How the 2022 National Defense Authorization Act (NDAA) Impacts ICS/OT Cybersecurity
Last week, Dragos held its first webinar in the Dragos Federal Webinar Series. Our Federal webinar series focuses on several different topics important to the ICS/OT federal community and will feature subject matter experts from government agencies and industry who discuss cybersecurity solutions targeted to OT security defenders. Let us know what webinar topics interest you.
The federal government has the right to protect national security, but much of national security, as it relates to the cybersecurity of critical infrastructure, is heavily influenced by the private sector. As part of this mission, both industry and government agencies must comply with federal requirements that are sometimes difficult to navigate. That brings us to our first webinar, on the 2022 National Defense Authorization Act (NDAA) and what it means for industrial control systems (ICS) and operational technology (OT).
Dragos’s Chuck Weissenborn hosted Daryl Haegley, a cybersecurity control systems expert from the US Department of Defense, and Dave Forbes, a cybersecurity leader from Booz Allen Hamilton, to discuss the 2022 NDAA and its implications for network architecture, asset visibility, and process for control systems in critical infrastructure. Watch the webinar on-demand.
NDAA FY22 Provisions Emphasize ICS/OT Cybersecurity
Let’s take a step back. Every year, Congress drafts and debates an NDAA covering provisions for the Department of Defense (DoD) and defense-related critical activities in other federal departments. Each year the NDAA focuses on a variety of topics. This year there are specific tasks within the cybersecurity provisions that place emphasis on securing Industrial Control Systems (ICS)/Operational Technology (OT) and critical infrastructure.
There were roughly 37 cybersecurity amendments in this fiscal year’s NDAA, many of which will have a positive and increased impact within the ICS/OT space. The NDAA for FY22 addresses a handful of cybersecurity topics and trends, including the roles of the DoD and CISA in implementing more robust cybersecurity programs and practices, with a heavy emphasis on public-private partnerships to effectively accomplish the assigned requirements.
“What we are advocating for, coordination and integration, where it makes sense…. we are not advocating for one-off buy-in because frankly, it limits our ability to take a defense in-depth approach to security…when you try to rush to a solution, you are limiting yourself.” - Dave Forbes, ICS/OT Cybersecurity Leader, Booz Allen Hamilton.
Provisions Affecting ICS/OT and Critical Infrastructure
The NDAA has key ICS/OT and critical infrastructure cybersecurity provisions covering these core topics: ransomware, incident response, procurement of cybersecurity products and services, public-private partnerships, and critical infrastructure [1]. Ransomware trended high across the cybersecurity community in 2021 and was noted as the number one attack vector in the industrial sector [2]. As such, the Department of Defense (DoD) is tasked with conducting a comprehensive assessment of its ability to disrupt and defend against ransomware attacks and developing recommendations to deter and counter such attacks [1].
During 2021 there were a slew of attacks that resulted in rapid incident response across multiple sectors, demonstrating the ever-changing and growing cyber threat landscape. From the SolarWinds breach to the Colonial Pipeline ransomware attack and the Pulse Secure VPN and Log4j vulnerabilities, the industrial threat landscape proved wide and vast in 2021. Recognizing exponential increases in malicious cyber events and activity, CISA was tasked to update the National Cyber Incident Response Plan, which hasn’t been updated since 2016 and will now require updates every two years.
This provision also requires CISA to engage with industry on the government’s responsibilities and capabilities regarding incident response. Additionally, CISA has been tasked with creating a National Cyber Exercise Program with the intent to exercise the newly revamped National Cyber Incident Response Plan. The program will rely on current risk assessments and plans to simulate partial or complete incapacitation of a government or critical infrastructure network from a cyber attack [3].
CISA, in consultation with DoD, has been tasked to report recommendations on how the DoD can improve support and assistance across information technology (IT) and networks that support critical infrastructure within the United States that have been affected by cyber threats and vulnerabilities. Within CISA, a “CyberSentry” program will be established to provide continuous monitoring and detection of cybersecurity risks to owners and operators of critical infrastructure [4].
As part of the DoD Protected Critical Infrastructure Program (CIP) and under NDAA FY22, DoD will map all mission-relevant terrain in cyberspace for Defense Critical Assets (DCAs) and Task Critical Assets (TCAs) across IT and OT systems [3].
“There are actions that can be taken now, inaction is not an option, starting somewhere with whatever level of resources you have is pretty important to get the path forward. You make the case by tying it to the mission. The OT connections to the mission platforms that reside on these installations and infrastructure can make or break our ability to respond.” - Daryl Haegley, Director of Control Systems, US DoD
United States Cyber Command (USCYBERCOM) will revise Joint Forces Headquarters-Department of Defense Information Network’s (JFHQ-DODIN’s) cybersecurity posture, ensuring visibility of OT. With that, USCYBERCOM must also ensure OT cyber defense is incorporated into training for the Cyberspace Operations Forces, including development of a joint training curriculum, tradecraft, and operational constructs that support OT-focused Cyberspace Operations Forces [3].
The military departments (MILDEPS) have been tasked to make essential investments in OT that support the cyber defense of forces, facilities, and critical infrastructure [3].
The Secretary of Defense is responsible for finalizing the Office of the Secretary of Defense (OSD) roles and responsibilities for overseeing OT cybersecurity across the Department and for defining funding needs to support remediation of cybersecurity gaps in DoD OT [3].
How Dragos Can Help
During 2021, Dragos uncovered that 86% of its services customers had limited to no visibility into their ICS environment [2]. There is no way to copy IT solutions into OT environments and achieve a successful level of security. The NDAA, in a way, recognizes this concept given references to OT specific requirements that must now be met across the DoD and United States Government.
Dragos offers capabilities that enable customers to build a more defensible architecture through an OT continuous monitoring solution (CMS), such as the Dragos Platform. A CMS ensures customers achieve and maintain full visibility across their OT environment. Additionally, Dragos enables more efficient and effective prioritization and management of OT vulnerabilities.
Dragos also supports customers through a variety of Professional Services offerings such as tabletop exercises, architecture reviews, incident response, vulnerability assessments, and penetration testing. Tabletop exercises can assist customers in testing their incident response plan through customized scenarios, while architecture reviews provide a comprehensive topology review intended to eliminate vulnerabilities and make recommendations that improve a customer’s overall OT security posture.
“Focus needs to be on resilience, recommend doing tabletop exercises minimum, but make folks aware you cannot operate without these things.” - Daryl Haegley
Any ICS/OT training requirements can also be met through our Dragos 5-Day OT Training Course. Dragos stands willing and ready to assist our government partners and customers with their OT cybersecurity objectives to ensure the safety and security of people, processes, and technology.
Learn more about Dragos product and services offerings targeted to industrial ICS/OT environments at: dragos.com.
Provide Feedback for Future Webinars
We’re calling on all ICS/OT defenders to share what topics they would like to see on future segments of the Dragos Federal Webinar Series. Your opinion will help shape our programming and we appreciate your feedback in this quick, 1-minute survey.
1. C. Hebdon, P. Rosen, K. Growley, E. Wolff, M. Lerner, and M. Gruden, “Cybersecurity provisions proliferate in the National Defense Authorization Act,” Crowell & Moring LLP, 10-Jan-2022. [Online]. Available: https://www.crowell.com/NewsEvents/AlertsNewsletters/all/Cybersecurity-Provisions-Proliferate-in-the-National-Defense-Authorization-Act. [Accessed: 02-Mar-2022].
2. Dragos, “Dragos ICS/OT Cybersecurity Year In Review 2021.” Dragos, 01-Mar-2022.
3. J. Slye, “Defense cybersecurity provisions in the final 2022 National Defense Authorization Act,” GovWin IQ, 16-Dec-2021. [Online]. Available: https://iq.govwin.com/neo/marketAnalysis/view/Defense-Cybersecurity-Provisions-in-the-Final-2022-National-Defense-Authorization-Act/6310?researchTypeId=1&researchMarket=
4. Armed-Services.Senate.gov, “Summary of the Fiscal Year 2022 National Defense Authorization Act,” Armed-Services.Senate.Gov, Jan-2022. [Online]. Available: https://www.armed-services.senate.gov/imo/media/doc/FY22%20NDAA%20Agreement%20Summary.pdf.