The Executive Order 14028 has sent ripples through the cybersecurity industry. Since my last blog post where I provided my reflections on the EO, NIST has published their definition of ‘critical software’ in their official white paper published on June 25, 2021.
Operational technologies comprise the industrial hardware and software systems that form the backbone of industry. Manufacturing equipment, building automation systems, facilities management controls, transportation and logistics infrastructure are all essential to managing critical operations.
In the guidance, NIST clearly defines Operational Technology as critical software that must be secured. At Ordr, we know fully the gravity of this situation and have built our solution around this paradigm to give our customers the peace of mind, in knowing that they can effectively identify, manage and secure their critical infrastructure devices in their critical infrastructure in support of this crucial mission for the United States.
From the NIST Whitepaper:
NIST recommends that the initial EO implementation phase focus on standalone, on-premises software that has security-critical functions or poses similar significant potential for harm if compromised.
Subsequent phases may address other categories of software such as:
- software that controls access to data;
- cloud-based and hybrid software;
- software development tools such as code repository systems, development tools, testing software, integration software, packaging software, and deployment software;
- software components in boot-level firmware;
- or software components in operational technology (OT).
EO-critical software is defined as any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
- Is designed to run with elevated privilege or manage privileges;
- Has direct or privileged access to networking or computing resources;
- Is designed to control access to data or operational technology;
- Performs a function critical to trust; or,
- Operates outside of normal trust boundaries with privileged access.
The definition applies to software of all forms (e.g., standalone software, software integral to specific devices or hardware components, cloud-based software) purchased for, or deployed in, production systems and used for operational purposes. Other use cases, such as software solely used for research or testing that is not deployed in production systems, are outside of the scope of this definition.
The preliminary list of software categories considered to be EO-Critical:
- Identity, credential, and access management (ICAM)
- Operating systems, hypervisors, container environments
- Web browsers
- Endpoint security
- Network control
- Network protection
- Network monitoring and configuration
- Operational Monitoring and Analysis
- Remote scanning
- Remote access and configuration management
- Backup/recovery and remote storage
As an extension of the focus on Operational Technology, on July 20, the Department of Homeland Security (DHS) issued a security directive requiring owners and operators of critical pipelines that transport hazardous liquids and natural gas to implement "urgently needed protections against cyber intrusions."
In an earlier security directive in late May, immediately following the Colonial Pipeline cyber attack, the DHS began requiring US pipeline operators to conduct a cyber security assessment. The May 2021 Security Directive requires critical pipeline owners and operators to (1) report confirmed and potential cybersecurity incidents to CISA; (2) designate a Cybersecurity Coordinator to be available 24 hours a day, seven days a week; (3) review current practices; and, (4) identify any gaps and related remediation measures to address cyber-related risks and report the results to TSA and CISA within 30 days.
These are all the right steps toward improving the Nation’s Cybersecurity. We are eager to extend the work we already have underway with many federal agencies and organizations that need to protect their Operational Technology. With the Ordr platform, our focus is on visibility and security for cyber resilience:
- Continuous visibility into all devices and their vulnerabilities (IT, IoT, and OT):
Ordr can help you identify what assets are in your environment. This allows you to examine your entire business process when calculating risk. It is important to not overlook what seem to be simple IT or IoT systems or processes like shipping or logistics, like billing. Those systems are as critical to production, processing, and delivery as any refinery equipment or manufacturing sensors.
- Intelligent insights into how devices are behaving:
We detect known threats via our integrated threat detection engine to identify exploits, active threats and attacker lateral movement tools. We also use machine learning to baseline and map exactly how every device is behaving and what it is communicating to. This is critical to surface unknown threats and anomalous communications, particularly when attackers have already infiltrated your network. Ultimately we have to examine cyber resilience via full spectrum understanding of the flow of device communications (transactions and data) as well as we understand the flow of oil or manufacturing processes.
- Automated policies on existing infrastructure:
The most critical function during an attack on OT environments is cybersecurity resilience, how quickly you can respond to an attack and continue business operations. Ordr not only tells you what device is being compromised, where it’s located, what it is doing and who it is communicating with, we also dynamically generate the policies to mitigate threats on your security and networking infrastructure. We can automate the creation of NGFW policies, ACL blocks, quarantine VLAN assignment, port shutdown, or session termination with one click of a button-- enforced on existing switches, wireless controllers, and firewalls, or via NAC platforms.
Our work doesn’t just stop in the United States. Being a global leader in IoT, IoMT and OT Security, we are proactively embedding best practices, as well as lessons learned, to nations around the world. The US is not alone in their struggle against threat actors that wish to do them harm. This is highlighted in recent events in Germany, Canada, Australia, United Kingdom as well as other many other nations and industries. We are doing our part to make the giant leap towards a better and safer future.
Setup a time with us to start the process today and you’ll be able to see what connected devices are on your network in minutes.