cybersecurity review
By Tim Jones and Alison King, Forescout
The Cybersecurity and Infrastructure Security Agency (CISA) earlier this year announced that the next phase of its Continuous Diagnostics and Mitigation (CDM) program would broaden to include non-traditional technology, such as Operational Technology (OT) and the Internet of Things (IoT), in 2024.
At its 2012 launch, CDM was focused on gaining centralized visibility of traditional IT assets across civilian agencies. Since then, CDM has broadened its scope to include assets in mobile and cloud platforms, laying the groundwork for extending parity in visibility across increasingly complex environments.
While it is not news that the entirety of the enterprise needs to be taken into consideration for risk and exposure programs to be successful in the age of zero trust, it is momentous that a program as large and influential as CDM (which spans 92 federal agencies and boasts 3 million endpoints) is set to embark on securing non-traditional technology assets. So, why now, and what will it take to overcome the challenges inherent in understanding, interacting with, and protecting OT?
Why now?
While the security risks of non-traditional technology are not new, three significant factors have now come to a head, creating the perfect storm to prompt CISA to declare that the next phase of CDM will incorporate OT and IoT. Those factors are A) the knowledge gleaned from the first part of CDM, B) the known increase in threats to critical infrastructure, and C) the evolution of cybersecurity policy.
What will it take to make CDM’s evolution to include non-traditional technology feasible?
One part of the challenge is that OT and IoT are built differently from IT. Non-traditional technology is often assets that don‘t have agents or come from a managed service, which means a lot of custom operating systems. Another part of the problem is the abundance and longevity of non-traditional assets in federal networks. A third challenge is that broadening the scope of CDM’s purview increases the (already large) amount of asset data to track – ensuring the quality of the data is critical.
In preparation for this evolution, it is important to leverage highly scalable technology to handle the influx of new data elements. One single source of trusted data and a solution that can address all three categories of IT, IoT, and OT in a single pane of glass becomes even more critical for the successful future use of artificial intelligence (AI) or machine learning (ML) capabilities, which will depend on clean, structured data.
Once a single source of trusted data has been validated, the first step is identifying all system components. Next is prioritization of what to conquer first, depending on each asset’s risk factor, leading to the creation of a tailored zero trust strategy.
The strategy will be shaped by exploring questions such as: How large is my platform? What is on it? What’s the risk factor of each component? Once the risk factors have been prioritized, agencies will need to take the more challenging step of first making sure that the riskiest assets are not internet-exposed and then coming up with a plan to replace them.
There must be some level of accountability and manageability around those assets in the move towards zero trust, including questioning: What services are on them? What functionality they provide? What kind of data will be moving around inside the enterprise? Those are all going to be components of this evaluation around IoT and OT that CISA is calling out.
Ultimately, for the evolution of CDM to succeed, we need to foster a culture change – transitioning from blanket acceptance of the presence of, for example, the telepresence-connected video camera in the conference room to the exploration of: What’s running on that system? Is that part of my network? Have we segmented that device into a safe environment?
As we start to report back the types of assets coming into the enterprise, we need to dig beneath the surface to determine if they are going to satisfy zero trust requirements.
Tim Jones is Vice President of Public Sector Systems Engineering, and Alison King is Vice President of Government Affairs at Forescout.
