DoD to unite IT, building control systems along same cyber lines

The Defense Department is expanding the number and types of devices that are covered under its cybersecurity regulations.

DoD’s Chief Information Officer Teri Takai is expected to issue the new regulations in October.

Daryl Haegley, the program manager for business enterprise integration in the office of the deputy undersecretary of Defense for installations and the environment, said Wednesday DoD is updating the 8500 series guidance as part of the evolution of cyber directives. In the 1990s, DoD initially focused on communication security, or ComSec. It then moved to information assurance, and now it’s full-on cybersecurity.

With that full-on cybersecurity approach, DoD will tell its agencies and services to focus not just on email or business systems, but on anything that is connected to the network.

“It says specifically that all information services and platform IT need cybersecurity considerations. So now it makes on par the industrial control system world and the information service world,” Haegley said at a panel discussion sponsored by Government Executive magazine in Washington. “They define IT here, information services — your email, the things that travel on servers, laptops and smartphones and those sort of things — information security for that. Then platform IT or operational technology or industrial control systems, those networks also have their own category and they also will need the cybersecurity evaluations.”


Industrial control systems (ICS) are those that run the water, air conditioning, heating, electrical, telecommunications and other facilities or physical security systems.

New risk management framework

Haegley said DoD also is updating regulations that would move the Pentagon closer to the civilian government around risk management, which would be a significant change. The National Institute of Standards and Technology recently updated its special publication 800-37 to address cyber risk management.

“Essentially what the CIO and DoD also helped them understand, the old DIACAP process — the certification process that was long and it took a number of years sometimes to get things through. Then once you had a stamp, you were good for three years. You had to check back in in three years,” he said. “That is not keeping pace with what we need for good security practice. DoD is now going to adopt this risk management framework and apply that to its information security and ICS security requirements. In the instruction, it essentially mirrors a lot that is already in that special publication, but there are some nuances.”

DoD created the Defense Information Assurance Certification and Accreditation Process (DIACAP) in 2007.

Haegley said he couldn’t discuss the specific differences between DoD’s new risk management framework and the NIST publication because the document still is in draft form.

A third major change in these new upcoming directives is around reciprocity of certifications. Haegley said DoD will tell the military services and agencies to trust each other when approving products or services that meet the new standards.

Reciprocity has been a huge stumbling block for the entire government. Each agency spends tens of millions of dollars redoing cybersecurity accreditations and authorizations. This redundant and wasteful effort is the reason the Office of Management and Budget introduced and mandated the FedRAMP cloud cybersecurity approval process.

Moderate level of change

Haegley said the updated cyber regulations will be a significant change in some regards, but just a typical update in other ways. He said the DoD CIO’s office has been collaborating across the department on the creation of the updated policy, so no one really should be surprised about what’s in it.

“It does state that there are cybersecurity implications to anything that is connected. The major change is that it includes platform IT or industrial control systems and that connectivity needs cybersecurity as part of its evaluation. That has not been part of it before,” he said. “But all the other standards of certification requirements, periodicity, skill sets and a lot of roles of what the organizations will do has not really changed that much.”

Haegley said one Navy organization, for example, already is designing systems and putting out requirements saying the new technologies must meet the new risk management framework.

DoD faces a major challenge to apply cybersecurity rules and procedures to industrial control systems.

DoD found it has more than 2.5 million unique industrial control systems across the services and agencies.

Haegley said some ICS are managed by vendors, while others are managed by DoD. Some are more than 20 years old and have been retrofitted to communicate with the network, while others are newer and have that electronic communications ability built in.

Attacks on the rise

The government has been trying to address the threat to ICS.

In May, NIST also released the first revision of its industrial control system cyber standards, 800-82.

The Homeland Security Department’s ICS-Computer Emergency and Readiness Team (ICS-CERT) reported in 2012 that critical infrastructure providers reported 198 cyber attacks in 2011, more than a 300 percent increase over 2010.

ICS-CERT also found many companies were inadequately equipped to handle network intrusions. In 12 of the 17 cases, implementing certain security features, such as limiting log-ins and properly configuring firewalls, “could have deterred the attack, significantly reduced the time to detect the attack or at least reduced the impact of the incident,” according to the report.

DHS has not released the 2013 report yet.

The Pentagon has taken steps to ease this burden of updating ICS by bringing the physical security and IT security leaders together.

The convergence of physical and logical security has been a stumbling block for the broad roll out of Homeland Security Presidential Directive-12 smart identity cards across government.

Many agencies use the identity cards as expensive flash passes instead of what they were intended for, which was to ensure the right people are getting into federal buildings.

“We started with getting those stakeholders together, understanding each other’s interests and recognizing that a lot of the legacy ICS systems are now networked and need to be protected in a little bit different way than they had been before,” he said. “We are getting great cooperation. Facility managers, engineers and the public work folks understand there are exploitation avenues that didn’t exist before, and we are seeing cooperation with the CIO and IT professionals to work out a strategy that will work for both entities.”

Security report card

One such strategy is a new checklist that a working group developed over the last year.

Haegley said this checklist will map what the cybersecurity priorities and focus should be for these industrial control systems.

The checklist, which is downloadable from the Homeland Security Department’s ICS-CERT website, will tell the commander or cybersecurity professional if the systems meet the new requirements. They will get a report showing red areas that need to be updated and green areas that meet the standards.

“We made it as user friendly as possible,” Haegley said. “What’s great about that tool is it incorporates a number of different checklists so regardless of what industry you are in, you will be able to use it. So, it’s very user friendly.”

The new instructions also address the issue of oversight.

Haegley said in the IT community, offices designate people to make sure the systems meet the security requirements. So in the new directives, physical control system owners and operators will have to designate officials to oversee how physical control systems are interconnected and how they interact with the broader set of network connections.

The policy also addresses the skill set requirements for those workers who deal with the cybersecurity of the industrial control systems.

Haegley said DoD is expected to issue the new cybersecurity directives in October and then there will be some time for implementation and catch up for systems.

