The New National Risk Management Center: What’s Good. What’s Still Needed

Homeland Security secretary Kirstjen Nielsen announced the formation of a new National Risk Management Center last week. Wired and other publications covered the news. The Center will focus on risk management across sectors, defending US critical infrastructure against hacking by evaluating and sharing threats. Initially, the Center will focus on the energy, finance and telecommunications sectors.

According to Nielsen, the Center will serve as a focal point for cybersecurity within the Federal government. As she said, “We are reorganizing ourselves for a new fight.” The timing of the announcement is auspicious. The same week, senior intelligence and homeland defense officials warned of “pervasive” Russian efforts to disrupt the 2018 elections. Legislation intending to further bolster cyber defense is also in the works in Congress. Finally, it seems, Washington is taking concrete steps to improve the nation’s overall cyber security posture.

These moves resonate with arguments made in two books that every serious student of American cyber vulnerability should read. As David Sanger astutely notes in The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age, the United States suffers from a serious imbalance between its offensive and defensive cyber capabilities. While the US possesses what are probably the most powerful cyber weapons in the world, according to Sanger we are at the same time too big and too vulnerable to defend. The Center is a step towards correcting this dangerous imbalance.

Ted Koppel, in Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, brings specificity to Sanger’s perspective. His book explores the frightening risk exposure in the nation’s power grid. The proposed National Risk Center is another incremental move aimed at remediating this potentially devasting problem.

Homeland Security secretary Kirstjen Nielsen

The cyber security industry is rising to the occasion as well. From the point of view of Katherine Gronberg, VP of Government Affairs at ForeScout, “The National Risk Center should be an improvement over the current model of sharing threat intelligence amongst government agencies and infrastructure providers. Threat sharing was a good start, but we need to do more, to be more proactive. The new Center should be a good vehicle for change in this regard.”

Katherine Gronberg

Like a number of firms that deal with security for critical infrastructure, ForeScout engages in dialogues with Federal cyber security policy makers. In ForeScout’s case, the government seeks their input due to the company’s expertise in security for the Internet of Things (IoT), particularly solutions for Operational Technology (OT) and the networked devices found in SCADA systems.

The challenge, as Gronberg sees it, is for operators of Infrastructure Control Systems (ICS) in Ccritical infrastructure like power utilities, to make the best use of the threat data they will get from the National Risk Center. “Getting from point A, where you have good threat information and a collective interest in improving security, to point B, where you actually have stronger security, is a multi-layered process,” said Gronberg.  “You have technology, public policy, corporate security policies and of course, you have money,” she explained.

As Koppel pointed out in “Lights Out,” a reluctance to invest (or the inability to invest) is one of the major obstacles preventing power companies from upgrading security. This is not an insurmountable problem, however, as Gronberg sees it. “Of course, it’s easy for me, as a vendor, to say that power companies should spend money,” she shared. “However, as we work with critical infrastructure providers, we can often find ways for them to beef up their defenses without the kind of large-scale investment they might have imagined was necessary.”

“A lot of companies that operate in the electrical grid have been told they have to replace much, if not all of their security infrastructure—that they must do hard installs of huge numbers of devices to mitigate threats against ICS,” Gronberg said. “This can look prohibitive. Now, though, there are new, less heavy weight options.”

Companies like ForeScout are introducing innovations in countermeasures to protect ICS with relative economy. Using a more passive approach, the agentless ForeScout solution offers visibility into all networked assets without having to scan them. ForeScout, like its peers, is aligned with the new NIST standards, that recommend continuous monitoring of critical infrastructure. “If you identify an issue with a device,” Gronberg said, “You can know right way what its type is, who made it and if its deviating from its baseline. You can take action quickly. You don’t want a server that you don’t recognize on your network, for example.”

Such fast response is essential for utilities that are engaged in “just in time” delivery of power. The Koppel book highlights the risks inherent in the just in time mode of the power grid, expressing concern that the US electrical system could be vulnerable to a “Stuxnet” type attack where power transmission capacity is overloaded by malicious actors while monitoring systems are simultaneously blinded to what is going on. Solutions like ForeScout put in place monitoring that can flag suspicious activities in ICS before they cause real harm to equipment and people.

It’s important to have an informed, balanced perspective on the risks, though, according to Gronberg. “Is it really possible to ‘take down’ or ‘infect’ all of the grid at once? The simple answer is that this would be very, very difficult for any adversary to do today, and I don’t believe it is possible today.  The electric grid of the continental US States is serviced by three regional interconnections (Western, Eastern and Texas).  Within the regions there is interconnection from the standpoint of power transmission, however, the individual IT networks of power companies are not.”

Thus, she reasoned, “An ‘infection’ (i.e. malware) cannot spread like ‘wildfire.’” She added, “The key thing to focus on is that our adversaries appear to be targeting control systems, and we know that they are persistent. So, whereas it is not possible today for them to create an attack that would infect wide swaths of our power infrastructure in one fell swoop, they may be intent on penetrating them methodically over time.  As we discussed, we need to be concerned that our adversaries seek not just the ability to interrupt power, but the ability to destroy infrastructure with the (presumed) intent of being able to disrupt parts or all of American society.”

Finally, she cautioned, “Right now, the physical systems that comprise our power grid do not have the redundancy to withstand destructive attacks (localized or widespread) and this is one reason why, as I mentioned, DHS has announced a greater focus on identifying and managing risk to the critical sectors — not only the grid, but also financial and telecommunications and, eventually, the others.”