments emerged that highlighted the risks in industrial departments.
The digital transformation accelerated and hyper-connectivity created a much larger attacking surface. It also exposed vulnerabilities that are a boon for threat actors. After the pandemic period, the Ransomware also went corporate. The threat actors shifted their focus to factory or pipeline locking-up. The lack of a visible response from the US government prompted the hackers to continue to move the line they intended to cross in a negative way.
In response to this combination of factors, the U.S. coalition government has released an unprecedented wave of legislation focusing on better protection of critical infrastructure.
Here are few questions to CISOs should ask themselves as they consider this legislation and look to improve the security posture of the OT environment.
Removing Barriers to Sharing Threat Information
The CISOs need to ensure that they are using information provided from a specific Information Sharing and Analysis Center (ISAC) or from the cyber security provider to gain visibility into incidents that others see. They also need to ask if they are sharing high-value information back out.
Critical infrastructure organizations have operated in isolation because of the sensitivity of their environments. For information sharing to become a two-way street, barriers need to be removed. By deploying proper anonymization mechanisms, companies can keep their information secure. The new legislation that includes assurances for companies that information shared will be kept confidential and that they will receive liability protection from being sued for revealing they were attacked, will help move information sharing in the right direction.
Also Read: Organizations adopting ‘SASE’ to fight Security issues in Hybrid work mode
Enhancing Software Supply Chain Security
The CISOs need to assess if they have considered leveraging some of these new standards and criteria as part of their software procurement practices?
The National Institute for Standards and Technology (NIST) has been instructed to publish a definition of “critical software” with low levels of limited access, preparation, and implementation, and developer terms to ensure secure encoding processes. Although this definition originally focused on ensuring that the software acquired by the coalition government works securely, it would have the effect of protecting the software used by both the public and private sectors because the same software is widely used. A clear goal is to increase the level of security and integrity across the software industry.
Establishing a cyber-safety review board.
The CISOs and the security team needs to ask themselves: Does their company have a culture of continuous improvement in risk and cyber security that drives learnings from their own failures and those of others?
Just as the National Transportation Safety Board (NSTB) has become the gold standard for understanding ongoing transport incidents and learning to reduce accidents, the online safety review board has the same promise for cyber network services. Having a clean house like the Cybersecurity and Infrastructure Security Agency (CISA), as recommended in a recent bipartisan proposal, updating information after major internet incidents will help reduce the number of internet incidents across all major U.S. infrastructure.
For more such updates follow us on Google News ITsecuritywire News
