DHS Sharing Classified Threat Information With Service Providers
The U.S. Department of Homeland Security is sharing classified information with managed services providers in a bid to strengthen the security of private sector owners of critical infrastructure.
Currently AT&T and CenturyLink are the approved service providers under the agency's Enhanced Cybersecurity Services (ECS) program, but the agency is seeking to establish ties with other MSPs, said DHS Assistant Secretary Andy Ozment of the Office of Cybersecurity and Communications. That office is a division of the National Protection and Programs Directorate and is responsible for ensuring the security and reliability of communications infrastructure.
Speaking at the recent annual Forum of Incident Response and Security Teams (FIRST) Conference in Boston, Ozment said past attempts to share data have been hampered by communication gaps, making the information unreliable and outdated by the time it arrived. A direct link puts threat intelligence in the hands of the providers managing systems at private-sector businesses before criminals change their approach, he said.
[Related: Security Expert: Industry Is Failing Miserably At Fixing Underlying Dangers ]
"We are threading the needle by engaging private-sector, managed security service providers by setting up this infrastructure to help them," Ozment said.
Under the Enhanced Cybersecurity Services program outlined by Ozment, the DHS guidelines require business owners to gain validation as a critical infrastructure entity. Service providers can get additional information to seek approval to offer cybersecurity services using intelligence data under the ECS program. The threat feed could be a win for service providers if they can gain approval without the government imposing too many restrictions on how the information could be used, service providers interviewed by CRN said.
President Obama issued an executive order on cybersecurity last year in response to cybersecurity legislation that failed to gain approval after it was widely opposed by privacy advocates and Republican lawmakers. Privacy groups joined some technology industry luminaries who feared it could impose overarching surveillance powers while some Republican lawmakers opposed the measure, citing cost concerns associated with increased regulation. The Obama cybersecurity directive establishes voluntary guidelines for businesses in 16 critical infrastructure sectors, including manufacturing, agriculture, information technology, water and healthcare. Many of those sectors are midsize, private-sector businesses that rely on service providers to oversee critical IT systems, Ozment said.
"We’ve got the attention of large businesses and I see changes in how they run their operations but the small and medium will be a challenge to us," Ozment said.
The DHS is also developing sector-wide risk assessments in partnership with the private sector as part of implementation plans established by the National Institute of Standards and Technology. The NIST Cybersecurity Framework, a set of voluntary minimum security guidelines and related activities, was created under the presidential executive order. The framework organizes security activities into five high-level functions: identify, protect, detect, respond and recover. Some businesses run industrial control systems, specialized hardware and software that monitor and control temperature, chemical mixtures and other sensitive processes, and those systems are in dire need of attention, Ozment said.
"The U.S. government now has a clear approach focused not on regulation, but cooperating with the private sector," Ozment said. "We talked to regulators and don’t see a need for additional regulations at this time."
Security Basics, Incident Response Sorely Needed
Solution providers said the effort to bolster the protection of critical infrastructure facilities is sorely needed. Many of the facilities are owned and operated by small regional businesses that don't often consider their systems at risk, lack IT teams, run outdated systems and frequently lack the funds to adequately address physical repairs.
Service providers are lucky to find an incident response plan at all, said Rob Kraus, director of security research at Solutionary, a managed security services subsidiary of NTT Group. Kraus, who analyzed 2013 security incidents handled by teams at NTT's global subsidiaries, found that businesses need to do a better job at identifying and addressing vulnerabilities and configuration weaknesses. Establishing better, basic security practices is the first part of an effective security program and sharpening incident response processes comes next, augmented by service providers, Kraus said in a recent interview with CRN.
Small and midsize businesses often believe they are immune to targeted attacks, solution providers said. Ozment highlighted an incident in which the agency's newly created Industrial Control Systems Cyber Emergency Response Team assisted with a compromise at a public water utility. Throughout the entire incident, he said, water utility officials couldn't understand why anyone would want to attack the facility.
The attackers saw a poorly protected computer at the water utility as an opportunity to gain initial access and ultimately infiltrated the control system before the compromise was detected, he said. As in many attacks, the method the criminals used to gain access was not sophisticated, Ozment said: the access control mechanism in place was susceptible to a brute force attack.
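The article gives no details of the utility's logs or login system, so the following is an added example of the detection logic a service provider could run over authentication logs, not code from the article, DHS or ICS-CERT. The log format, the field names and the sample lines are constructed for the example; real systems (sshd, a VPN concentrator, an HMI's web front end) use their own formats and would need their own parser. It counts failed logins per source address in a sliding window, regardless of which account was tried, so password spraying across several accounts is caught as well, and it separately flags a success that follows such a burst, which is the trace a brute force attack that worked leaves behind.

```python
"""Brute-force login detection over constructed auth log lines.

Added example, not from the article or any DHS/ICS-CERT material. The
key=value log format below is hypothetical; adapt parse_line() to the
real source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: one source hammers two accounts and then
# gets in; a second source is a normal user with a single typo.
SAMPLE_LOG = """\
2014-06-20T03:12:01 result=fail user=admin src=203.0.113.7
2014-06-20T03:12:03 result=fail user=admin src=203.0.113.7
2014-06-20T03:12:04 result=fail user=operator src=203.0.113.7
2014-06-20T03:12:06 result=fail user=admin src=203.0.113.7
2014-06-20T03:12:07 result=fail user=admin src=203.0.113.7
2014-06-20T03:12:09 result=success user=admin src=203.0.113.7
2014-06-20T03:15:00 result=fail user=jsmith src=198.51.100.4
2014-06-20T03:40:00 result=success user=jsmith src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) result=(?P<result>fail|success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one hypothetical log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, src, timestamp) tuples, in log order.

    kind is "burst" the first time a source accumulates `threshold`
    failures within `window`, and "success_after_burst" when a login from
    that source succeeds while its window still holds `threshold` failures.
    Failures are counted per source, not per account, so spraying many
    accounts from one address is still detected.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    burst_flagged = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable line: skip rather than crash the pipeline
        q = failures[ev["src"]]
        # Slide the window: drop failures older than `window` before this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "fail":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in burst_flagged:
                burst_flagged.add(ev["src"])
                alerts.append(("burst", ev["src"], ev["ts"]))
        elif len(q) >= threshold:
            # A success right after a burst is the signature of a guess that worked.
            alerts.append(("success_after_burst", ev["src"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:20s} src={src}")
```

On the sample input the first source triggers a "burst" alert on its fifth failure and a "success_after_burst" alert two seconds later; the second source never reaches the threshold, and its earlier failure has aged out of the window by the time it logs in. The per-source window is deliberately independent of any per-account lockout: a lockout alone is defeated by trying a handful of passwords against many accounts, and a remote-access service that enforces neither is exactly the kind of access control the water utility incident describes.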
"We still have people who are clear and obvious targets and still think this is not going to happen to them and that’s a real challenge," he said.