Secure by Design

Written by Sherri Middleton.

CISA’s New Initiative Aims to Set New Security Standards in Software

The Cybersecurity & Infrastructure Security Agency (CISA) recently launched a Secure by Design initiative that provides guidance for software manufacturers to ship software with security as a core consideration from the earliest stages of the development cycle. We talked with CISA’s Matthew Rogers about the process of building out the initiative and how it will affect utility security.

Utility Security Magazine:
Tell us more about what inspired this Secure by Design initiative.

Matthew Rogers:
So, it was in part inspired by a Foreign Affairs article titled ‘Stop Passing the Buck on Cybersecurity.’ Cybersecurity is a global multibillion dollar industry and the scale continues increasing for threats. But as people in the utility space understand, we don’t have the workforce or the ability to scale out to make it more secure. So how do we make software secure by design and make it so end users have to patch less, which makes security much less expensive for that end user as well? How can we make cybersecurity scale better? That means removing classes of vulnerabilities and removing memory safety issues from products in the first place. That will take time, but it will make it better. So, we’ve built out short-term and long-term goals for those companies who take the pledge to create secure by design software.

Utility Security Magazine:
There have been a lot of issues of hacking with utilities. Can you talk more about the threats and how these efforts are helping neutralize those threats?

Matthew Rogers:
We can point to a lot of incidents over the last six months that are driving it, just in the OT space alone. We had the Cyber Avengers group incident and that added exposed programmable logic controllers (PLCs) to Russian “hacktivists” attacking utilities. It indicates that a lot of criminal state-affiliated actors are starting to pick on the same small guys. They are getting to the low hanging fruit. In these cases, it was almost certainly a default password connected to the open internet. A lot of utilities are investing more money into cybersecurity to make sure things like that don’t happen, but at the same time, it really shouldn’t be as hard as it is to have that level of basic cyber hygiene.

It’s little security solutions like this that drive down risk that cause a lot of problems from the manufacturers’ end. You set the password when you’re dealing with the device, or it’s going to be unique per device, so that even if it’s exposed to the open internet, they can’t brute force it easily.

The initial player focuses on software. We don’t want to accidentally use the very real operational concerns of existing legacy environments as an excuse not to do better. We’re trying to find the right balance of how to do that now.

Utility Security Magazine:
So the Secure By Design Initiative asks OEMs to participate by signing on to a pledge. Can you go into more detail about that?

Matthew Rogers:
There are seven elements of the pledge. [See sidebar for each.] The common weakness is not publishing a vulnerability disclosure policy. People need transparency and vulnerability reporting. People need to understand what kind of vulnerabilities they are seeing over and over again. The real driver for reducing entire classes of vulnerability is a memory safety issue. It’s not that you did a terrible job of patching it the first time. It’s that a lot of companies are playing whack-a-mole, going from one vulnerability to another. When you can solve this, or ask how am I programming in such a way that this is occurring across my entire codebase, or how can we change our development environment to cut it out?

Utility Security Magazine:
Patch rates are not high in utilities. Part of that is downtime concerns, which are very real. Getting the cybersecurity people and asset owners and operators to take time to schedule those security patches is difficult to produce at scale. What is the solution there?

Matthew Rogers:
It’s focusing on the most critical thing. There are things that we’ve seen exploited by threat actors — known exploited vulnerabilities we’ve seen out in the wild. We must increase the ability of customers to gather evidence of intrusion when logging in to the baseline version of a product. How do you know that an intruder is not changing the engineering logic? How do you know they aren’t sending firmware updates? How do we make it so that evidence is built in throughout the lifecycle of a cyber incident? How do we make sure that incident responders have the tools they need to either declare the incident from an operator’s perspective and make a meaningful triage of the problem so they can fix it right now? It’s all guesswork without evidence of intrusion.

Our hope is that the industry or groups that are signing on to the pledge can say “we are meeting the metrics. We’re taking customer security seriously.” That means that my organization is less expensive overall. I might have to patch less. The security functionality exists. And I know over time our products will drive down risks so I won’t have to invest a ton of money mitigating controls because I can trust that I have a secured product. That’s the goal.

There are national security reasons and safety reasons. You hope these companies are taking your safety and security seriously. The pledge is a way to show that you are taking safety and security seriously.

Utility Security Magazine:
So, can you give our readers some insight into how you worked with the industry to create this initiative?

Matthew Rogers:
The vast majority was working with the IT Sector Coordinating Council. The manufacturers were brought in and they’re serious about it (cybersecurity). The number one thing we always hear from asset owners is a concern for cybersecurity. We need to get to a world where the foundation of equipment that you’re purchasing can support proper security foundations. It’s not that the product security people at these OEMs don’t want to do security. Historically, they’ve been serving utilities for decades. Their foundation is from a culture focused on safety and process controls and that comes at the cost of security.

Cybersecurity is fundamentally a trade-off. It costs money. We’re hoping to help. Through interviews with asset owners and manufacturers, you unify demand.

Matthew Rogers, PhD, is an Industrial Control Systems (ICS) Cybersecurity Expert in the Office of the Technical Director at CISA and the lead for the Secure by Design initiative for Operational Technology (OT). He received his PhD in securing legacy OT networks in vehicles from the University of Oxford on a Rhodes Scholarship. Matthew worked as the founding engineer at a vehicle and weapons system cybersecurity startup before pursuing broader ICS cybersecurity efforts at MITRE. Matthew’s focus at CISA is on ICS strategy and how ICS research and development efforts can be transitioned to effective tools for critical infrastructure sectors.

The pledge is structured with seven goals. Each goal has core criteria that manufacturers pledge to work towards, in addition to context and example approaches to achieve the goal and demonstrate measurable progress. To enable a variety of approaches, software manufacturers participating in the pledge have the discretion to decide how best they can meet and demonstrate the core criteria of each goal. This is a voluntary pledge focused on enterprise software products and services, including on-premises software, cloud services, and software as a service (SaaS). The seven goals ask OEMs to, within one year of signing the pledge:

  1. Demonstrate actions taken to measurably increase the use of multi-factor authentication across the manufacturer’s products.
  2. Demonstrate measurable progress towards reducing default passwords across the manufacturer’s products.
  3. Demonstrate actions taken towards enabling a significant measurable reduction in the prevalence of one or more vulnerability classes across the manufacturer’s products.
  4. Demonstrate actions taken to measurably increase the installation of security patches by customers.
  5. Publish a vulnerability disclosure policy (VDP).
  6. Demonstrate transparency in vulnerability reporting.
  7. Demonstrate a measurable increase in the ability for customers to gather evidence of cybersecurity intrusions affecting the manufacturer’s products.