An upcoming executive order in response to the hacking campaign that involved SolarWinds will include standards to improve software transparency.
The top White House cybersecurity official is working with the Securities and Exchange Commission, as well as the Environmental Protection Agency, the energy sector and industrial control system specialists on a plan to protect critical infrastructure.
The operational technology, or OT, behind the systems that treat drinking water and run electric grids, subway systems and other essential services is a major source of concern as growing internet connectivity has increased their vulnerability to malicious hackers. Last month, an unidentified actor’s attempt to manipulate the chemical content in a Florida water treatment plant to dangerous levels provided a prominent example of how poor visibility into systems can cause not just digital, but physical harms, of tremendous scale.
“Because of the difference in mission impact, risks, threats and culture, a deliberate and specific OT cybersecurity approach is required to secure our industrial infrastructure,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, said.
Neuberger spoke Friday during a virtual summit on industrial control system security hosted by the SANS Institute, which she thanked for already contributing to the plan and promoting security in the sector.
“If you can't see a network, you can't defend a network, and if you can't see a network quickly, you certainly don't have a prayer of defending the network. And that applies, as we said, to both IT and OT,” Neuberger said.
The initial scope of the plan will focus on operational technology that affects the largest number of Americans or has an impact on national defense: gas, electricity, pipeline, water and chemical systems, Neuberger said. She noted collaboration with the Environmental Protection Agency and with Tom Fanning, CEO of Southern Company, a leading representative of the private electricity sector and a member of the congressionally mandated Cyberspace Solarium Commission.
The commission, which includes key lawmakers, recommended amending the Sarbanes-Oxley Act of 2002 to improve cybersecurity oversight and reporting requirements for publicly traded companies through the Securities and Exchange Commission. And on Wednesday, the SEC's Division of Examinations listed information security and operational resiliency, with specific references to cybersecurity, among its priorities for 2021.
Neuberger said the White House is also talking to the SEC “before we actually launch [the] plan to kind of ensure we're getting that voice, and we have common goals and we talk about the most effective ways to execute.”
The hacking campaign that compromised at least nine federal agencies and about 100 companies taught officials the importance of visibility into systems and software. Neuberger said the government needs insights from companies not just after breaches have occurred, but on the quality of the products they're putting into their operations, in order to avoid intrusions in the first place.
“We have to fundamentally shift our mindset from incident response to prevention and invest our time and our resources, accordingly,” she said.
She said an upcoming executive order in response to the hacking campaign will include standards to make it easier for buyers of software to make better security decisions and specifically mentioned an initiative at the National Telecommunications and Information Administration promoting a software bill of materials.
“Today, as a network owner, if we're trying to buy a technology, network management software, we have no way to know the cybersecurity practices that were used in building that network management software or the level of risk we're introducing to our networks by buying a particular software versus a competitor one,” she said, describing the intention of the executive order. “That's what we need to change, because if we have that visibility, whether it's a software bill of materials … or other areas, then we can make decisions that put money on cybersecurity and say we value it.”
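To make concrete what the kind of visibility Neuberger describes would let a buyer do, here is an added example (not code from the article, the White House or the NTIA initiative). It reads a minimal CycloneDX-format software bill of materials for a hypothetical network management product and checks each listed component against a buyer's own acceptance policy. The product name, component names, versions and the policy entries are all constructed for illustration; the package URL (purl) and CycloneDX field names are the real formats.

```python
import json

# Constructed, minimal CycloneDX-style SBOM for a hypothetical product.
# Every name and version below is invented for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "example-netmgr", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "example-http", "version": "2.9.1",
     "purl": "pkg:pypi/example-http@2.9.1", "supplier": {"name": "Example Org"}},
    {"type": "library", "name": "example-log", "version": "1.0.0",
     "purl": "pkg:pypi/example-log@1.0.0"},
    {"type": "library", "name": "example-xml", "purl": "pkg:pypi/example-xml"}
  ]
}
"""

# Constructed buyer policy: packages the buyer has decided not to accept,
# keyed by purl without the @version suffix. The reason text is hypothetical.
DISALLOWED = {"pkg:pypi/example-xml": "unsupported upstream (hypothetical)"}


def _base_purl(purl):
    """Strip the @version suffix so policy can be keyed by package, not release."""
    return purl.split("@", 1)[0] if purl else None


def assess(sbom_text, disallowed):
    """Evaluate an SBOM against a buyer's acceptance policy.

    Returns the described product, the number of declared components and a
    list of (component, reason) findings a procurement reviewer could act on.
    """
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    meta = bom.get("metadata", {}).get("component", {})
    components = bom.get("components", [])
    findings = []
    for comp in components:
        label = comp.get("name", "<unnamed>")
        # Without a version the component cannot be matched to any advisory later.
        if not comp.get("version"):
            findings.append((label, "no version recorded; cannot match against advisories"))
        # Without a supplier the buyer cannot trace where the code came from.
        if not comp.get("supplier"):
            findings.append((label, "no supplier recorded; provenance unknown"))
        base = _base_purl(comp.get("purl"))
        if base in disallowed:
            findings.append((label, "disallowed by policy: " + disallowed[base]))
    return {
        "product": f"{meta.get('name')} {meta.get('version')}",
        "component_count": len(components),
        "findings": findings,
    }


if __name__ == "__main__":
    result = assess(SBOM_JSON, DISALLOWED)
    print(f"{result['product']}: {result['component_count']} components declared")
    for name, reason in result["findings"]:
        print(f"  {name}: {reason}")
```

The point of the example is the comparison Neuberger describes: the same check run over two vendors' SBOMs gives a buyer something concrete to weigh, where today there is nothing to compare at all. Components with no version or no supplier are flagged separately from policy violations, because an incomplete SBOM is itself a finding about the vendor's practices.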