ThreatConnect Podcast host Dan Verton recently had the pleasure of speaking with Bob Kolasky, Director of the National Risk Management Center at the Cybersecurity and Infrastructure Security Agency (CISA), on a recent episode of the ThreatConnect Podcast, where he gave his insights on systemic cyber risk and critical infrastructure.
There have been nearly a thousand documented and reported open-source critical infrastructure ransomware attacks in the past two decades. The actual number is likely much higher, however. During the past 7 ½ months, we've seen some of the biggest ransomware attacks in history, and it's becoming clear that critical infrastructure owners and operators need to adopt a risk-led cybersecurity program.
Dan Verton: TSA has issued this new mandatory guidance for pipeline operators. Can you tell us anything about the new cybersecurity guidelines and whether or not this may signal the possibility that other sectors will be receiving similar mandates?
Bob Kolasky: Speaking specifically to TSA Security Directive Two, what's important to understand is that it is a security directive established based on existing TSA authorities. TSA has the right to put requirements on transportation modes, in this case liquid and natural gas pipelines, when national security needs demand it. Through the two security directives that TSA has issued, we should recognize that, given the liquid natural gas pipeline threat environment, it's time to put some of those requirements on pipeline companies. That's what Security Directive Two does.
Security Directive One, which came out about a month and a half ago, was all about information sharing and requirements to report incidents. This one’s about elevating the baseline level of security. These are all good and smart things to do. A lot of pipeline companies have been doing these in the past, but we want to make sure they’re doing it. We want to address, to your point, the crisis of confidence and give the federal government visibility and set the requirement to do smart things in cybersecurity for liquid natural gas pipelines. That’s what TSA did through the security directive.
Does this signal future things coming? We, in the federal government, certainly want to evaluate where existing authorities can push higher levels of cybersecurity. We’ll be doing that, but at this point, there are no plans for additional authorities, pending congressional action.
Dan Verton: We’ve heard about the launch of your Systemic Cyber Risk Reduction Venture at DHS. What’s the latest on that initiative? Could you give us a brief rundown of what it is you’re trying to achieve there?
Bob Kolasky: Sure. The Systemic Cyber Risk Reduction Venture, which is being run out of the National Risk Management Center at the Cybersecurity and Infrastructure Security Agency, is an attempt to drive best practices in enterprise risk management into national security cyberspace at the national level. I hope that's happening at the corporate level as well. There are three elements of the venture, the first of which is mapping cyber risk in terms of critical functionality.
Ultimately, what we're trying to do with the venture is take those national critical functions, which we've defined publicly, 55 national critical functions, things like the ability to generate electricity, conduct elections, and move material by pipelines, and evaluate how that happens and where cyber incidents can cause potential loss of functionality, or the greatest potential loss of functionality. So what I would advise everyone to do is look at the critical processes you're trying to manage risk against, understand those critical processes, and prioritize risk mitigation based on the key areas where they can break down.
The next stage, which I think will take a longer amount of time, is really to begin to qualify and quantify loss of functionality and potential exposure from cyber attacks into a set of metrics that are consistent, so that we can attach what we know about the importance of functions, possible cyber vulnerabilities, where threat actors are going, and risks into more of an overall exposure framework, so we understand where our risk is from a metrics community.
Then the third element of the venture is associated with where there are systemic solutions. Where are there big-scale solutions that will mitigate risk across 55 national critical functions or a significant number of that so we’re just not thinking of a function by function approach? This connects with the conversation about improving core fundamental security of industrial control systems as one of those cross-cutting systemic solutions. Then furthermore, within that, doing things like helping train engineers about engineering more cyber-secure systems and operating that environment, and thinking about engineers as a national asset for cybersecurity.
That's the kind of cyber systemic solution where, instead of locking down vulnerability by vulnerability, you work at something that's systemic and fundamental, like training a better cadre of individuals, and we're going to be in a better place for risk exposure. So we're using the venture as a way to generate great ideas for systemic solutions to help prioritize from a risk context.
Dan Verton: How does this program, the cyber risk reduction venture, work with infrastructure owner-operators on quantifying the risk and prioritizing what they should focus on, in a way that it's not just a one-point-in-time initiative?
Bob Kolasky: One of the things that we’re trying to do with the venture is not just think about how to work with owners and operators of critical infrastructure, but work with levers of industry that will help reduce risk in addition to the traditional security professionals. DHS has a long history of public-private partnerships with owners and operators of critical infrastructure, but those are often around security and not fully around business, risk management, or core function risk management.
So what we’ve done with the venture is start to think about bringing in more Chief Risk Officers to board-level conversations. The board needs some ability to look at risk from an economic model to compare it to other things that boards could be investing in. I think there have been improvements in the treatment of cyber risk as an enterprise risk issue in the way that is part of an overall enterprise risk governance process for critical infrastructure companies. So it is now starting to be priced into [insurance policies] but that needs to continue to happen.
It’s important to recognize the cyber insurance market and see that we’re at an inflection point for the cyber insurance model, where it’s begun to function more as a risk transfer function than a risk mitigation function. That’s traditional, right? You buy insurance to transfer your risk.
But from a national perspective, we're hoping that the more that things are getting insured, not only is it transferring risk off the books of a firm to somebody else, but the insurance companies are actually creating incentives to ensure that companies are taking good practices, are reporting incidents to the government, and have good playbooks in place, or at least pricing that into their prices so that their good behavior is incentivized. The exposure writ large that the industry had to ransomware over the last year seeds a lot of the models, and they recognize that some of this has to be rebalanced or there are some existential concerns for the industry.
Hear more from Bob Kolasky and two other world-class experts who spoke with us about cyber risk management and critical infrastructure in our most recent ThreatConnect Podcast episode, "Mitigating Cyber Risk In Critical Infrastructure".