By Gregory Hale
Make all the jokes you want about Republicans and Democrats and the government, the reality is the feds are trying to help win the fight against critical infrastructure attacks and they want to help any way they can.
“We are going through organizational changes,” said Brian Harrell, assistant director for infrastructure security, cybersecurity and infrastructure security agency (CISA) at the Department of Homeland Security during his keynote at the SANS Summit 2019 in Orlando, FL, Monday. “It is a struggle. We have 700 people just in my organization; people in every state. So, when it comes to your utility, we have touch points in the field right now for when things go bump in the night.”
The idea of the government and the private sector working together has been a pipedream for the government for years, but the reality is the level of trust just has not always been there.
“The message is starting to resonate where we are not always rocked back on our heels, we don’t give ourselves enough credit sometimes because things are getting done,” Harrell said. “We are good are chasing shiny things, we need to stop doing that. We need to be focused on things we do very well.”
Admitting he was not an industrial control system expert, Harrell mentioned a few of his top priorities in his role.
“First and foremost, my priority is to harden soft targets in crowded places. Like the attack in New Zealand the other day.
“Secondly, school safety and school security. I use my wife as a litmus test. She said she is surprised DHS is not more involved in school security. Going forward we will have a more critical role in securing schools. We will engage schools to have stronger access control.”
He also mentioned updating what he said was the “antiquated” National Infrastructure Protection Plan, which outlines how government and private sector participants in the critical infrastructure community work together to manage risks and achieve security and resilience.
Harrell also talked about IT-OT convergence as something that is happening in the private sector, but woefully behind on the government side.
“Industry is already doing this and the government is not,” he said. “Today’s hybrid attacks, this is a converged attack environment. We need to have discussions across the table with all involved.”
Part of the convergence discussion also has to lead into a discussion about the lack of security professionals that can help ward off attackers.
“We need to have a discussion about the talent shortfall,” Harrell said. “It is difficult to say, come work at the government, we don’t pay that well, we need to find different ways to motivate people to work in the government space. There are a number of veterans transitioning out of the military today, they are looking for a new mission. As you recruit, find the new talent start with some of the veterans groups out there.”
Harrell then mentioned emerging threats facing critical infrastructure. One area was with drones.
“We are a day late and a dollar short when it comes to mitigating the drone threat,” he said. “You don’t own that air space, you need to find out if something is flying about, you have to find out what to do. There is a potential threat of a drone flying over a critical infrastructure. This is not an emerging threat, it is here now. We have to figure out what to do moving forward. We need to be able to protect critical infrastructure and right now we are not.”
He also mentioned the major nation state that is the biggest threat.
“China is the biggest threat for espionage,” Harrell said “We have fully recognized this. There is a full intent to call a spade a spade. Russia is a nuisance, China is a real threat. We need to adopt a collective defense. It has to do with government, companies and people coming together to compare notes.”
It used to be companies would not get together fearing losing a competitive advantage, but when it comes to cybersecurity, everyone is in the same boat.
“Competitive advantage threat; those days are gone,” Harrell said. “This information needs to be shared with the federal government. We need to remove compliance risk from the lexicon.”
Along those lines, the ability for one utility sharing notes and helping others that may be suffering from similar issues could only help.
“What is happening at Dominion Energy could help those at Southern California Edison,” Harrell said.