Federal agencies have continued to release directives and requirements to improve cybersecurity posture for critical industries. One entity consistently issuing guidance is the Cybersecurity and Infrastructure Security Agency (CISA).
Sparked by the recent uptick in cyberattacks on the nation's infrastructure, CISA has increasingly promoted preventative cybersecurity measures, including zero trust. In 2021, CISA issued the Zero Trust Maturity Model, a roadmap for organizations looking to adopt zero trust, and several subsequent advisories have promoted preventative techniques.
The agency recently released its 2023-2025 Strategic Plan, which outlines CISA’s goals over the next three years to minimize cybersecurity risks to critical infrastructure, such as energy systems, oil & gas pipelines, and manufacturing, and build resilience. The plan features many promising actions, including maturing CISA’s risk analysis capabilities, expanding regional capacity to better support stakeholders following incidents, and promoting security software and hardware designed with operational technology (OT) and industrial control system (ICS) assets in mind.
In addition, CISA issued a joint advisory with the National Security Agency (NSA) on protecting OT and ICS assets titled "Control System Defense: Know the Opponent." The advisory explains how cyber actors target OT and ICS, notes that traditional cybersecurity strategies no longer adequately protect against today's threats, and provides mitigation techniques. For example, the advisory identifies remote access as a key weak point and describes methods to secure access points, starting with a full "connectivity inventory" of every remote access point into the control system network, including points that could be enabled but are not currently in use.
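A connectivity inventory is only useful if it is reconciled against what is actually listening on the network. The script below is an added example, not code from the original post or from the CISA/NSA advisory: it parses constructed nmap grepable output (`-oG`) for a few invented OT hosts, extracts the open ports that correspond to interactive remote-access services, and compares them with the access points the operator has declared. Host names, addresses, the declared inventory and the list of "remote-access" ports are all assumptions made for illustration; a real deployment would tune the port list to the protocols and vendor tools actually in use.

```python
"""Reconcile observed remote-access listeners with a declared connectivity inventory.

Added example (not from the original post or the CISA/NSA advisory). The scan
data, hosts and declared inventory below are constructed for illustration.
"""
import re
from collections import namedtuple

# Ports commonly used for interactive remote access into OT networks.
# Assumption: illustrative list, not taken from the advisory.
REMOTE_ACCESS_PORTS = {
    22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc",
    5938: "teamviewer", 4899: "radmin", 1194: "openvpn",
}

Listener = namedtuple("Listener", "ip host port service")

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")
PORTS_RE = re.compile(r"Ports:\s+([^\t]*)")


def parse_grepable(text):
    """Parse nmap -oG lines into {ip: (hostname, [(port, proto, service), ...])}.

    Only ports in state 'open' are kept; comment lines and 'Status' lines are ignored.
    Each port entry has the form port/state/proto/owner/service/rpc/version/.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name = m.group(1), m.group(2)
        open_ports = []
        pm = PORTS_RE.search(line)
        if pm:
            for entry in pm.group(1).split(","):
                fields = entry.strip().split("/")
                if len(fields) >= 5 and fields[1] == "open":
                    open_ports.append((int(fields[0]), fields[2], fields[4]))
        hosts[ip] = (name, open_ports)
    return hosts


def build_inventory(hosts):
    """Observed remote-access listeners: the raw material of a connectivity inventory."""
    found = []
    for ip, (name, ports) in hosts.items():
        for port, proto, _service in ports:
            if proto == "tcp" and port in REMOTE_ACCESS_PORTS:
                found.append(Listener(ip, name, port, REMOTE_ACCESS_PORTS[port]))
    return found


def reconcile(observed, declared):
    """Compare observed listeners with the operator's declared access points.

    declared maps (ip, port) to a justification string.
    Returns (undocumented, stale): listeners nobody declared, and declared
    entries that were not observed (candidates for removal from the inventory).
    """
    observed_keys = {(l.ip, l.port): l for l in observed}
    undocumented = [l for k, l in sorted(observed_keys.items()) if k not in declared]
    stale = sorted(k for k in declared if k not in observed_keys)
    return undocumented, stale


# Constructed sample scan output (not real hosts). Fields are tab separated as in nmap -oG.
SCAN = """\
# Nmap scan (constructed sample, not real output)
Host: 10.10.1.5 (hmi-01)\tPorts: 22/open/tcp//ssh///, 502/open/tcp//mbap///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.10.1.7 (eng-ws-02)\tPorts: 23/open/tcp//telnet///, 5900/open/tcp//vnc///
Host: 10.10.2.20 (plc-03)\tPorts: 502/open/tcp//mbap///, 22/filtered/tcp//ssh///
"""

# Constructed declared inventory: what the operator believes the access points are.
DECLARED = {
    ("10.10.1.5", 3389): "vendor remote support, brokered",
    ("10.10.1.7", 5900): "engineering workstation, approved",
    ("10.10.2.20", 22): "legacy entry, believed decommissioned",
}


def audit(scan_text=SCAN, declared=DECLARED):
    """Run the whole check and return (undocumented, stale)."""
    observed = build_inventory(parse_grepable(scan_text))
    return reconcile(observed, declared)


if __name__ == "__main__":
    undocumented, stale = audit()
    for l in undocumented:
        print(f"UNDOCUMENTED  {l.ip} ({l.host}) {l.port}/{l.service}")
    for ip, port in stale:
        print(f"STALE         {ip} port {port} declared but not observed")
```

On the constructed data the audit flags SSH on the HMI and Telnet on the engineering workstation as undocumented remote-access points, and the declared SSH entry on the PLC as stale because the port is filtered rather than open. Both findings are exactly the kind of discrepancy the advisory's connectivity inventory is meant to surface; in practice the scan would be run from inside each OT segment, since a filtered result from one vantage point does not prove the service is gone.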
Threat detection, as reflected in both CISA's strategic plan and the joint advisory, is an important element of any cybersecurity strategy. However, there is an opportunity for CISA and other government agencies to place more emphasis on proactive, preventative actions in future plans. Most notably, critical infrastructure operators can start building up cyber defenses that stop attacks before they succeed, rather than only detecting them afterwards, by embracing zero trust, as CISA has already advocated in other resources.
It is a common misconception that a proactive approach to cybersecurity is impossible, or that current OT environments, which feature a layered mix of legacy and modern equipment, are too complex for a zero trust model. CISA could help dispel this myth by providing concrete steps for adopting zero trust defense. We have seen this work in practice: Xage has assisted dozens of operators through adoption of zero trust models. For instance, zero trust enables access to OT/ICS systems without relying on complex firewall rules, direct RDP access, or jump box-managed log-ins.
CISA should integrate its own work on proactive zero trust strategies into its future publications, especially to communicate that preventative cybersecurity does not require operators to rip and replace existing equipment. We are confident that CISA will, in due course, update its plans or release new ones that reflect the principles it and many others are already promoting.