Where privately owned critical infrastructure providers had balked at sharing threat data five years ago, it's become now a critical, commercial necessity, according to CISA infrastructure official.
The increasing tempo of breaches and cyberattacks on critical infrastructure networks is driving privately owned infrastructure providers to share their data with the Department of Homeland Security's cybersecurity agency in increasing numbers, according to one of its top managers.
Privately owned critical infrastructure providers, like power, banking and telecommunications companies, had been slow to share their data on cyberattacks a few years ago, according to Brian Harrell assistant director for infrastructure security at DHS' Cybersecurity and Infrastructure Security Agency (CISA), because of competitive concerns. Things have changed, he told an audience in a speech at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security on Aug. 23.
Harrell, along with his boss, CISA Director Christopher Krebs both spoke at the university on consecutive days to engineering students on the importance of cybersecurity and infrastructure.
"The incentive is the amount of information and the mitigation strategy, industry best practices and the intelligence" that are the foundation of CISA's mitigation tools, he said in the presentation. The free tools help critical infrastructure providers shield their networks and meld threat data into shared products they can't get elsewhere, he said.
The threat landscape for sharing threat data has completely changed from three to five years ago, said Harrell. "Today, based off the number of events we're seeing, the lessons learned, the [corporate] filings and the board-level attention is driving companies to seek information early and often and share it."
Critical infrastructure can no longer go it alone in cybersecurity, he said.
"If you're doing this in a silo, or with your head in the sand, you are potentially making the situation worse. The response and recovery times are longer" for companies that are slow to collaborate and discover what happened in a cybersecurity incident, he said.
CISA is focused on identifying and assisting critical infrastructure providers with threats that straddle the physical and cyber worlds. For instance, he said, to CISA an "insider threat" to a critical infrastructure company can be someone exfiltrating data to a competitor, or to a nation state, or in some instances ahead of a violent assault on the facility.
To mitigate that activity, data on critical infrastructure networks could be classified to set off "alarm bells" on providers' networks not only if data leaves the network, but also if data is being used in non-routine ways. Repeated access attempts with security cards at facility doors could be testing for an attack or infiltration, according to Harrell.
Critical infrastructure managers are becoming more aware of those cross-cutting issues, but they have to be more focused on them, he said.
"It's no longer good enough to say, 'We meet with cyber every other Tuesday.' Everything is connected."