A Conversation with Massachusetts’ Chief Information Officer

November 13, 2018

National Institute of Standards and Technology, U.S. Department of Commerce (NIST)
N. Hanacek

On October 31, 2018 the Securing the Enterprise Conference at MIT brought together cyber-security experts from business, government, and academia to discuss the cyber threats facing public and private enterprises. We met with Dennis McDermitt, the Chief Information Officer for Massachusetts, who shared a few thoughts on how states can improve cyber-security for critical infrastructure.

Conventionally, states have prioritized the prevention of cyber-attacks. However, the volume and diversity of attacks make fully eliminating the cyber-threat nearly impossible. Mr. McDermitt suggested organizations should place a greater focus on detecting and responding to cyber-attacks. This includes identifying and protecting the most vital assets, while having incident response protocols in place for if and when an attack occurs.

Broadly, Mr. McDermitt echoed other panelists’ view that organizations need not eliminate cyber-risk entirely; they need only make the cost to the hackers higher than the expected payoff. One common approach – “red-teaming” – asks organizations to hack themselves to identify vulnerabilities. This has been widely adopted in information technology, though less so in critical infrastructure, which is operational technology. The key difference is that operational technology is considerably more sensitive, and red-teaming these devices could damage or disable the infrastructure. However, a careful red-teaming exercise on a subset of critical infrastructure that is more resilient to such testing could strengthen utilities’ capacity to respond to evolving threats.

Ransomware attacks, which recently struck Atlanta and Denver, are one such threat. In these situations, Mr. McDermitt asserts, entities under attack should never pay the ransom. Acquiescing to ransom demands simply increases attackers’ incentive to attack again in the future. Making this type of decision, though, requires a clear chain of command, which Mr. McDermitt plans to establish within his own agency through an administrative directive. While we understand this stance, there are operational realities that prevent many critical infrastructure organizations from following the advice not to pay, as noted here.

Other states have addressed this challenge through legislation, regulations or executive orders that establish reporting requirements, task an agency or person with creating a cybersecurity plan, and in a few cases outline incident response protocols. However, Mr. McDermitt noted, designing and implementing new legal requirements is a blunt tool for responding to highly diversified cyber threats and targets.

Some states are grappling with the diversity of threats by directing agencies or utilities to align their cybersecurity plans with national templates such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. While Mr. McDermitt has assisted in developing such frameworks, he questioned their efficacy, given that critical infrastructure governance varies widely among the states. Further, there have been some operational barriers to adoption of such frameworks, as noted in this recent GAO report.

Nevertheless, knowledge sharing among agencies and jurisdictions can be very important for limiting risk. Sharing descriptions of technical interventions, in particular, may be more effective than promoting best management practices. Mr. McDermitt noted that while educating employees on how to respond to phishing attacks is important, implementing advanced phishing filters can reduce the number of phishing emails that reach employees by orders of magnitude. The Center for Internet Security’s list of 20 controls (CIS-20) is one frequently referenced resource for this approach.

Another approach is the formation of an inter-agency cybersecurity commission or Information Sharing and Analysis Center (ISAC), tasked with facilitating inter-agency communication and/or developing recommendations. A stumbling block, however, is the division of powers within every state. Further, ISAC participation is weak across many sectors, which severely limits their efficacy. Speaking from experience, Mr. McDermitt noted how communication and coordination within large commissions can hamper the development and implementation of recommendations. Instead, Mr. McDermitt recommended much smaller commissions of officials with technical expertise who are empowered to wield enforcement authority.

These are but a few of the available approaches, which, like cyber threats, are diverse and shifting quickly. Future posts will explore these approaches in greater detail and highlight opportunities for states to safeguard critical infrastructure.