Despite recent White House efforts to bring some standardization to federal cybersecurity, agencies are still taking different paths to secure their systems and data.
Speaking at the July 18 AFCEA Energy and Earth Science IT symposium in Washington, D.C., Sean Kelley, chief information security officer at the Environmental Protection Agency, said when it comes to his agency’s approach to system security for something like the Internet of Things, it’s all about compliance and “shooting the wolves close to the porch.”
“Internet of Things is one of those things that is in the back of my mind as a worry. We’re looking at it, but do I think it’s high enough on the priority scale of what I should be looking at every day? No, I don’t,” Kelley said. “I think what we have to focus on is how do we make sure those that aren’t doing this right or aren’t doing things right … [that] they are doing the right things. Then we can really start to move from a reactive to a proactive posture. I understand why it exists. It’s there for a reason. I would say today it’s still very much needed. That’s only because I want to see a shift to a proactive posture, which is looking at … how do we get our people to the right level of expertise, get our processes mature enough where they can support these technologies, and bring in the right technologies to support all of that together and bring it together.”
Robert Powell, the senior adviser for cybersecurity in NASA’s office of the chief information officer, pointed out that compliance is a means for managing risk, not an end in itself.
“I tend to think in the realm of risk,” Powell said. “I think that you can get so overly focused on compliance and trying to get a good grade or a good score, or be green or what have you, when really what we need to be focused on is risk. If you forget that basic principle of how do I manage risk, why do we even have a risk process in place? If we’re going through compliance exercises at the expense of not focusing on risk, then that’s a broken model.”
As for its approach to IoT, NASA started an internal working group focused on industrial control systems.
“Our agency does recognize how critical IoT devices, such as ICS, are to our mission,” Powell said. “We do have to ensure there are security best practices in place.”
While IoT can help agencies like EPA collect and share large quantities of environmental data, each internet-connected device added to that exchange widens the attack surface: it can be a target in its own right, or it can be conscripted into a threat like a botnet.
“The problem is when you start looking at botnets, and you start looking at the attacks of today, most of them are automated,” Kelley said. “Once I allow the Internet of Things or any sensor or research device on the network, it’s just like an insider user, it’s the biggest threat that I have inside the network.”
Once a bad actor is in, they don’t even have to be all that sophisticated to move laterally through a network and escalate to administrator privileges, Kelley said.
The White House’s cybersecurity executive order requires agencies to take an enterprise approach to cyber risk assessment and mitigation, while the National Institute of Standards and Technology has its risk management framework to serve as a best practice guide for agencies.
Thinking in the realm of risk might make sense for an agency like NASA, which leans on international partnerships, sharing and connecting devices and systems, and also has a budget nearing $20 billion.
But for EPA, which is looking at a spending plan anywhere from $5 billion to $7 billion for fiscal 2018, there’s not much room to swing for the fences.
“I was in a leadership meeting the other day and they said security’s recognized as the biggest disabler of our business,” Kelley said. “I said with $5.2 million, I agree, because that’s my annual budget. I said when you increase that, or I can take a percentage of everybody’s budget in this room, then we can have a better conversation about how we can enable the business. That’s really what we want to be.”
“I don’t think anyone’s security [officer] nowadays wants to be the ‘no person.’ We want to be someone who says how do we enable this, how do we take a calculated risk that isn’t so high that we know we’re going to get burned,” Kelley added. “No one wants to be the next OPM. No one wants to be in front of Congress, no one wants to have their reputation destroyed because they allowed something where they knew it was going to happen and they bowed to the pressure. But again, the other side of it, we want to enable the mission, not just on the commercial side, but the government side. We want to look at how do we do this and do it securely.”
Brian Tillet, principal and director of security for Cisco, agreed that security “shouldn’t be a Dr. No, it should be a ‘Yes, but,’ or ‘Yes, how.’”
“Looking at the types of things you need to protect and how to build a program around that, how to actually understand what that is, how to make sure that people understand that,” Tillet said. “Do we actually have ROI in security? I will argue that absolutely we do. There’s actually two definitions, you’ve got return on investment and you’ve got risk of incarceration. And you have to figure out which one most applies to you.”