SecurityInfoWatch.com editors recently engaged Ghousuddin Syed, who is the Vice President of Technology & Infrastructure, overseeing ISN’s Architecture, Corporate IT, Technical Operations, ISO Management Systems, and Products Security Teams. ISN is a global leader in contractor and supplier information management. Since 2001, ISN has helped enterprises proactively reduce risk by qualifying and monitoring contractors to promote safe and sustainable operations throughout the supply chain.
Syed set the tone for our discussion by describing how he thinks Cyber-Informed Engineering (CIE) will help transform how critical infrastructure approaches its ever-expanding cybersecurity threats. According to the Office of Cybersecurity, Energy Security, and Emergency Response, CIE is an emerging method to integrate cybersecurity considerations into the conception, design, development, and operation of any physical system, energy or otherwise, to mitigate or even eliminate avenues for cyber-enabled attacks. CIE concepts use design decisions and engineering controls to prioritize defense against the worst possible consequences of cyberattacks facing critical infrastructure systems and asset owners.
Syed tackles this concept and offers other best practices for enhanced cybersecurity hygiene for most organizations.
SIW: How will CIE help transform the security posture of critical infrastructure?
Syed: Historically, cybersecurity was an initiative that was added onto existing processes to make them more resilient to attack or compromise, for example, updating HTTP to HTTPS or FTP to SFTP. Cyber-Informed Engineering (CIE) is a strategy to design cybersecurity risk out of the development and operation of these critical infrastructure systems. Systems engineering best practices show us that planning for security considerations earlier in the lifecycle, instead of retrofitting a current system to be secure, is a better strategy that can reduce cybersecurity risk.
SIW: What are some examples of engineering decisions informed by cyber risk? What does this look like in practice?
Syed: Let’s go back to that classic example of HTTP. Pretty soon after it was introduced, it was widely recognized that having open communications between two systems would not be ideal in most circumstances. Professionals identified this gap and closed it by introducing asymmetric and symmetric encryption algorithms to engineer out the risk of having data exposed to prying eyes. In practice, for a critical infrastructure segment such as nuclear power generation, facilities are typically air-gapped, meaning internal networks are unable to make connections externally. These facilities do not just click “disable Wi-Fi” in their system settings; in the design phase of development, professionals engineer out the ability to make that connection in the first place. This is really what we’re trying to accomplish in the CIE strategy.
SIW: Why is it crucial for critical infrastructure organizations to monitor contractor and supplier cybersecurity risk?
Syed: Cybersecurity risk can manifest in a variety of ways, and it is often the companies that have fewer resources to defend against cyberattacks that make ideal targets for cybercriminals. Contractor and supplier cybersecurity risk is not just limited to companies that have access to a critical infrastructure organization’s networks or systems. ISN collects data on all our contractors and suppliers, and we’ve seen that it’s not just these IT companies causing data breaches. Companies that indicate they perform work for traffic control, catering, rigging, forklift operation and even industrial door repair have publicly disclosed a data breach. This is why it is crucial to implement a cybersecurity risk management strategy that extends across all supply chain participants and scales depending on the level of risk they present.
SIW: What technology and programs can organizations supporting critical infrastructure implement to manage cyber risk effectively across their supply chain?
Syed: We help all organizations, critical infrastructure or not, defend against supply chain attacks by standardizing a tiered, third-party risk management program across all supply chain participants that pose a cybersecurity risk to the organization. We accomplish this by establishing a baseline of cybersecurity due diligence and then increasing that level of review as contractors or suppliers become higher risk. Common first steps in this process are collecting Cyber Questionnaire responses, requiring Cyber Liability Insurance, and reviewing a supplier’s Cyber Risk Rating. As a supplier’s risk level increases, we can verify internal cybersecurity policies through Document Collection and even assess a company’s internal security posture with a Cyber Plus Assessment.
SIW: What does the recently issued CISA guidance mean for critical infrastructure entities using open-source software? How will it affect organizations’ supply chain risk management?
Syed: CISA’s guidance is an excellent initiative. Cybersecurity awareness is paramount, and this encourages organizations to strongly consider the security of Open-Source Software (OSS) in Operational Technology (OT) and Industrial Control Systems (ICS) where some teams may have turned a blind eye to it. CISA recommends companies take common first steps such as implementing measures to manage vulnerabilities and deploy patches. This relates to the broader topic of software bill of materials (SBOM) when discussing supply chain risk management. When we see stronger SBOM adoption numbers across the industry, it will allow supply chain participants to share what components of their software, including open-source software, introduce vulnerabilities into an organization’s supply chain. This level of information sharing across the supply chain will help professionals deliver well-informed cyber risk decisions back to the business.
SIW: The rise of automated and connected process control systems has also increased exposure to cyberattacks that can disrupt utility assets and even impact supply. Most currently installed devices have little to no security functionality; many cannot even be updated or patched. What are some best practices to protect process control systems?
Syed: Process control systems (PCS) are essential to the operation of many critical infrastructure organizations. In these situations where a critical asset cannot be updated or patched, it becomes a conversation about the organization’s risk tolerance. If an asset has a vulnerability that is very simple to execute but is near impossible to exploit given the location or nature of the PCS, maybe the organization doesn’t need to worry about protecting that PCS. If we’re discussing a PCS that’s essential to the operation of the business but can’t be replaced with one that is patchable, and that has a critical vulnerability, teams will need to engineer compensating security controls that provide sufficient protection to the PCS and reduce the risk level to an amount that is palatable to the organization.
SIW: What does network segmentation mean in the context of operational systems?
Syed: Network segmentation is just a method of separating networks or systems from one another. Architecturally, cybersecurity professionals want to do this to reduce the likelihood of an attacker using lateral movement techniques to move through networks. It’s part of a defense-in-depth (DiD) strategy that makes organizations more resilient to cyberattacks. For example, if an attacker compromised one system directly connected to another via an Ethernet cable, the attacker could likely move to that other system. On the contrary, if we go back to the air-gapped example we discussed earlier, if an attacker wanted to move from the compromised system to a system that was engineered without the ability to connect to an external network, it would be much more difficult for the attacker to reach that system.
SIW: How should security teams work to minimize insider threat opportunities?
Syed: The most important part here is that the initiative needs to align with current business objectives and not be perceived as a witch hunt to discover malicious employees. Insider threats can stem from internal employees, contractors, suppliers or other third parties. Visibility into all areas of an organization’s operations is key to detecting when insider threats arise. Automatic systems that detect and alert to indicators of compromise (IOCs) and anomalies will allow security teams to quickly identify the behaviors of a bad actor. Other cyber hygiene best practices such as implementing principles of least privilege, enforcing security awareness training (SAT), and testing an organization’s incident response plan also allow security teams to be more effective.
More on Ghousuddin Syed
Before joining ISN in 2014, he worked at Yahoo! for 14 years, where he served as Director of Engineering for several platforms, including Video, Personalization, and Cloud & Big Data. Before working at Yahoo!, he was a software engineer with the Central Intelligence Agency in Langley, VA.
He holds a Bachelor of Science in Electrical Engineering, with a minor in Computer Science, from Cleveland State University. Ghousuddin is a member of the GIAC Information Security Advisory Board, Southern Methodist University Cyber Advisory Board, and SANS CISO Network and serves on the board at Children’s Health and The Family Place.