Using Metrics that Matter to Protect Critical Infrastructure
Critical infrastructure services in North America face accelerating threats from both nation-states and other sophisticated threat actors. Governments globally are grappling with how to best balance incentives, support, and direct oversight. Meanwhile, critical infrastructure owners and operators face significant challenges with technology, staff resources, and expertise to better manage cyber resilience.
The cyberattack on Change Healthcare has been described as “the most significant and consequential cyberattack in American history.” This event provides a real-world example of the blurry lines between public and private sector targets, and between nation-state and criminal hackers.
Recently, SecurityScorecard participated in a webinar that explored the best metrics to assess and manage cyber resilience, as well as the role of public-private partnerships in the face of converging cyber threats.
Moderated by John Breeden, contributing editor at FedInsider, the webinar featured SecurityScorecard’s VP of Global Government Affairs, Brendan Peter, and Cheri Caddy, Senior Technical Advisor for the US Department of Energy.
Complex threats and critical infrastructure
The session began by highlighting the complex threat landscape, with organizations continuously adapting to novel attack vectors because of the scope and the pace of threats.
The threat of supply chain vulnerabilities creates an all-too-easy point of entry for adversaries to make their way into organizations, networks, and supply chains. Organizations are only as secure as their weakest link, which means even the ones that invest large sums into security still face vulnerabilities because of third- and fourth-party threats. This is especially apparent in the rise of nation-state actors who target critical infrastructure owners and operators.
SecurityScorecard’s Global Third-Party Cyber Breach report found that 35% of third-party breaches affect healthcare organizations. As a SecurityScorecard advisor pointed out in a previous webinar, healthcare is targeted for multiple reasons, including tighter budgets and the fact that healthcare organizations are more likely to pay ransoms because of the essential nature of their business. In other words, the healthcare field can’t afford to have life-saving services taken offline for long periods of time.
Cyber criminals are acutely aware of this and are innovating at a rapid pace. Consider that the vast majority of critical infrastructure in the United States is owned and operated by the private sector. If a threat actor wants to attack a water system, they may not go directly through the municipal water authority but instead through the independent vendors that provide the equipment.
Partnering with law enforcement
Many critical infrastructure systems (such as municipal water supplies, energy companies, and more) are managed by organizations with limited resources, shrinking budgets, and outdated systems. Therefore, it’s crucial for these entities to have relationships with law enforcement before they are ever breached. Agencies such as the FBI and the DHS can be key allies, especially if they are brought in early. But it can be hard convincing some operators to report incidents or seek help. This is where cyber regulations can play an important role.
Peter pointed to an initiative from the Cybersecurity and Infrastructure Security Agency (CISA), which would give federal agencies the ability to better respond to cyber incidents and discover weak points in our nation’s infrastructure. First signed into law in March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is one of the largest cybersecurity policies in recent history.
The law would require certain critical infrastructure organizations to report cyber incidents within 72 hours, and ransomware payments within 24 hours. To encourage timely and transparent reporting, CISA guarantees confidentiality for the sectors that fall under this mandate. These sectors include healthcare, financial services, energy, water utilities, manufacturing, and transportation. Together they make up significant swaths of the nation’s critical infrastructure, which is the backbone of society. For society to function, the public needs to trust that these services and institutions are safe.
Measuring cyber resilience
With cyberattacks on the rise, Peter highlighted the fact that there’s now a greater emphasis on the importance of measuring cybersecurity and the need for a more transparent approach to cyber health. The White House’s new National Cybersecurity Strategy explicitly calls for a “data-driven” approach to cybersecurity. Moreover, the SEC’s cyber regulations, the EU’s Digital Operational Resilience Act (DORA), and France’s Cyberscore Law all seek to provide visibility about the cyber hygiene of organizations across multiple critical infrastructure sectors.
Because there’s so much data out there, analyzing it manually is virtually impossible, and attempting to do so requires more headcount and budget. Security ratings technology makes sense of this data and pulls it together in a single view to give a real-time understanding of an organization’s risk profile.
By giving organizations an understanding of their underlying risk at scale, security ratings can identify weaknesses in the ecosystems of third- and fourth-party vendors as well. While security ratings are a valuable tool, they should only be part of an organization’s overall cybersecurity program.
According to Caddy, governments and industries need to measure cybersecurity in order to protect our vital systems. But at the same time, budgets are limited, so leaders need to find ways to optimize multi-layered solutions that offer automation and continuous monitoring. This is still a work in progress at the government level because of the complexity of the digital ecosystem.
Broadly, though, the government is looking at organizations that have a strong cybersecurity maturity model, and asking:
- Are they aware of their cyber risk? Are they aware and have they identified what their most critical assets are?
- Do they understand the topography of their network and how things are connected? Do they have that basic understanding?
- And are they taking steps to understand that risk and then manage that risk?
It all comes down to managing overall risk; we can’t manage what we can’t see.
Advancing cyber resilience at the federal level
Peter mentioned the fact that SecurityScorecard has partnered with the Transportation Security Administration (TSA) to enable the agency to more accurately monitor and assess the cyber health of the nation’s pipeline, rail, and aviation transportation systems. He noted that the agency had to get very smart very quickly about cybersecurity after the Colonial Pipeline ransomware attack in 2021. Whereas the agency had been more focused on physical security requirements and capabilities, the attack served as a wake-up call that cybersecurity needed to be a bigger priority.
SecurityScorecard’s partnership with the agency means working closely with the TSA’s Surface Operations Cybersecurity Assurance Division to provide cyber vulnerability monitoring, security ratings, and threat intelligence for entities the TSA partners with for security resilience. These automated capabilities allow the agency to monitor public-facing Internet applications and services owned and operated by the nation’s critical infrastructure.
As a result of this alliance, the TSA’s private sector partners receive complimentary access to SecurityScorecard’s comprehensive security ratings, automated assessments, and guidance from industry experts. This enables more effective compliance reporting, improved communication, and informed decision-making. As governments globally struggle to measure and communicate more effectively on cyber risk, the TSA’s use of security ratings—and the broader SecurityScorecard platform—serves as a model for how other sector risk management agencies can partner with industry to measure and report on collective progress.
Know your environment
As the webinar wrapped up, Caddy stressed that awareness should be a key part of any cybersecurity program. Any organization can be a target of threat actors; therefore, cybersecurity is everyone’s concern. Because of this, it’s vital for organizations to know their systems inside out. Organizations need to ask themselves the following questions: How do I take steps to understand what’s most critical to my business, to my organization, and to how we operate? What would happen in the event that we lost this? If somebody wanted to really give you a bad day, how would they do it?
She also pointed out the vast array of resources at the federal level that organizations can take advantage of to bolster their cyber defenses, whether that is CISA, the FBI, or the sector risk management agencies. There is also a network of Information Sharing and Analysis Centers (ISACs) that encourages the two-way sharing of information between the public and private sectors.
Final thoughts
Cybersecurity is a never-ending process, one that takes constant refinement and updating. Organizations must continuously monitor their environments, examine interdependencies, and be proactive about cyber threats.
Having achieved FedRAMP Ready status, SecurityScorecard is committed to the rigorous security standards required by the U.S. government for cloud service providers, and is prepared to support both the public and private sectors in their efforts to measure and communicate cyber risk, while also advancing the nation’s cyber resilience.