Securing a mission-critical infrastructure means improving the DevSecOps process to focus on vulnerabilities.
As Gartner recently observed, “Concerns are growing for the security of cyber-physical systems (CPS) in mission-critical infrastructure, whether ‘brownfield’ CPS from OT/IT convergence or ‘greenfield’ CPS from digital efforts.” With cyberattacks increasing 3,900% between 2013 and 2020, organizations need all the help they can get. And a coordinated strategy that includes CPS security covering operational technology (OT), the Internet of Things (IoT), the Industrial Internet of Things (IIoT), and overall IT security is key to securing your data.
Right now, if anything, we are behind the eight ball on securing our nation’s data. And we may not be moving fast enough in response. As Gartner goes on to say, “The traditional network-centric, point solution security tools originally deployed in critical infrastructure operations are no longer adequate to account for the speed and complexity of the emerging threat environment.”
In other words, you can mitigate risk. But you cannot mitigate a gamble. And it is a gamble to continue doing what you’ve been doing all along. How long can you manage to outrun hackers with your current approach? You need to take a longer, more holistic view. The good news is that effective technology, tools, and processes are there. The bad news is that compliance deadlines may not come soon enough. The time to move quickly and put strategies in place is now, so that you are secure today and prepared for whatever may come tomorrow.
What resources are in place to help secure mission-critical infrastructure?
“The challenge before us is to determine the most effective and efficient implementation across our diverse landscape of operating environments that optimizes limited resources and minimizes impact to innovation and agility,” says Navy CIO Aaron Weis as he develops a roadmap for implementing DevSecOps in the military. DevSecOps is a growing area of specialization in information technology, meant to standardize and adopt security best practices.
Part of that approach in the Department of Defense is DISA’s Security Technical Implementation Guides (STIGs), a cybersecurity methodology for standardizing IT security controls and protocols within networks, servers, computers, and logical designs to enhance overall security. All of DoD uses this standard, and increasingly so does the federal civilian world, which also uses a comparable standard published by the non-profit Center for Internet Security (CIS) and will be subject to a Cybersecurity Maturity Model Certification (CMMC) in the coming years. STIG, CIS, and CMMC all provide detailed checklists and guides to follow to harden your system against attack.
For example, the federal government has also introduced a software modernization strategy for the DoD. The White House has outlined a Zero Trust approach to cybersecurity. And the federal IT dashboard for GSA technologies and project information is getting overhauled as we speak. All of this is part of a concerted effort to secure our systems and stem the tide of attacks.
That sounds like an overwhelming amount of CPS security work.
It is. And that is why owners and operators of critical infrastructure are already looking for new solutions. Finally, automation provides the answers.
Automation can reduce a week’s worth of STIG/CIS/CMMC compliance work to about an hour, dramatically reducing the time it takes to receive an authorization to operate (ATO). And running the software 24/7 can perform continuous diagnostics and monitoring (CDM) to ensure baselines remain secure. Automation ensures the “C” in CDM, enabling agencies to scan complex environments and enforce low-level security configurations. Having a secure storage location for all security configuration documentation is imperative for agencies to streamline their audit processes and reduce human error risks.
Implementing a Zero Trust strategy empowers IT staff to manage, remediate, and update security control configurations using automation to save time, minimize risks, and protect the integrity of your systems.
We have the technology. Now we need momentum.
Security and risk management leaders are struggling with too many security tools, little integration of data, or an incident response that fails to address the convergence of IT/OT. Software vendors need to prepare for more stringent governmental oversight of the software supply chain from coding through delivery and installation. And government agencies need to harden systems while speeding ATOs so that the most secure tools are always online for them.
Some of the best minds in security are putting together the processes, standards, and tools that will lead us into the next era. And some in the DoD are already excelling using the tools and technology we have today. But the glue that makes it all stick is automation. It answers time issues, complexity, cost, compliance, and effort (not to mention morale in the face of mind-numbing manual processes).
Now is the time to move forward. Feel free to reach out if you get stuck anywhere in your process. But if you haven’t taken your first step yet, do it now. And if you are many steps in, keep on trucking.