Overlapping ICS/OT Mandates Distract From Threat Detection and Response

It's time for regulators of critical infrastructure — including industrial control systems and operational technology — to focus more on operational resiliency.

Mark Carrigan, Senior Vice President, Process Safety and OT Cybersecurity, Hexagon PPM

April 25, 2022

3 Min Read
Concept art illustrating operational technology
Source: Falookii via Alamy Stock Photo

During the past year, the Biden administration has issued several standards and mandates across critical infrastructure sectors, from water to transportation. Critical infrastructure is unique because nearly all United States citizens benefit from a critical national infrastructure (CNI) entity every day — whether they realize it or not. So, when one of those CNI entities is compromised, the impact often is felt on a personal level. Just look at Colonial Pipeline breach: Lines at gas stations were longer than ever as Americans feared a drastic fuel shortage.

The Biden administration's efforts to strengthen these sectors are well-intentioned and certainly demonstrate that the US government is taking cybersecurity threats seriously. These efforts are worthy of recognition because previous administrations haven't always prioritized cybersecurity strength. Intentions aside, however, these reporting mandates and standards are likely to prove ineffective and even dangerous.

Assuming Visibility
One of the main issues industrial control systems (ICSs) and operational technology (OT) systems face today is lack of visibility. You can't secure what you don't have access to, and studies have shown that the vast majority of organizations have limited visibility into their ICS environments — if they have any visibility at all.

These standards and mandates dangerously assume that organizations know they were breached in the first place. If organizations don't have the resources to monitor their ICS environments, they may never know a threat actor is trying to break into their network — or, worse, that a threat actor has already been inside the network for days, months or even years. This obviously makes the 24- and 72-hour reporting mandates impossible to meet. In addition, it appears we are headed toward a hodgepodge of overlapping regulations that will place a significant burden on private enterprises.

Distracting From What's Important
One example of this overlap is Senate bill S.2875 Cyber Incident Reporting Act of 2021 and House bill H.R. 5440 Cyber Incident Reporting for Critical Infrastructure. These bills have overlapping requirements that complicate the reporting process. Organizations will likely be required to determine what category an incident falls into and which government agency should handle it. The resources required to do this should be devoted to improving security rather than navigating the complexities of reporting requirements.

Indeed, complying with standards issued by the government takes significant time and resources that could be used to implement effective security controls, especially when it seems like it takes an actual cyberattack for the government to determine that we need another mandate for another industry.

The Solution
It's time for regulators of critical infrastructure to focus more on operational resiliency. Focus and increase investments on ensuring organizations can respond to attacks, minimize impact, and restore operations quickly. We must begin accepting that not all cyberattacks against critical infrastructure can be prevented. The physical nature of these systems makes it nearly impossible to stop 100% of attacks. However, we still have the capability to respond and recover, and that's where we should focus our efforts.

Finally, it's time to take a step back and define a single critical infrastructure cybersecurity standard. If your industry is defined as critical infrastructure, then, by definition, it requires protection. Let's define a singular critical infrastructure cybersecurity standard now and start enforcing protection, including increased investments in systems to increase visibility and resiliency.

About the Author(s)

Mark Carrigan

Senior Vice President, Process Safety and OT Cybersecurity, Hexagon PPM

Mark Carrigan is responsible for defining and implementing Hexagon’s strategy for process safety and OT cybersecurity solutions. He also is responsible for the Hexagon PPM division’s sales strategy, which includes the Alliance and Partner program, as well as overseeing divisional customer success initiatives to ensure clients receive maximum value from our solutions. He previously served PAS Global – acquired by Hexagon in 2020 – for 20 years in a variety of roles, including Senior Vice President of Technology, Managing Director for the Middle East and Global Sales Leader, culminating as the company’s Chief Operating Officer and Chief Revenue Officer. Prior to joining PAS, Carrigan spent 10 years with Air Products & Chemicals in several technical and commercial roles. An industry veteran, Carrigan has extensive experience in international business, engineering, sales, and technical consulting in the processing industries. He holds a Bachelor of Science degree in Mechanical Engineering from the University of Michigan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights