Cybersecurity is top of mind for the White House and federal agencies amid recent cybersecurity breaches and related concerns on the supply chain. Federal agencies looking to boost security strategies could do so with helpful tools from the Critical Infrastructure Resilience Institute (CIRI).
University of Illinois-led CIRI, a Department of Homeland Security Science & Technology Directorate-commissioned Center of Excellence, dedicates much of its work to improving the cybersecurity posture of the public and private sectors.
The institute’s flagship tool, the Cyber Secure Dashboard (CSD), helps private and public organizations keep track of their IT supply chains and take control of their cybersecurity habits. In an interview with GovernmentCIO Media & Research, CIRI Director Randall Sandone said global supply chain trends like lean inventory management models prompted CIRI to develop the CSD.
“It's really important to understand how sensitive just-in-time inventory regimes are to supply chain disruptions,” he said. “Just-in-time inventory is very financially efficient, but it does introduce a sort of brittleness in the supply chain. One component supplier, maybe a minor component, but if that particular supplier is subjected to a cyberattack and they shut it down for a couple days, it could disrupt the entire supply chain because you can't proceed without that component and don't have a backup supplier (or inventory).”
The CSD harmonizes cybersecurity standards like the NIST Cybersecurity Framework and the Defense Department's new Cybersecurity Maturity Model Certification (CMMC) guidelines to help private and public organizations maintain visibility of their IT supply chains and reduce compliance costs associated with cybersecurity standards.
“What we want to do is reduce risk and enhance overall security of the supply chain by enhancing the cybersecurity of the individual members of the supply chain,” Sandone said. “This project started as funded by the DOD, by the Digital Manufacturing Institute in Chicago — it began outside of CIRI. What we were addressing was a tool to help small and medium manufacturers address new cyber defense requirements. As we got into it, we realized we needed to build a tool that had much more universal applicability.”
The CSD is a cloud-based software-as-a-service (SaaS) solution, but it is also available on premises for those with private clouds.
“It's a management product, specifically a cyber risk management product,” Sandone said. “It helps organizations manage the full range of activities to achieve and maintain enhanced cybersecurity postures in accordance to national standards. It brings it all together in a single unified interface.”
Because the CSD incorporates the NIST Cybersecurity Framework into its calculations, it’s uniquely suited for federal agencies.
“An organization can walk through a self-assessment (with the CSD), to understand what their current cybersecurity posture is,” Sandone said. “Obviously very few will be 100% compliant from day one, so the self-assessment will identify tasks that need to be performed, and then using the tool can assign and schedule tasks, approve if appropriate, and all of this is populated in a plan of action milestones module. If one of the tasks was a quarterly training of some kind, you entered that task and the quarterly training was not accomplished, the status of that particular requirement could go to red, for instance, because the task was not completed. It becomes particularly important when you have a third party come in to identify your cybersecurity status. They can get immediate access to the artifact that demonstrates your compliance.”
In addition to the CSD, CIRI also developed a tool that ranks and prioritizes an organization’s cyber risks and vulnerabilities: the Cyber Risk Scoring and Mitigation tool, or CRISM.
“CRISM is more of a cybersecurity product that can be integrated with the Cyber Secure Dashboard,” Sandone said. “Categorizing and ranking attacks based on their exploitability and impact is what CRISM does, quantitatively analyzing the risks associated with it and generating an attack graph. Based on that analysis, it presents a score, and then it links to the resources you need to address those. It scans against known vulnerabilities in a database it keeps updating from the government.”
CRISM has informed the cyber insurance market, Sandone said, because previously cyber insurance companies couldn’t evaluate “home-grown cyber risk practices” of companies and federal agencies in a standardized way.
In addition to these cyber tools, CIRI is looking ahead to identify and develop solutions for future cyber risks, like 5G and the "internet of things" (IOT) supply chain.
“In a complex IOT architecture, what we want to do is identify the most critical components in that architecture, they can get pretty broad and complex,” Sandone said. “What components in this architecture, if compromised, could cause the most damage? So we’re developing tools to do that. Then we need to look at, who is supplying that component? What risk does that organization and that supplier pose in terms of that component? How can we reduce the overall risk to be more selective with that knowledge in terms of vendor selection of the various components? The impact there is better data-informed decisions on vendor-based risk mitigation.”
5G infrastructure, in particular, poses significant cyber risks, he added.
“The next generation of 911 systems — there's going to be a dramatic improvement in 911 — but in the process, it significantly expands the threat surface,” he said. “There's also supply chain aspects. We all know about Huawei and ZTE. So we need to look at the supply chain aspect as well. We think there will be more research needed in industrial control systems cyber. The recent water supply hack in Florida is a classic illustration of how a cyberattack can potentially poison our citizens. We need to control industrial control systems cyber.”
Other current projects include an EMP risk assessment tool to identify ways to shield critical infrastructure from damage in the event of an EMP, using artificial intelligence to examine past disaster responses to inform future ones (for the benefit of FEMA and the Coast Guard), and a joint project with CISA to create a national cybersecurity workforce training network.
“We focus a lot on infrastructure interdependence, where those infrastructure sectors come together,” Sandone said. “DHS has done some really great work in evolving from the old 16 critical infrastructure sectors. Nevertheless there remains this interdependence between say the power grid and water systems, for instance. Oftentimes, no one is looking at that interdependency. Another area I think and hope we'll be able to get into is doing some research and activities in the area of critical infrastructure exercises with municipalities. It's an excellent way to close the loop.”