Critical infrastructure pain points: The toughest challenges
Accenture Federal Services recently hired cybersecurity expert and former CISA executive Rick Driggers. He brings more than 30 years of federal government and military experience to AFS and will play a key role in developing cybersecurity solutions designed to protect critical infrastructure.
This was the perfect time to sit down with Rick and learn more about critical infrastructure security as well as his future plans.
You have been in the cybersecurity industry for quite a while. What were your main drivers when choosing this profession?
I would say that I have been in the “critical infrastructure” security industry for a while. When I arrived at DHS in 2003, I initially worked in the Office of Intelligence and Analysis. While there, I learned of the Department’s critical infrastructure mission and wanted to be a part of it.
I was fortunate to be in Military/Federal Government service for over 30 years, spending the last 17 years working in the Cybersecurity and Infrastructure Security Agency, whose central mission is the security of our nation’s critical infrastructure, and working with other critical Departments and Agencies that share a similar mission, such as the Department of Energy, Department of Defense, Transportation Administration, and Health and Human Services, to name a few.
The mission and the people were the main drivers for me to remain with CISA for the last 17 years. Our Nation’s cyber and physical infrastructure underpins our national and economic security, public health, and safety, and provides the critical functions our citizens depend on in their everyday lives.
That infrastructure, the benefit from it and access to it, in a way defines our country…it is why the American dream is a reality. That infrastructure connects our towns, cities and States, our health care, education, and transportation systems, and our manufacturing, financial, and communications industries and most importantly families, friends, and communities.
Securing and protecting our nation’s infrastructure is challenging and the complexities are ever evolving. It requires innovation, investments in the near term and the out years, and strong partnerships across industry and all levels of government.
Due to the evolving threat landscape and the ever-expanding attack surface as businesses continue to automate processes and functions, our critical infrastructure has become a key target set for criminal and nation-state threat actors.
Now that you have joined Accenture Federal Services, what issues do you plan to address first? What are your priorities?
AFS is known for innovation and the relentless pursuit of solutions to solve hard and complex challenges – and doing that by bringing the latest technologies and our mission experience together with proven commercial innovation, as well as drawing additional capability and insights from global Accenture.
My priorities:
- Advance my knowledge of AFS and the innovative capabilities and services we bring to the fight to help defend and secure our nation’s critical infrastructure, with a specific focus on operational technology (OT) and industrial control systems (ICS).
- Expand AFS’s world-class multi-disciplinary team to assist our clients in securing and protecting our nation’s infrastructure.
- Explore opportunities to partner with Government and industry across the OT/ICS community.
- End State: To lead an OT/ICS Practice within AFS leveraging the tremendous talent and capabilities across Accenture and with our strategic business partners.
What do you think are the greatest critical infrastructure pain points? How have these evolved over the past few years?
Various Federal Departments and Agencies, including the Department of Defense and the Intelligence Community, have mandates and authorities to assist critical infrastructure owners and operators in securing their networks and systems. These mandates and/or authorities are often implemented as disconnected voluntary programs that share information on threats, vulnerabilities, indicators of compromise, etc.
The Federal government also provides guidance and advice on mitigations, security controls, best practices, and conducts vulnerability/risk assessments, hunt and incident response services and various frameworks to increase cybersecurity.
Many Departments and Agencies also oversee and implement complex regulatory programs that often result in compliance and checklist drills vice mechanisms that increase cybersecurity and drive down risks.
And while regulation is not necessarily the problem, the way regulatory authorities and programs are piecemeal across Federal and State and local governments is. The patchwork of regulatory programs across multiple Departments and Agencies at the Federal and State and local governments is confusing, can be redundant and often does not change the risk picture.
For example, a single company in the manufacturing sector may have to coordinate across multiple, sometimes 3 or 4, Departments and Agencies to implement and comply with regulatory requirements. Coordination is expensive and requires a lot of time and effort and it does not buy down any risk or enhance the security posture of any one company or asset. Those resources are better spent on cyber resilience.
What information security technologies are particularly important for the protection of critical infrastructure? What should government CISOs pay particular attention to?
There is no specific information security technology that does it all. It is important to have technology that provides visibility across your networks and systems… if you can’t see it, you can’t protect it. So, continuous monitoring of capabilities is essential as is ensuring you have a complete and accurate inventory of system and data assets. Data backups, multi-factor authentication, and patch and update management processes are critically important to ensure a ready cybersecurity posture.
Many of these capabilities are challenging to implement at scale across operational technology environments due to the complexity of functions and operations managed by industrial control systems.
It is important for CISOs to:
- Have a broad understanding of the organization’s business functions and risk tolerances
- Implement a solid training program to ensure ALL employees understand their responsibility in helping to protect the organization’s networks and systems
- Maintain and exercise an incident response plan
- Build a network of trusted partners with strategic business and Government partners.