New National Cybersecurity Strategy
On March 2nd, 2023, the White House released a new National Cybersecurity Strategy, more than four years after the previous one, published in September 2018. Notably, the new strategy arrives after the COVID-19 pandemic, which accelerated digitalization and connectivity as people were forced to stay home and work remotely. Digital technology is now far more deeply integrated into daily life, and the volume of personal data being collected has grown exponentially. Theft of that data is growing just as quickly, opening new channels through which malicious actors can monitor, scam, and extort individuals. At the same time, the move to software-defined everything has made already complex and fragile systems even more vulnerable. As critical infrastructure such as factories, power grids, and water treatment facilities replaces traditional analog controls with wireless devices and the Internet of Things (IoT), the Biden administration is concerned that this trend will make essential infrastructure easier to attack, with direct consequences for people’s lives.
Major cybersecurity events such as SolarWinds (2020), the Microsoft Exchange Server attacks (2021), and Log4Shell (2021-2022) have shown that the world is entering a stage of deepening digital dependence, and with it greater exposure to insecure systems. In response, the U.S. government aims not only to improve its defensive capabilities but also to disrupt the primary threats to U.S. national cybersecurity, especially nation-state actors involved in geopolitical conflicts and criminal organizations conducting ransomware attacks. To mitigate the risk of cyberattacks, the Biden administration’s National Cybersecurity Strategy is built on five pillars [1]:
- Defend Critical Infrastructure
- Disrupt and Dismantle Threat Actors
- Shape Market Forces to Drive Security and Resilience
- Invest in a Resilient Future
- Forge International Partnerships to Pursue Shared Goals
Comparing the Old and New Cybersecurity Strategies
The new National Cybersecurity Strategy carries forward the focus of previous policies, including collaborative defense of the digital ecosystem, space system cybersecurity, national artificial intelligence initiatives, and safeguarding the nationwide 5G network. However, in response to new technological trends, evolving threats, and changing international policies, it places greater weight on new infrastructure investment, digitalization, decarbonization of energy systems, protection of the semiconductor supply chain, and modernization of security technology. For critical infrastructure, the implications are especially significant for leading companies in each sector and for practitioners in operational technology (OT) and industrial control systems (ICS). Three strategic shifts stand out [2]:
1. Giving more responsibility to “most capable” enterprises:
The strategy argues that end-users, such as small businesses and individuals, currently bear too much responsibility for cybersecurity. A single person’s momentary lapse in judgment, reuse of an old password, or click on a suspicious link should not be able to affect national security. Instead, whether in the public or private sector, the U.S. government will ask the “most capable” and “best-positioned” actors (large enterprises) to provide security and resilience for the digital ecosystem. This group includes data owners, system owners and operators, and the builders and service providers of those systems.
2. Realigning incentives for long-term investments:
In addition to shifting responsibility toward enterprises, the U.S. government is introducing incentives that shape market forces and reward security and resilience through public programs. These are also intended to cultivate a strong and diverse cybersecurity workforce, coordinate strategic cybersecurity research and development investment, and promote collaborative stewardship of the US digital ecosystem. The aim is to protect existing systems while investing in a future digital ecosystem that is inherently more defensible and resilient.
3. Increasing the importance of cybersecurity for OT and IoT:
In the past, cybersecurity discussions focused primarily on protecting IT systems. With next-generation networking technologies dissolving the boundary between the digital and physical worlds, however, factories, power grids, water treatment facilities, and other critical infrastructure are rapidly adopting digitalized, network-connected Operational Technology (OT). The new National Cybersecurity Strategy emphasizes the need to build more defensible and resilient capabilities for both IT and OT systems. The U.S. government is also committed to improving federal cybersecurity through a long-term effort to implement a zero-trust architecture and modernize IT and OT infrastructure.
The Main Highlights of the Strategy for OT/ICS Cybersecurity
The Biden administration has released a national cybersecurity strategy for the next decade, aimed at creating a more resilient cyberspace. The strategy is organized around five pillars that establish and strengthen cooperation, backed by new funding to roll out security improvements and to build toward a safer future. Of particular interest to us are the new measures for OT/ICS and their potential impact on industry [1]:
1. Defend Critical Infrastructure
The first pillar aims to implement a sustained, effective collaborative defense model that establishes baseline security and resilience in digital systems while distributing risk and responsibility more evenly. The Biden administration holds that end-users should carry less of the security burden and that capable participants must assume greater responsibility for the security and resilience of the digital ecosystem. Regulatory agencies will develop new cybersecurity requirements and regulations to drive security practices at scale, and government and industry will collaborate on a regulatory framework that meets both security and operational continuity requirements.
For OT/ICS practitioners across industries, the new cybersecurity requirements and regulations being formulated by the US government have significant implications. Many critical sectors in the US are already expanding the use of minimum cybersecurity requirements to protect national and public safety. For example, the Transportation Security Administration has issued cybersecurity requirements for oil and gas pipelines, aviation, and rail, and the Environmental Protection Agency has spearheaded cybersecurity requirements for water treatment systems.
Legacy OT/ICS endpoints are often the weakest link: many of them perform important operations or decisions on production lines, yet their software and firmware are no longer updated, so newly discovered vulnerabilities cannot be patched. Any endpoint still running Windows XP or Windows 7, for example, receives no security updates, so every new vulnerability disclosed against it stays open. The modernization of federal IT and OT systems is therefore called out explicitly in the first pillar, which promotes the replacement or upgrade of IT and OT systems that cannot defend against sophisticated cyber threats. One obstacle to revitalizing legacy assets is that traditional antivirus products depend on continuous online engine and signature updates, and file scanning consumes significant CPU and memory. This routinely overloads OT endpoints, and many antivirus vendors no longer support end-of-life operating systems at all. Meeting this challenge requires endpoint protection mechanisms built for these constraints, ones that block malware infection and unauthorized changes and provide hardening features such as USB lockdown, data lockdown, operation lockdown, and configuration lockdown.
For critical industries, however, the greatest concern is the high cost of cybersecurity. In this regard, the US government has begun encouraging regulatory agencies to build on existing international cybersecurity standards and to minimize unique, sector-specific requirements, reducing the burden of regulatory harmonization. The US government also encourages regulators to ensure that necessary cybersecurity investments are incentivized through rate-setting processes, tax structures, or other mechanisms. For example, on September 16, 2022, the Department of Homeland Security (DHS) announced the first national cybersecurity grant program dedicated to state, local, and territorial (SLT) governments, to help those governments fund the cost of implementing cybersecurity.
2. Disrupt and Dismantle Threat Actors
The second pillar states that the United States will take a more aggressive approach to combating cyber attackers. The strategy commits to integrating diplomatic, information, military, financial, intelligence, and law enforcement tools to actively disrupt and sanction malicious actors, including through travel bans and the denial of financial services. Through collaboration between the public sector and businesses, the Biden administration will strengthen efforts against these actors.
Specifically, the strategy discusses measures to counter ransomware. Ransomware activity continues to grow (LockBit 3.0 being a prominent example), a trend highlighted in the OT/ICS Security Annual Report released by TXOne Networks in February 2023 [3]. Ransomware operators threaten national security, public safety, and economic prosperity. Their targets include hospitals, schools, pipeline operations, government services, and other critical infrastructure and essential services. They often operate from safe havens such as Russia, Iran, and North Korea, and they rely on cryptocurrency for ransom payments and money laundering.
Given the impact of ransomware on critical infrastructure services, the US government emphasizes that it will take four actions using its national power to respond to the threat: (1) use international cooperation to combat the ransomware ecosystem and isolate countries that provide havens for criminals; (2) investigate ransomware crimes and use law enforcement and other powers to disrupt ransomware infrastructure and operators; (3) enhance the ability of critical infrastructure to withstand ransomware attacks; and (4) address the problem of virtual currency being misused for ransom payments and money laundering.
3. Shape Market Forces to Drive Security and Resilience
The third pillar aims to shape market forces to promote security and resilience. The document points out that persistent intrusions and personal data theft show that market forces alone have not been enough to make cybersecurity best practices widely adopted industry standards. Companies that choose not to invest in cybersecurity push risk onto those that do, and the cost falls disproportionately on small businesses and vulnerable communities. The US government will therefore hold data stewards accountable for protecting personal data, promote the development of more secure IoT devices, and review relevant laws to hold companies accountable for damage caused by security failures and software vulnerabilities. The federal government will also use public procurement and grants to reward companies that prioritize product security, so that improving cybersecurity pays off financially.
After SolarWinds Orion, the Microsoft Exchange Server attacks, and Log4Shell, government and industry have recognized that too many suppliers ignore secure development best practices: they ship products with insecure default configurations or known vulnerabilities and take on risk from unvetted or unknown third-party and open-source software. The same problems exist in OT systems. To further encourage secure software development, the US government will promote coordinated vulnerability disclosure across all technology types and sectors, support the further development of SBOMs, and develop a process to identify and mitigate risk from unsupported software that is either widely used or supports critical infrastructure. The government will also work with the private sector and open-source communities to keep investing in secure software, including memory-safe languages and secure software development techniques, frameworks, and testing tools.
Procurement contract requirements have long been an effective lever for improving cybersecurity, because they push federal suppliers to strengthen secure software development. Executive Order 14028, “Improving the Nation’s Cybersecurity,” expands on this approach by describing how cybersecurity contract requirements within federal agencies need to be strengthened and standardized. Continuing to develop, implement, and test such requirements through procurement pilots can produce novel, scalable approaches. In parallel, the US government has expressed its intent to work with Congress and the private sector on legislation that assigns liability for software products and services. Such a law would prevent manufacturers and software publishers with market power from fully disclaiming liability by contract and would set higher standards of care for high-risk software scenarios. To encourage secure software development, the government also plans an adaptable safe harbor framework that shields companies that develop and maintain secure software products and services from liability. Drawing on established secure development practices, such as the NIST Secure Software Development Framework (SSDF), this framework would evolve over time to incorporate emerging secure development tools, software transparency, and vulnerability discovery.
The above measures align with the OT Zero Trust concept promoted by TXOne Networks. We believe that, before OT assets are shipped to a plant, suppliers should scan each asset and establish an OT health record (including an SBOM) demonstrating that the equipment contains no malware and no known exploitable vulnerabilities, and that asset buyers should in turn perform device integrity and security configuration checks on receipt. The model is the customs inspection routinely applied to international travel. TXOne Networks recommends that supply chain security be enforced with cybersecurity inspection tools before any new equipment enters a factory or critical infrastructure facility.
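The two receiving-side checks described above, a vulnerability match against the asset’s SBOM and a file-integrity comparison against the vendor’s manifest, can be scripted. The following is an added illustration written for this article; it is not TXOne Networks’ inspection tooling nor any product’s own code. It also covers the “unauthorized changes” concern raised under the first pillar. It assumes a minimal CycloneDX-style JSON SBOM, numeric dotted version strings, and an advisory record that gives only the first fixed version; real feeds (NVD, vendor PSIRTs, CISA KEV) carry richer range data. The SBOM, the file contents and the manifest are all constructed inline so the script runs offline; the only real identifier is CVE-2021-44228 (Log4Shell), which the article already mentions.

```python
"""Pre-deployment check of an OT asset's 'health record': match the SBOM
against an advisory list and verify shipped files against a hash manifest.
Added example for this article; not vendor code."""
import hashlib
import json

# Constructed, minimal CycloneDX-style SBOM for a hypothetical HMI image.
# Component names/versions are illustrative only, not a real product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "application", "name": "hmi-runtime", "version": "5.2.0",
     "purl": "pkg:generic/hmi-runtime@5.2.0"}
  ]
}
"""

# Constructed advisory list: affected package and first fixed version.
ADVISORIES = [
    {"id": "CVE-2021-44228", "package": "log4j-core", "fixed_in": "2.15.0"},
]


def parse_version(v):
    """Assumption: purely numeric dotted versions ('2.14.1' -> (2, 14, 1))."""
    return tuple(int(p) for p in v.split("."))


def find_affected(sbom, advisories):
    """Return (component, version, advisory id) for every SBOM component whose
    version is below the advisory's first fixed version."""
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] == adv["package"] and \
                    parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Vendor side: record the SHA-256 of every shipped file."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_manifest(files, manifest):
    """Buyer side: list manifest entries that are missing or whose hash differs."""
    problems = []
    for path, expected in manifest.items():
        actual = files.get(path)
        if actual is None or sha256_hex(actual) != expected:
            problems.append(path)
    return problems


# Constructed 'golden' image contents as the vendor shipped them.
GOLDEN_FILES = {
    "bin/hmi-runtime": b"\x7fELF placeholder bytes, not a real binary",
    "config/plc_params.ini": b"[plc]\nsetpoint=42\nwrite_enable=0\n",
}
MANIFEST = build_manifest(GOLDEN_FILES)

# What actually arrives: the configuration was altered in transit.
DELIVERED_FILES = dict(GOLDEN_FILES)
DELIVERED_FILES["config/plc_params.ini"] = b"[plc]\nsetpoint=42\nwrite_enable=1\n"


def inspect_asset(sbom_json=SBOM_JSON, advisories=ADVISORIES,
                  files=DELIVERED_FILES, manifest=MANIFEST):
    """Combine both checks; the asset is accepted only if both are clean."""
    sbom = json.loads(sbom_json)
    report = {
        "vulnerable": find_affected(sbom, advisories),
        "integrity_failures": verify_manifest(files, manifest),
    }
    report["accept"] = not report["vulnerable"] and not report["integrity_failures"]
    return report


if __name__ == "__main__":
    print(json.dumps(inspect_asset(), indent=2))
```

Run as-is, the script rejects the asset on both counts: the SBOM lists log4j-core 2.14.1, which is below the 2.15.0 fix for CVE-2021-44228, and the delivered PLC configuration no longer matches the vendor’s hash. Only when the SBOM shows a patched version and the delivered files match the manifest does `accept` become true. The version comparison is deliberately simple; production tooling should use the ecosystem’s own version semantics and full affected-range data.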
4. Invest in a Resilient Future
The fourth pillar of the U.S. government’s cybersecurity strategy looks beyond current cybersecurity problems to the next generation of technology and infrastructure, with the goal of a more secure and resilient network. Through public and private investment, the government aims to build next-generation telecommunications, digital identity, operational technology and industrial control systems, and distributed clean energy technologies, and to develop strategies against threats such as intellectual property theft and election interference. The U.S. government also recognizes the growing importance of quantum computing, which could break much of today’s public-key cryptography, and will accordingly prioritize the transition to post-quantum (quantum-resistant) cryptography.
Forward-looking technology investment has two key aspects. First, federal research and development will prioritize defensible and resilient system architectures, with operational technology and industrial control systems as one focus area. Second, to prevent and mitigate cybersecurity risk in existing and next-generation technologies, investment will concentrate on securing three categories of technology: computing-related industries such as semiconductors, quantum information systems, and artificial intelligence; biotechnology and biomanufacturing; and clean energy technologies.
As the United States invests in next-generation energy infrastructure, the government intends to seize the opportunity to build in cybersecurity from the start by implementing the Congressionally directed National Cyber-Informed Engineering Strategy, rather than bolting on security controls after connected devices are already widely deployed. This shifts the dynamic from reactive fixes to proactive design. On the technology side, priority will go to cybersecurity research and development for next-generation technologies such as post-quantum cryptography, digital identity solutions, and clean energy infrastructure. Hardening efforts cover distributed energy resources, smart generation and storage devices, cloud-based grid management platforms, and transmission and distribution grids designed for high-capacity controllable loads. The U.S. Department of Energy has established two major programs to secure future clean energy: the Clean Energy Cybersecurity Accelerator (CECA) and the Energy Cyber Sense program created by the Bipartisan Infrastructure Law.
5. Forge International Partnerships to Pursue Shared Goals
The fifth pillar aims to build international partnerships through collaborative effort. The Biden administration will work with the United Nations and other countries to develop security frameworks and will support expanding cooperation under the Budapest Convention on Cybercrime, for three main reasons: first, to counter disruptive behavior on the internet by authoritarian regimes through alliances and partnerships among like-minded countries; second, to strengthen the ability of US partners to withstand cyber threats in both peacetime and crisis; and third, to work with allies to build secure, reliable, and trustworthy global supply chains for information and communications technology and for operational technology products and services.
A complex, globally connected production supply chain underpins the technology products and services that drive the US economy. The US increasingly relies on foreign suppliers for critical resources and services, from raw materials and components to finished products and even virtual services, creating multi-pronged systemic risk to the US digital ecosystem. To mitigate this risk, the US government must coordinate closely with allies and partners that share its values and vision to develop critical components and systems.
In the telecommunications supply chain, for example, the US has been working to develop secure, reliable, and trustworthy supply chains for 5G and next-generation wireless networks through initiatives such as Open RAN and other critical technologies. The federal government is introducing new industrial and innovation strategies, including the Bipartisan Infrastructure Law, to protect US information technology and advanced manufacturing supply chains (such as the semiconductor supply chain) while bringing the manufacturing of critical products back to the US and its trusted partners.
The United States will work with allies and partners through regional frameworks such as the Indo-Pacific Economic Framework (IPEF), the Quad Critical and Emerging Technology Working Group, and the U.S.-EU Trade and Technology Council (TTC) to identify and implement best practices for managing cross-border supply chain risk, and to prioritize the transition to trusted suppliers in partner countries and regions. The State Department will accelerate these efforts through a new International Technology Security and Innovation Fund that supports the creation of secure and diversified supply chains for the semiconductor and telecommunications industries.
Conclusion
The US government is taking a multifaceted approach to cybersecurity built on five pillars. The first prioritizes the security of federal networks and critical infrastructure through investment in modernization, defense, and resilience. The second targets cybercrime, with particular focus on ransomware and Ransomware as a Service (RaaS), including actively disrupting the flow of money to criminal organizations. The third promotes or establishes appropriate industrial cybersecurity regulations and standards and creates incentives for adoption through subsidies and new infrastructure investment. The fourth focuses on next-generation cybersecurity technology: reducing systemic vulnerability in the digital ecosystem, investing in post-quantum cryptography and clean energy, and building a strong national cyber workforce. Finally, the fifth promotes global cooperation on key technologies and on secure supply chains, so that global supply chains are safe, secure, and trustworthy.
The release of this National Cybersecurity Strategy marks a new beginning, as securing OT/ICS cybersecurity for critical infrastructure and strategic manufacturing industries becomes increasingly important. Industry leaders need to understand the steps they must take to protect their OT/ICS systems. The engineering team at TXOne Networks is committed to helping industry OT/ICS security leaders streamline critical infrastructure regulatory processes, deploying location-based OT Zero Trust solutions to ensure secure supply chains, and sharing our latest OT/ICS threat intelligence and practical experiences to contribute to a global collaborative defense of digital ecosystems.
Reference
[1] The White House, “National Cybersecurity Strategy”, March 2023.
[2] The White House, “FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy”, March 2023.
[3] TXOne Networks, “Insights Into ICS/OT Cybersecurity 2022”, TXOne Networks, Feb 27, 2023.