Recently, there have been a number of cyber breaches that highlight the continuing importance of maintaining basic cybersecurity practices, sometimes more broadly referred to as cyber hygiene.
Take, for example, the recently hacked water treatment plant in Oldsmar, Fla., which reportedly had no firewall, had personnel sharing passwords, and ran an outdated operating system, Windows 7 (although experts don’t believe an OS exploit was involved in that attack). And while it wasn’t a factor in the SolarWinds breach, a security researcher discovered in 2019 that the simple password Solarwinds123 was being used to access the company's update server.
In addition, many of the ransomware attacks we’ve read about over the past few years could have been avoided if cybersecurity basics like encryption, multifactor authentication, and a data backup system had been in place.
These are just a few recent examples. However, if you were to assess most cyber breaches, the story is likely to be very similar. Cybersecurity basics were not in place.
Imagine how different things might have been for these victim organizations if they had only:
- Implemented network firewalls
- Updated software regularly
- Implemented strong password policies
- Implemented multi-factor authentication
- Implemented encryption
- Implemented user security training
- Backed up critical data
Security requirements like the above aren’t a silver bullet. To be fair, there are no silver bullets with cybersecurity. However, requirements like the above will go a long way toward improving cybersecurity by making the adversaries’ job much more difficult.
Critical Infrastructure and Supply Chain are Targets
Recent adversarial focus on critical infrastructure and supply chains puts our country and citizens at great risk. Cyber-attacks designed to poison water supplies, hold patient data hostage, and contaminate software used to manage critical IT systems and data are just a few recent examples of how harmful cyber-attacks have become. We should also expect the stakes to rise over time as bad actors continue to work out how to inflict physical harm through cyber-attacks.
Guidance and Assistance
The good news is that organizations like NIST have free resources to help organizations implement critical infrastructure and supply chain cybersecurity programs. Some examples:
- The NIST CSF is a highly regarded framework used to help organizations establish a cybersecurity risk management program. Originally designed to support critical infrastructure sectors, the CSF is also being adopted by a wide range of organizations to establish cyber risk management programs. Also, the CSF was recently updated to address supply chain risks. Commercial organizations and more than 20 countries have embraced the CSF.
- NIST SP 800-161 is a standard specifically designed for managing cybersecurity risk in technology-based supply chains. 800-161 controls can be used in conjunction with the NIST CSF.
- NIST SP 800-171 is a set of security requirements for protecting controlled unclassified information (CUI) on nonfederal systems at organizations that contract with the federal government (particularly DoD). 800-171 consists of slightly more than 100 security requirements covering 14 basic security areas. While this special publication is aimed at a particular audience, its requirements can be used by essentially any organization to establish a cybersecurity program that ensures the basics are accounted for. The CSF can also be used alongside the 800-171 requirements to enable a structured cyber risk management program.
All of these standards are made available for free by NIST. There are also commercially available software solutions designed to help operationalize these standards and offer varying degrees of automation for things like collaboration, asset inventory, control validation, report generation, and continuous monitoring.
Are Cybersecurity Mandates Needed?
For many, regulation is a dirty word. However, sometimes regulation is necessary. Will voluntary adoption of cybersecurity practices ever work absent mandates and regulation? Does it make sense to rely on voluntary adoption for something as important as cybersecurity, which is needed to protect our water systems, healthcare systems, power grid, downstream supply chains, and other critical resources?
It might be time to mandate and regulate cybersecurity practices for critical infrastructure and supply chain organizations to ensure minimum standards are in place. Doing so will make our adversaries’ job much more difficult and help make critical infrastructure and supply chains more secure.
Resourcing is Key
Free resources like those from NIST are one thing, but the ability to apply them is another. Organizations’ security and compliance teams must be properly resourced, which may not always be the case. Even basic cybersecurity practices require some level of expertise, and implementation requires time and effort.
Government recognition of the problem's importance is essential. Greater coordination among the federal government, state and local governments, and critical infrastructure sectors for support, assistance, and reporting is necessary. Specifically, more support from the federal government to help small organizations implement and manage cybersecurity programs is likely needed.
Minimum cybersecurity standards must be table stakes for critical infrastructure and supply chains. Not having basic security capabilities in place should disqualify an organization from handling sensitive information and delivering critical services. Furthermore, there should be consequences for organizations that are shown to be negligent. Basic cybersecurity practices like those addressed in the NIST standards will go a long way toward making critical infrastructure and supply chain systems much more secure. It’s time to take basic cyber hygiene seriously.