State of the States: The Role of State Governments in Protecting the Cybersecurity of Critical Infrastructure www.GlobalCyberPolicyWatch.com March 2019

State of the States: The Role of State Governments in Protecting … · 2019-03-27 · Protecting the Cybersecurity of Critical Infrastructure Executive Summary The national security


Executive Summary

The national security of the U.S. is inherently tied to the cybersecurity of the 16 critical infrastructure sectors that the Department of Homeland Security has designated. While national cybersecurity initiatives are currently in place to provide key resources to critical infrastructure sectors, the federal system of government in the U.S. means that there is a limited role for state and local governments to affect the cybersecurity of the critical infrastructure.

As the cyber threat environment continues changing, however, it is important that state and local governments don’t try to over-regulate cybersecurity with prescriptive laws or guidelines. Instead, the federal example of providing overview frameworks and voluntary guidelines should be followed while states develop their own approach to cybersecurity. Voluntary guidelines have been especially effective in the natural gas pipeline industry’s cyber-readiness through the Transportation Security Administration’s (TSA) “Pipeline Security Guidelines.” TSA’s guidelines have encouraged near industry-wide compliance and in many cases oil and natural gas companies exceed the recommended defenses. This issue brief outlines the role that states and local governments play in helping to protect critical infrastructure.

Key Points:

• The cyber threat to critical infrastructure is increasing. Recent reports by the Federal Bureau of Investigation and Department of Homeland Security detail the threat environment clearly, and critical infrastructure industries are building up their defenses and cyber workforces to meet growing needs.

• Private – public coordination benefits both parties. The federal cybersecurity landscape is complex and shifting between new agencies addressing cybersecurity and infrastructure security (CISA) and federal frameworks that are regularly updated (NIST Cybersecurity Framework). However, through voluntary guidelines and important private-public partnerships, the federal government works with the private sector critical infrastructure operators to improve cybersecurity. For example, the Transportation Security Administration’s (TSA) “Pipeline Security Guidelines” have encouraged near industry-wide compliance and in many cases energy companies exceed the recommended defenses.

• Local government efforts to improve cybersecurity should complement the current cybersecurity environment, not complicate it. States don’t need to start from scratch when working with critical infrastructure operators and owners. Instead, they can model state-level operations on federal frameworks and follow the lead of implementing voluntary guidelines instead of prescriptive regulations. Voluntary guidelines have been especially effective in improving the natural gas pipeline industry’s cyber-readiness.

• State governments can and should serve as an added layer of protection. A reported 23 of 50 states have cyber security task forces in place. The benefits afforded by cyber-interconnectedness are jeopardized if states do not fulfill their cybersecurity responsibilities. In order to maintain resilience and defend against current and future threats, state and local governments, the federal government, and critical infrastructure owners and operators must work together to continue protecting the homeland from foreign adversaries and cyber attacks.


I. Background

Today, reports of increased cyber threats face every industry and every type of business, including the government. As our society moves forward, adapting to the latest technology tends to further expose industries and individuals to cybersecurity vulnerabilities. The question remains: how can we best protect the country from this increased risk?

Critical infrastructure operators, often private businesses, face a unique risk. These operators are oil and natural gas pipeline companies, chemical companies, metal and machinery manufacturers, financial service providers, and more. If these sectors are impacted through a successful cyber attack, there would be a debilitating effect on the economy, national security, and/or public safety. Because of this, the Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security (DHS) has centralized cybersecurity protection for these sectors.

Cyber threats to U.S. critical infrastructure are becoming increasingly more strategic and targeted, putting our national security at risk. The amount of damage caused by both physical and cyber attacks could amount to millions in the public and private sectors.1 Beyond the economic impact, the threat to electrical grid operations and power plants could shut down hospitals, security systems, and stock exchanges.2 The World Economic Forum named cyber attacks as the third-largest threat facing the world after natural disasters and extreme weather in 2018.3 The reliance on, and connectedness to, the internet has increased the exposure to nefarious cyber activities. The threat of cyber warfare grows daily as the scale and sophistication of cyber attacks on all critical infrastructure sectors increases. The evolving technological environment requires proper security controls to combat today’s and tomorrow’s security threats. Efforts to safeguard critical infrastructure have been made by federal agencies and regulations, but there is still a clear role that states can play to improve the overall cybersecurity of critical infrastructure sectors.

1 https://www.agcs.allianz.com/assets/PDFs/GRD/GRD%20individual%20articles/022014/GRD-2014-2-CyberRisks.pdf
2 http://globalcyberpolicywatch.com/category/reports/
3 http://www3.weforum.org/docs/WEF_GRR18_Report.pdf

State and local governments provide the first line of defense in the event of a catastrophic attack. However, there is a disconnect between state and local governments, the federal government, and the critical infrastructure operators. States can take major strides towards an improved cybersecurity posture by following the federal example, tailoring and supplementing it, and then implementing deliberate cyber and critical infrastructure security strategies to meet that state’s unique needs. While some states are leaders in cybersecurity and set a great example for others to follow, more could be done nationally to improve cybersecurity and better protect critical infrastructure. The states should follow the lead of the federal government by advocating for increased adoption of voluntary best practices and established cybersecurity guidelines. Every level of government has a role to play in helping to improve the cybersecurity of critical infrastructure.


II. Cyber Attacks on Critical Infrastructure

The threat of cyber attacks on critical infrastructure is very real. In January 2019, the Office of the Director of National Intelligence (ODNI) released its annual Worldwide Threat Assessment of the U.S. Intelligence Community. The Assessment presented cyber as the most crucial threat to the global community. American adversaries, like China and Russia, are increasingly expanding their cyber operations to negatively impact the U.S. economy and political systems. Furthermore, they will increase attempts to threaten and steal information, influence citizens, and disrupt U.S. critical infrastructure.4

The latest intelligence shows that the Chinese government is working to disrupt critical infrastructure through extended, long-term cyber attacks on critical infrastructure sectors like the natural gas industry. Russia’s agenda focuses on disrupting critical and military infrastructure through cyber attacks during a crisis, and is localizing attacks on specific regions and infrastructure sectors “to create substantial damage.”5 Furthermore, the threat of foreign interference in the electoral infrastructure is constant and indicates the vulnerability of American systems.

4 https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf
5 https://www.dhs.gov/cisa/critical-infrastructure-sectors
6 https://www.securityinfowatch.com/access-identity/access-control/article/12427447/americas-critical-infrastructure-threats-vulnerabilities-and-solutions
7 https://www.realclearpolicy.com/public_affairs/2018/11/07/defense-in-depth_cybersecurity_in_the_natural_gas__oil_industry_110902.html
8 https://www.eia.gov/tools/faqs/faq.php?id=207&t=3
9 https://thehill.com/opinion/cybersecurity/357902-more-must-be-done-to-protect-americas-nuclear-power-plants-from
10 https://pulitzercenter.org/reporting/nuclear-power-plants-have-blind-spot-hackers-heres-how-fix

Beyond direct impact to critical infrastructure facilities and operations, cyber vulnerabilities also affect the product of those operations, like electricity or clean water. Critical infrastructure facilities are generally concentrated in one geographic location, meaning that a successful attack could cripple entire facilities, disabling plants that could be the main providers in the industry. For example, about 43 percent of America’s oil refineries lie on the coasts of Texas and Louisiana.6 The interdependence on the power grid and the proximity of operation locations make energy systems attractive targets for cyber attacks.

As a result, cybersecurity is a top priority for all critical infrastructure operators, but especially the liquefied natural gas (LNG) and oil industry. Oil and LNG companies have increased protections of control systems and operational technology to improve the industry cyber posture. Recent reports indicate that most, if not all, operators have adopted the National Institute for Standards and Technology (NIST) Cybersecurity Framework and industry-specific standards, and collaborate across public and private sectors to share information and key best practices.7

Conversely, other energy industries struggle with improving cybersecurity due to some inherent weaknesses. Aging nuclear plant facilities present unique challenges. The Energy Information Administration reports that there are 60 commercially operating nuclear power plants with 98 nuclear reactors in 30 U.S. States, supplying about 20 percent of the nation’s electricity. 8,9 As these aging facilities receive new components for updates, the materials often contain new embedded software from the supplier’s product that could potentially disguise malware as a trusted computer program.10 Furthermore, the digitization of systems has resulted in systems not being completely air-gapped, providing access to hackers to potentially shut down electricity distribution systems.


Cyber attacks on nuclear plant facilities are a huge concern among plant operators and policy makers alike. In 2015, there were numerous cyber attacks against nuclear power plants, water and electric systems in the United States. The FBI and DHS claimed Russian hackers gained access to nuclear infrastructure to infiltrate plants and wreak havoc on the control systems.11 With evidence tied to Russian hackers, it is now clear that foreign attackers have the ability to harm U.S. critical infrastructure systems.12

Increased threats targeting critical infrastructure operators require a systematic and coordinated effort by federal, state and local governments, and private industry to address known vulnerabilities and defend against future attacks. Today’s environment leaves plenty of room for greater coordination.

11 http://globalcyberpolicywatch.com/nuclear-energy-cyber-vulnerabilities/
12 https://www.nytimes.com/2018/03/15/us/politics/russia-cyberattacks.html?mtrref=www.google.com
13 https://olemiss.edu/depts/ncjrl//pdf/StateCybersecurity.pdf
14 https://securityintelligence.com/what-can-we-all-learn-from-the-u-s-department-of-energys-cybersecurity-strategy/
15 https://www.belfercenter.org/sites/default/files/files/publication/Understanding%20Federal%20Cybersecurity%2004-2018_0.pdf
16 http://www3.weforum.org/docs/WEF_GRR18_Report.pdf

III. Federal Cybersecurity Efforts - Overview

Before understanding the role that states play in protecting critical infrastructure, it’s first necessary to review the federal cybersecurity environment. The federal cybersecurity landscape is complex as agencies share responsibility for the protection of the federal and civilian cybersecurity environments. This results in overlapping federal strategies, guidelines, and frameworks that the private sector is left to decipher and implement. DHS’s cyber strategy lays out its two main goals which are to create a safe, secure, and resilient cyber environment and promote cybersecurity knowledge and innovation through risk identification, vulnerability and threat reduction, effective response, and strengthening security.13 Meanwhile, the Department of Energy (DOE) calls for high-quality IT and cybersecurity solutions to improve the cyber posture of energy industries, while also using functions of the NIST Cybersecurity Framework.14 The NIST Framework consists of five core sections to identify, protect, detect, respond, and recover from cyber vulnerabilities.

As a whole, the federal government spends tens of billions of dollars on information technology (IT) and cybersecurity.15 Federal cybersecurity plans either focus efforts on securing IT infrastructure through IT initiatives or on efforts to improve the security of control systems. The Government Accountability Office (GAO) identified four factors of risk facing control systems:

1. Control systems are adopting standardized technologies with known vulnerabilities;

2. Systems are connected to unsecure networks;

3. Insecure connections; and

4. Knowledge of how to use the Supervisory Control and Data Acquisition (SCADA) systems is open to the public.16


In response to this report, DHS developed the Automated Critical Asset Management System to assess vulnerabilities in critical infrastructure, and has made it available for free for states to help develop state-level cyber security policies and best practices. Additionally, the Transportation Security Administration (TSA) at DHS created the cybersecurity pipeline guidelines in 2018, which are voluntary guidelines that the industry is in the process of adopting.17

Beyond providing useful voluntary guidelines, the cyber frameworks and federal-level cybersecurity laws provide strong examples that states can use to improve their cyber postures. For example, the Federal Information Security Management Act (FISMA) codifies and updates the federal government’s cybersecurity practices. By doing so, FISMA provides a clear “model, process and set of security controls” that can improve state and local security management.18 Furthermore, the Cybersecurity and Infrastructure Security Agency (CISA) is responsible for protecting both federal and civilian networks from physical and cyber threats, and provides analysis, incident response, and defense capabilities to the federal government; state, tribal and territorial governments; and the private sector. CISA provides cybersecurity tools and plans that states can use and follow to ensure security and resilience efforts.19 Federal legislation lays the foundation and provides resources for the state and local governments to use.

DHS recognizes 16 critical infrastructure sectors that are of national security importance to the country. Each works to provide specific cybersecurity recommendations, but the reality is that the federal government can’t do this alone and needs the help of its partners at the state and local levels.20 Local governments have limits on cybersecurity efforts based on funding challenges and intelligence limitations. States are now trying to “catch-up” in their cyber efforts and should follow and implement the frameworks already developed by the federal government.

17 https://globalcyberpolicywatch.com/examining-the-authorities-impacting-critical-infrastructure-cybersecurity/
18 https://statetechmagazine.com/article/2018/10/how-states-need-tackle-cybersecurity
19 https://www.us-cert.gov/about-us
20 https://www.dhs.gov/cisa/critical-infrastructure-sectors
21 https://sentinelips.com/wp-content/uploads/2015/11/Pell-Center-State-of-the-States-Report.pdf
22 https://www.nytimes.com/2018/03/27/us/cyberattack-atlanta-ransomware.html

IV. State of the States - Local Government Cybersecurity and the Impact on Critical Infrastructure

States and local governments address their cyber challenges uniquely. According to a Brookings Institute study, 49 out of the 50 states in 2015 had strategic IT reports, but states were lacking in their response to cyber threats. States should, and many do, create comprehensive plans to respond to cyber threats by adopting the NIST cybersecurity framework; creating strategic pathways of authority; conducting threat assessments; and having a framework to respond to cyber attacks.21 Cybersecurity weaknesses at the state level were evident in 2018 when Colorado, Connecticut, and North Carolina were all victims of ransomware hacks. Even worse, Atlanta, Georgia faced a cyberattack that crippled the government for weeks.22 A 2018 Deloitte-NASCIO cybersecurity study found that only 23 states have, or had, cyber task forces, only solidifying the importance of state-level cybersecurity initiatives. While the cyber posture of state and local government needs improvement across the Union, the local governments still play a critical role regarding the cybersecurity of critical infrastructure operators.


American critical infrastructure operators – pipeline companies, financial services companies, communication functions, and more – are mostly privately owned (85 percent), and there is a fine line between too much and not enough government involvement.23 Helping to improve the cybersecurity of these sectors by providing tools, best practices, guidance, and support should be a top priority not just for the federal government but also for state and local governments. State and local governments serve as the first point of contact and form of defense for cyber attacks. States therefore have a responsibility to provide the necessary resources to critical infrastructure operators, while not complicating support through restrictive and prescriptive regulations.

State and local governments can fill the gaps between the federal agencies’ frameworks by tailoring regulation, policies, guidelines, and recommendations to meet the state’s political, economic, and geographic needs. Federal programs like the NIST Framework and the Federal Risk and Authorization Management Program (FedRAMP) are frameworks that states can follow. These frameworks provide standardized approaches to cybersecurity, with FedRAMP focusing on cloud security.24

State and local governments are critical for developing public-private partnerships and fostering a robust information sharing environment that feeds key information to the infrastructure operators. The Multi-State Information Sharing and Analysis Center (MS-ISAC) is a crucial information sharing organization that impacts the prevention, protection, response, and recovery of local governments.25 In addition to ISACs, sector specific councils provide additional information sharing opportunities. For example, the State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC) provides the following functions:

23 https://www.fema.gov/pdf/about/programs/oppa/critical_infrastructure_paper.pdf
24 https://www.fedramp.gov/
25 https://www.cisecurity.org/ms-isac/
26 https://www.dhs.gov/sltt-gcc

• Senior-level, cross-jurisdictional strategic communications and coordination with partnership from DHS to agencies and critical infrastructure owners and operators;

• Participating in planning efforts regarding the development, implementation, and revision of the National Infrastructure Protection Plan (NIPP) and Sector Specific Plans (SSP);

• Coordinating issue management between participants, and coordinating with DHS to support efforts to plan, implement, and execute the nation’s critical infrastructure protection mission;

• Providing DHS with information on state, local, tribal, and territorial-level critical infrastructure protection initiatives, activities, and best practices.26

Participation in the MS-ISAC and other industry-specific ISACs and sector coordinating councils is a critical part of cyber defense for the private sector. Through the private-public partnerships that government partners establish, the critical infrastructure operators are able to provide clear updates and prove the effectiveness of voluntary guidelines that allow industry to be innovative in their cybersecurity protections.

While the federal government provides an umbrella approach to the cybersecurity of critical infrastructure, the states and local government can provide location-specific guidelines and further encourage the adoption of the voluntary guidelines that have already been established at the federal level.


V. State Case Studies

Across the country, states have been implementing a variety of programs to improve state-level cybersecurity and provide better resources for critical infrastructure sectors. To date, 23 states have created a specific group, whether a taskforce, commission, or advisory council, to tackle cybersecurity issues.27 Three states demonstrate different approaches to state-level cybersecurity. However, all three emphasize the importance of information sharing, not just within government, but also with their private sector partners.

Arizona

In Arizona, cybersecurity operations are run between the state government and a nonprofit coalition of businesses and universities. The Arizona Cyber Threat Response Alliance (ACTRA) came out of an FBI program started in the early 2000s to share information about cyber threats between the public and private sectors. ACTRA runs a 300-hour training program with cyber threat curriculum in a real-world simulation and is written directly in their emergency defense program. Beyond the training, ACTRA has a strong emphasis on cyber workforce development, facilitating communication between the tech industry, academia and law enforcement.28 Given the known cyber workforce shortage facing all industries, the focus on developing a pipeline of cybersecurity professionals is a model all states could follow. Furthermore, some programs also conduct discussions on cybersecurity for businesses and universities, in conjunction with the state government, in order to better understand the “state of the state.”29

27 http://www.ncsl.org/research/telecommunications-and-information-technology/statewide-cybersecurity-task-forces636129887.aspx
28 https://statescoop.com/three-ways-state-governments-are-approaching-cybersecurity-well/
29 http://knowledgecenter.csg.org/kc/content/cybersecurity-strategies-across-states
30 https://www.dhs.gov/CISA
31 https://www.newamerica.org/cybersecurity-initiative/reports/cybersecurity-states-lessons-across-america/chapter-2-three-approaches
32 https://nj1015.com/protecting-pope-francis-from-cyber-threats/
33 https://www.newamerica.org/cybersecurity-initiative/reports/cybersecurity-states-lessons-across-america/chapter-2-three-approaches

New Jersey

New Jersey runs their cybersecurity efforts on a more bureaucratic level. The state’s Cybersecurity & Communications Integration Cell (NJCCIC) was modeled after DHS’ Computer Emergency Response Team (CERT) to lead cybersecurity issues at the state level, and for smaller cities and townships that lack cybersecurity capabilities.30 NJCCIC has been recognized as the leader in the state for its four-branch approach to addressing cyber vulnerabilities.31 With the NJCCIC as a full government agency, it further facilitates intra-government communication at the state level. However, as a government agency, it does reduce the two-way information sharing that private-public partnerships can better facilitate.32

Washington

Washington has opted for a multidisciplinary approach to tackling the state’s cybersecurity, by establishing a Chief Information Security Officer who reports to the Chief Information Office, and then sharing other responsibilities among emergency management agencies. The shared services model, beyond demonstrating the importance of effective information sharing, also enables more compliance and visibility across agencies. Furthermore, this model also allows more actors to react and control a situation, should a problem arise.33

Through these three models, states can more effectively provide the key resources necessary to the critical infrastructure operators, i.e. private businesses, to address cyber risks without adding additional regulations.


VI. Constantly Changing Threat Environment

Today’s cyber threat environment is constantly changing, with increasing cyber attacks from non-state actors and foreign adversaries, further prioritizing the need for improved industry and government cybersecurity. Given the increased digitization and connectedness of control systems, operational technology, and IT systems used across critical infrastructure sectors, improving cybersecurity is essential to the economy and continued safety of the homeland.

The changing threat environment provides a constant challenge to the cybersecurity professionals managing the day-to-day security. However, the federal government provides useful frameworks and voluntary guidelines that have already been shown to improve industry cybersecurity. Furthermore, state and local governments can use the same frameworks to localize them to meet the specific needs of the locality. States and local governments are also a key component in the information sharing environment needed to ensure that all parties are aware of the threats facing the industries today, and the resources available to mitigate attacks.

The individuality of each state and local government strengthens the nation’s cybersecurity posture. In order to continue protecting this, the guidelines and frameworks established at all levels of government must remain flexible to allow for individual responses to cyber threats. While states should provide resources specific to the state’s unique requirements, the 16 critical infrastructure sectors, and the operating companies within, face different challenges on a daily basis. Cybersecurity solutions are not one-size-fits-all, and shouldn’t be, which must be remembered as states and critical infrastructure sectors work to improve their cybersecurity postures.
