By Gaurav Pal, Principal and Founder, stackArmor, Inc.
Disruptions in gasoline supplies caused by the May 2021 ransomware attack on the Colonial Pipeline turned cyberattacks from an “online problem” into a national security concern. That event was one of the catalysts for the National Cybersecurity Strategy (NCS) released on March 2, 2023. The NCS brought into focus the potential for serious economic damage and disruption to daily life from cyberattacks on critical infrastructure. Congress and federal agencies are now urging organizations in critical infrastructure sectors such as aviation, water and wastewater utilities, education, and healthcare to address their cybersecurity gaps rapidly. In implementing the strategy, however, there is no reason to reinvent the wheel: the path forward should be informed by lessons learned from cybersecurity and risk management programs with proven track records.
Moving from Voluntary Approaches to Mandatory Requirements
There has been much progress over the last ten years in bringing cybersecurity to the attention of organizations, lawmakers, and government executives. However, the speed of change and the investments needed to deliver “cyber resilience” have not kept pace with the velocity, volume, and variety of cyberattacks. We still read daily about ransomware attacks and other incidents in schools, local governments, and healthcare facilities causing disruption and hardship. The NCS recognizes that voluntary approaches are not working fast enough and seeks to change the status quo through policy. One proposed change is to shift liability for insecure digital products and services from the users to the technology manufacturers. Another is to move minimum cybersecurity requirements from voluntary adoption to mandated implementation under the supervision of government agencies. The goal is to accelerate cybersecurity investment and thereby cyber resilience. These policy changes matter most for the critical infrastructure sectors, which provide essential services that we all depend on.
Securing Critical Infrastructure is a Big Deal
Protecting our critical infrastructure will require the best and brightest minds because the problem is large and complex. A quick back-of-the-envelope calculation, using the three sectors below, suggests a market opportunity approaching $30 billion in the United States alone. According to the Cybersecurity and Infrastructure Security Agency (CISA), there are 16 critical infrastructure sectors whose assets, systems, and networks are considered vital to the United States. To get a sense of the numbers, consider the following sector figures, combined with the illustrative assumption that each organization spends $100,000 per year on cybersecurity:
- The defense industrial base consists of 100,000 firms that provide products and services to the Department of Defense. At $100,000 per firm per year, that is a $10 billion market for Cybersecurity Maturity Model Certification (CMMC) 2.0 compliance.
- On March 7, 2023, the Transportation Security Administration (TSA) issued new cybersecurity requirements for airport and aircraft operators. There are around 19,700 organizations in the aviation sector alone, including aircraft, air traffic control systems, airports, heliports, and landing strips, as well as ancillary service providers such as aircraft repair stations, fueling facilities, navigation aids, and flight schools. At $100,000 per organization per year, that sector is a roughly $2 billion opportunity.
- On March 3, 2023, the Environmental Protection Agency (EPA) advised water and wastewater utilities of the need to shore up their cybersecurity defenses. There are approximately 153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems in the United States, and more than 75 percent of the U.S. population depends on them for potable water and sanitary sewerage. At $100,000 per system per year, that amounts to a roughly $17 billion market.
Clearly, the 16 critical infrastructure sectors have a wide variety of cybersecurity needs and will require tailored solutions. Developing the right cybersecurity risk management model and mandating its adoption are urgent priorities. To make rapid progress, we should consider leveraging cloud computing, the Federal Risk and Authorization Management Program (FedRAMP), and secure, commercially developed innovations.
Steps to Accelerate Cybersecurity for Critical Infrastructure
- Mandate Adoption of Secure and Accredited Cloud Solutions
Cloud solutions accredited for government and public sector use provide a secure foundational set of capabilities that can rapidly improve the cybersecurity posture of critical infrastructure operators. Given the wide variability in the security quality of unregulated commercial offerings, FedRAMP- or StateRAMP-authorized solutions offer a ready-made marketplace of vetted capabilities for protecting critical infrastructure. A recent McKinsey cybersecurity survey found that highly regulated verticals are migrating to the cloud four times faster than unregulated sectors, which makes it all the more important that these regulated entities land on well-secured systems and platforms. Federal cybersecurity grants to state and local governments should emphasize the deployment and use of FedRAMP- and StateRAMP-authorized solutions wherever possible.
- Adapt and Clone Successful Cybersecurity Risk Management Programs like FedRAMP
FedRAMP was established in 2011 to drive the adoption of secure commercial cloud services for government and public sector use. Since then, the program has authorized nearly 300 commercial cloud services and recorded about 4,600 instances of reuse of those authorizations by agencies, saving millions of dollars in duplicative compliance costs. The FedRAMP marketplace is heavily relied upon by state agencies, financial institutions, and even international agencies as a source of new and innovative solutions that meet a high bar for cybersecurity. Its success has prompted the creation of similar risk management programs, among them StateRAMP and TX-RAMP. Policymakers should capture the lessons of FedRAMP in a data-driven case study that documents both the cost avoided from duplicative cybersecurity assessments and the cost avoided from data breaches that might otherwise have occurred.
- Develop a Scalable and Effective Cyber Risk and Authorization Management Program
In accelerating the cyber resilience of the critical infrastructure sectors, it is important to adopt approaches that have worked in the past. FedRAMP has enabled the streamlined adoption of commercial digital solutions by public sector organizations. Each Sector Risk Management Agency (SRMA) with oversight of a critical infrastructure sector should consider adapting and tailoring the FedRAMP program architecture to its own mission requirements. Whatever the tailoring, the two foundational pillars of FedRAMP’s success must be preserved: formal authorization requirements and rigorous continuous monitoring. Incorporating these two pillars into a cybersecurity risk management program is essential if we want to move from a voluntary approach to a mandated posture. The infographic below provides an overview of how such a model might work.
- Incentivize Investment in New and Innovative Cybersecurity Solutions
Much of the current focus is on large firms solving the cybersecurity problems of critical infrastructure. That approach might not yield optimal outcomes. McKinsey’s recent cybersecurity survey points to a pricing mismatch for cybersecurity solutions in the small and medium business (SMB) segment, which results in low adoption. Encouraging small businesses and start-ups to develop new and innovative solutions can help close this market gap. For example, they could be offered Small Business Innovation Research (SBIR) grants to implement strong security measures and seek FedRAMP authorization. SRMAs could also be encouraged to act as sponsoring agencies for innovative solutions seeking FedRAMP authorizations to operate (ATOs), unblocking a critical chokepoint in the FedRAMP marketplace today: a cloud service cannot obtain an agency authorization without an agency willing to sponsor it.
- Harmonize Cybersecurity Requirements and Standards
There is currently a wide variety of cybersecurity frameworks and standards, especially across the critical infrastructure sectors. Over the past few years, the NIST Cybersecurity Framework (NIST CSF) has emerged as a “consensus” standard with growing adoption. SRMAs should continue to publish easy-to-use implementation guides that encourage adoption of the security controls in NIST SP 800-53, the control catalog to which the CSF maps. SRMAs should also be encouraged to use and recommend the Open Security Controls Assessment Language (OSCAL), NIST’s set of machine-readable (XML, JSON, and YAML) formats for control catalogs, baselines, system security plans, assessment results, and plans of action and milestones, to streamline continuous monitoring reporting. NIST and CISA should consider extending OSCAL to cover cybersecurity incident reporting as well. Machine-readable incident documents would make it easier to process, analyze, and respond to incidents through automation and would enable rapid post-incident analytics.
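As an added illustration of what machine-readable OSCAL documents make possible (this is example code written for this page, not part of the original article and not an official NIST or FedRAMP tool), the Python below loads two constructed, heavily abbreviated JSON documents shaped like OSCAL’s profile and system-security-plan models and computes which controls the baseline requires that the SSP does not fully implement. The field names follow the OSCAL JSON models; the titles, component identifiers, control selections, and implementation states are invented for the example, mandatory uuid fields are omitted from the nested objects for brevity, and only the simple `with-ids` style of control selection is handled.

```python
"""Gap analysis over OSCAL-shaped JSON: which controls does a baseline
(profile) require that the system security plan (SSP) does not fully
implement?  Both documents below are constructed, heavily abbreviated
samples for this example, not real FedRAMP or SRMA artifacts."""
import json

# Constructed profile (abbreviated OSCAL "profile" model). Only explicit
# "with-ids" selections are handled; "matching" patterns and
# "exclude-controls" are ignored in this example.
PROFILE_JSON = """{
  "profile": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {"title": "Hypothetical SRMA baseline", "oscal-version": "1.1.2"},
    "imports": [{
      "href": "#catalog",
      "include-controls": [{"with-ids": ["ac-2", "ac-17", "au-6", "ir-4", "ir-6", "si-4"]}]
    }]
  }
}"""

# Constructed SSP (abbreviated OSCAL "system-security-plan" model). Each
# implemented requirement carries one implementation-status per component.
SSP_JSON = """{
  "system-security-plan": {
    "uuid": "00000000-0000-4000-8000-000000000002",
    "metadata": {"title": "Hypothetical water utility SCADA SSP", "oscal-version": "1.1.2"},
    "import-profile": {"href": "profile.json"},
    "control-implementation": {
      "description": "Constructed example data; mandatory uuid fields omitted for brevity",
      "implemented-requirements": [
        {"control-id": "ac-2", "by-components": [
          {"component-uuid": "c-hmi", "implementation-status": {"state": "implemented"}}]},
        {"control-id": "au-6", "by-components": [
          {"component-uuid": "c-hmi", "implementation-status": {"state": "implemented"}},
          {"component-uuid": "c-plc-net", "implementation-status": {"state": "partial"}}]},
        {"control-id": "ir-4", "by-components": [
          {"component-uuid": "c-hmi", "implementation-status": {"state": "implemented"}}]},
        {"control-id": "ir-6", "by-components": []},
        {"control-id": "si-4", "by-components": [
          {"component-uuid": "c-plc-net", "implementation-status": {"state": "planned"}}]},
        {"control-id": "cm-6", "by-components": [
          {"component-uuid": "c-hmi", "implementation-status": {"state": "implemented"}}]}
      ]
    }
  }
}"""

# Ordered from strongest to weakest claim; any other value is treated as weaker still.
STATE_ORDER = ["implemented", "alternative", "not-applicable", "partial", "planned"]


def required_controls(profile_doc: dict) -> set[str]:
    """Control IDs the profile selects via include-controls/with-ids."""
    ids: set[str] = set()
    for imp in profile_doc["profile"].get("imports", []):
        for selection in imp.get("include-controls", []):
            ids.update(selection.get("with-ids", []))
    return ids


def implementation_states(ssp_doc: dict) -> dict[str, str]:
    """Map each control-id in the SSP to its weakest per-component state.
    A requirement with no by-components makes no verifiable claim -> 'unknown'."""
    def weakness(state: str) -> int:
        return STATE_ORDER.index(state) if state in STATE_ORDER else len(STATE_ORDER)

    states: dict[str, str] = {}
    impl = ssp_doc["system-security-plan"]["control-implementation"]
    for req in impl.get("implemented-requirements", []):
        claimed = [bc.get("implementation-status", {}).get("state", "unknown")
                   for bc in req.get("by-components", [])] or ["unknown"]
        states[req["control-id"]] = max(claimed, key=weakness)
    return states


def gap_report(profile_doc: dict, ssp_doc: dict) -> dict:
    """Required-vs-implemented comparison, the kind of result that can feed a
    POA&M or a continuous-monitoring dashboard without a human reading the SSP."""
    required = required_controls(profile_doc)
    states = implementation_states(ssp_doc)
    return {
        "missing": sorted(required - states.keys()),
        "not_fully_implemented": {c: s for c, s in sorted(states.items())
                                  if c in required and s != "implemented"},
        "satisfied": sorted(c for c in required if states.get(c) == "implemented"),
        "unrequired": sorted(states.keys() - required),
    }


def report_from_samples() -> dict:
    """Run the gap analysis over the constructed documents above."""
    return gap_report(json.loads(PROFILE_JSON), json.loads(SSP_JSON))


if __name__ == "__main__":
    print(json.dumps(report_from_samples(), indent=2))
```

The same comparison is what a reviewer does by hand today when reading a PDF system security plan against a baseline; with the documents in OSCAL it becomes a query that can run on every SSP revision. Two design choices worth noting: a control is counted as satisfied only when every component that claims it reports `implemented`, so a single `partial` or `planned` component surfaces the control, and a requirement with no component claims is reported as `unknown` rather than silently passing.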
What the Experts are Saying
“With the recent enactment of the FedRAMP Authorization Act, the federal government has an opportunity to better leverage cybersecurity risk management frameworks that highlight the importance of utilizing commercial cloud technologies. Furthermore, as the FedRAMP program expands to serve more of the federal cloud marketplace, it and associated programs like StateRAMP provide decision-makers with a faster path to authorization, and it is paramount we learn to effectively leverage what’s provided by these pre-approved secure solutions for critical infrastructure protection.”
— Mike Hettinger, Founding Principal, Hettinger Strategy Group
“The release of the National Cybersecurity Strategy roughly three weeks ago has been widely hailed as an important step towards incorporating stronger defenses into U.S. digital networks. But our Federal landscape is replete with strategies, legislation, White House directives, and so on that have had little impact because there has not been the proper follow-up. As we await the promised implementation plan for the strategy, this short paper provides some interesting thoughts about how to move forward with a strong and proven metrics-based approach.”
— Alan P. Balutis, Managing Partner, The CIO Collective