Cybersecurity threats are evolving just as fast as technology is, and federal cybersecurity experts are implementing supply chain strategies and security standards to help protect national critical infrastructure and connected devices as the threat landscape also evolves.
Strategizing security throughout the technology supply chain is a key way that agencies are approaching overall national security. This is especially the case amid major supply chain-related cybersecurity incidents that have occurred this past year, such as the SolarWinds breach.
“If I’m a threat actor and I want to get the most bang for my buck, and I can gain network access into a software company … if I can breach an update server or an entity that I know is used across the whole government or across the whole of the United States’ networks, I can use that as a jumping off point to attack a variety of organizations,” Homeland Security Investigations Cyber Crime Unit Chief Matthew Swenson said during GovernmentCIO Media & Research’s National Security event Thursday.
As the nation tries to strategize around supply chain security, NASA is trying to get ahead in this area with inventory management practices. First the team tries to understand which pieces of their inventory are high-value assets, then they form cycles where it revalidates its critical infrastructure to continually assess its inventory.
“Every 45 days we actually revalidate our critical infrastructure, and it does change. It’s not just static,” said Mike Witt, associate CIO of cybersecurity and privacy at NASA. “It’s a continual reassessment on our end on that. And then we again revalidate the list every 45 days, and then we actually revalidate the security controls assessments over a 90-day span, and we do that every 90 days continuously assessing our security controls around those critical pieces of our infrastructure.”
Witt emphasized that the revalidation process is important because organizations are constantly standing up new systems, and the technology ecosystem continuously evolves.
With the growth of connected and "internet of things" devices, new security matters arise. Real-time operating systems widely used in IOT devices are filled with BadAlloc vulnerabilities, for instance.
“CISA issued a warning about BadAlloc, in this case with real-time operating systems really having an impact from several vulnerabilities there for both IOT and cyber physical systems across a variety of sectors for every aerospace, robotics, rail industrial control system,” said Cyber Quality Service Management Office Chief Vincent Sritapan at the Cybersecurity and Infrastructure Security Agency, which recently published an advisory about this issue.
Sritapan added that for supply chain risk management of IOT and connected devices, he’s been keeping in mind that IOT software is often built on open-source and other underlying technologies, which often have overlooked vulnerabilities.
On top of supply chain, federal cybersecurity leaders are looking to strengthen security standards across the federal government. The National Institute of Standards and Technology has been creating IOT standards in an effort to create new guardrails as increasing use of connected devices introduces new threats to networks and critical assets.
Although agencies have had preexisting risk management and cybersecurity frameworks in place, NIST launched its cybersecurity for IOT program in 2017 to expand guidance so agencies could manage new risks with IOT devices, said Program Manager Katerina Megas.
“Aagencies weren’t always aware of the requirements of the need to manage those risks that arise out of using IOT,” Megas said. “Federal agencies weren’t always aware of how they might have to adapt or change how they approach cybersecurity because of IOT and some of the limitations around IOT.”
The program developed a core baseline, which Megas said identified what her program saw as core capabilities that any IOT device should provide, regardless of the market or enterprise. From there, the program published NISTIR 8259 to encourage manufacturers to adopt core capabilities in their IOT devices to help set a baseline for their security.
The IOT Cybersecurity Improvement Act of 2020 also directed federal agencies to comply with guidelines NIST published to ensure secure acquisition of IOT devices. Megas said that in the near term, NIST is looking to publish its final guidance to help pave a more secure future of IOT and connected device security across the federal ecosystem.
“In the next month or two, federal agencies should be seeing some more detailed guidelines around how to look at IOT devices and having to derive the baseline or the requirements for those IOT devices that would then get built into their acquisition process and the rest of their risk management process,” Megas said.