It's been a full year since the new administration issued its first cyber executive order, “Presidential Executive Order (EO) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” with an emphasis on leadership accountability and a risk management approach to cybersecurity strategies, policies and practices. The EO also placed significant emphasis on the need for agency IT and cybersecurity personnel to expand their organization’s support for securing critical infrastructure (CI) assets. As the one-year milestone approached last week, news outlets attempted to gauge the progress – or the lack thereof – that has taken place since the order was issued. Some highlights included:
- The National Security Council’s delayed cyber-deterrence strategy
- The elimination of the White House Cybersecurity Coordinator
- A new executive order strengthening CIO authority
- Newly published agency strategies that reflect the EO’s mandates
- The American Technology Council’s first year and its greatest accomplishment
If I were to summarize the headlines, I would probably say that progress has been “mixed.” Tripwire recently released a report that is also being considered as an indicator of progress, specifically regarding the EO’s critical infrastructure security mandate. The “ICS Security in the Energy Industry” was conducted in March 2018, and its respondents included 151 IT and operational technology (OT) security professionals at energy and oil and gas companies, 28 percent of which self-identified as “government-managed” organizations. Consistent with the indicators above, Tripwire’s data shows progress as “mixed” or “slow.” On the one hand, we can view the glass “half-empty” (or mostly empty) by the fact that 81 percent of respondents from government-managed organizations still believe a cyberattack could result in a catastrophic event (approx. 10 percent higher than non-government managed organizations) and 64 percent view the probability of a security attack on ICS systems still as “likely” or “inevitable.” Another lack of progress appears to be with the challenges that still dog the industry as a whole. Both government and non-government managed organizations still feel most vulnerable to the age-old challenges of phishing attacks, lack of built-in security and unpatched systems. On the other hand, respondents clearly see promise. When asked if government guidance had helped their ICS security practices, 94 percent of total respondents indicated that government standards and guidelines are helpful best practices and described the guidelines as “excellent” and a “good start.” Another good sign is that over half of the survey’s total respondents say they have increased their security investment because of recent ICS threats. The EO should be credited for recognizing that threats have increased as connectivity and automation increase, and that the threat of disruption or mismanagement of CI assets is becoming common to all agencies. While support and investment at the executive level of government will be the driving force of progress in years to come, I believe we can say with a high degree of confidence that progress is indeed being made. For more information about the EO, download Tripwire white paper “Securing the Cyber EO’s Four Critical Frontiers.”
