Keep Calm and Find the Overlap
It may seem like the government issues new ICS regulations and cybersecurity guidance for critical infrastructure every few weeks. There is a flood of information affecting many industries, but it is important not to get overwhelmed.
Whether new regulations are directed at pipelines or water utilities, everyone is in the same boat, because many of these recommendations overlap. Regulations are ever-evolving, so focusing on priorities is critical: keep calm and find the overlap!
Maximum Coverage, Minimum Tools
Organizations should first take a step back and focus on the convergence between these different regulatory and compliance requirements. Determine how you can achieve the most coverage with the fewest tools and the least overall change.
When government agencies issue new guidance and recommendations, the same information tends to be recounted repeatedly. Review the documentation to determine where the overlap occurs, then focus on the areas that cover the highest number of requirements repeated across those recommendations.
Examples of Overlap in ICS Regulations
Much of the guidance and regulation focuses on consistent themes, such as information sharing and the importance of reporting incidents, breaches, and ransomware infections. Additional requirements and standards will likely be issued pertaining to asset inventory, perimeter protection, monitoring and logging, and Zero Trust.
Below are some examples of overlap in recent regulations and government guidance:
ICS Regulations / Guidance re: Information Sharing & Reporting 📝
- White House Executive Order 14028 on Improving the Nation’s Cybersecurity (May 2021) – all of Section 2: Removing Barriers to Sharing Threat Information
- TSA Security Directive 1580-21-01, Enhancing Rail Cybersecurity (Dec 2021) – all of Section B: Reporting Cybersecurity Incidents
ICS Regulations / Guidance re: Monitoring & Logging 🪓
- TSA Security Directive Pipeline-2021-02, Pipeline Cybersecurity Mitigation Actions, Contingency Planning, and Testing (Jul 2021; the copy linked here was published by the Washington Post) – from Section II.B.2.c: “Review and update (or develop, if necessary) log retention policies to ensure that they include policies and procedures consistent with NIST standards for (i) log management; (ii) secure log management infrastructure; and (iii) how long log data must be maintained.”
- National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (Jul 2021) – from Section 3: “We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems.”
These are just a few of the examples of overlap you’ll find when digging through the documentation.
Suggestions from SynSaber
Given that overlap, what should organizations do once new government guidance and regulations are issued, and where should their focus be?
Improve Visibility 🕶️
We believe organizations should place high importance on both visibility and monitoring. Knowing what assets are on the network and what they are doing supports infrastructure health and ultimately leads to improvements in safety, reliability, threat detection, response, and recovery.
Organizations should also make sure they have documented security, reporting, and response processes in place. This goes a long way toward minimizing headaches if an event occurs, and it directly addresses the reporting requirements that recur across the directives above.
Understand Vulnerabilities 🔓
It’s also critical to know your update and patching status and to understand your environment’s potential vulnerabilities. When compliance standards and regulations are issued, chances are they will be focused on the latest exploit, vulnerability, or threat.
In the aftermath of the Apache Log4j vulnerability (CVE-2021-44228), CISA swiftly issued guidance on vulnerability mitigation. This example shows how guidance is often reactive, and it underscores the importance of taking everything in stride and ensuring organizations understand their vulnerabilities before an event rather than after it.
In Conclusion: Plan your Work and Work your Plan
While it might sound cliché, it’s essential to have a plan and stick to it. Implementing new guidance does not happen overnight. Create a roadmap that lays out what your evolution should entail; implementation is a process. By having a detailed plan that lays out what that process should look like, you take a vital step toward meeting future requirements before they are even issued.
Ultimately, new government guidance and recommendations may seem daunting at first, but they don’t have to be. Remember that many new guidelines and standards are rehashes of things you are already doing, and that key recommendations likely overlap with other guidelines. Keep calm, find the overlap, and focus on what gives your organization the most coverage across all regulations.