Follow the healthcare (HITRUST), payments and retail industries (PCI DSS), and self-regulate while you still can.
By: Garret Grajek, CEO, YouAttest
It’s a story that’s swept the world – a cyberattack hit the Colonial Pipeline, halting the lifeline of gasoline and jet fuel flowing from Houston, across the Southeast, and up through the East Coast to New York/New Jersey.
We know the basics – a ransomware attack in the IT network forced the shutdown of the pipeline. The flow of fuel halted. Increasingly dire news stories were augmented with citizen journalists’ and social media content – such as videos of fist fights at gas stations lines and pictures of people hoarding gas in 10-15 plastic gas containers and even in plastic shopping bags.
Grim predictions by experts on imminent potential impacts on air travel and the nation’s supply chain led to the company’s ransom payment of approximately $5 million in Bitcoin.
It has all become part of the American psyche.
Would the same have happened in an internet controlled by the government for ICS (Industrial Control Systems) – e.g. in China or Russia? Probably not – or certainly not without a lot more time, investigation effort and immediate consequences.
Colonial Pipeline, like virtually all of America’s electric, fuel, water and other ICS systems, is on the public internet – and susceptible to the cyberattacks that we have seen in every other industry. These attacks start with password hacking, email phishing, software supply chain attacks, attacks on weak 2-factor authentication, the wide use of default admin credentials, etc.
Every tactic that attackers have learned in their cyber assaults on our banking, healthcare, financial, manufacturing and consumer goods and service companies is now being turned against our ICS systems.
Is the solution to put all ICS systems on some exclusive and reserved internet system like the SIPRNet (Secret Internet Protocol Router Network) that the US Department of Defense and the US Department of State use to transmit classified information?
Possibly. But maybe ICS can borrow an idea and mechanism that other sectors of private industry have used so successfully when hacked, to thwart further attacks and avoid government interference in their IT infrastructure and communications.
Take the retail industry: it worked with the payment card industry to come up with self-governing standards, eventually called PCI DSS, in response to the notorious TJX hack. The retail industry was woken up by what was at the time an industry-shaking attack – TJX lost 80 GB of data and 93 million customer credit records. The hack was eventually discovered to be due to the use of unencrypted Wi-Fi. Attackers had simply parked next to the building and obtained access to the corporate network, in what seems today to have been an unbelievable security lapse.
Thus the payment industry leaders – American Express, Discover Financial Services, JCB International, Mastercard and VISA – worked together and created PCI DSS 1.0 in December 2004. In 2006, the group introduced v1.1, called for merchants to establish baseline security mechanisms, including firewalls, and created the PCI Security Standards Council (PCI SSC), an independent group that would oversee the standards moving forward.
The latest PCI DSS update went into effect Jan. 1, 2019. PCI-DSS 3.2.1 now stipulates 12 major requirements that a merchant must meet in order to be PCI-DSS certified to handle credit card transactions. These include sections on password policies, network encryption, data encryption, application firewalls and reviews, identity policies and reviews, and access monitoring and policies on access.
PCI-DSS has been a self-regulating body since 2006 and has been a functional example of an industry addressing security breaches and fraud without overt government interference and regulation.
Another example of an industry addressing its own IT security issues is the HITRUST standard – required by all major US healthcare payers. HITRUST invokes stringent IT Security guidelines, just as PCI-DSS does for merchants, but instead it covers health care providers.
HITRUST was an industry reaction to what many saw as weak compliance regulation stemming from the US government’s 1996 Health Insurance Portability and Accountability Act, or HIPAA.
HITRUST spells out what is mandated of providers in a CSF, a Common Security Framework. The HITRUST CSF has 19 control categories, including Information Protection, Endpoint Protection, Wireless Protection, Access Control and Audit Logging & Monitoring.
Enterprises that want to be proven as HITRUST compliant must conduct a HITRUST CSF assessment proving full compliance with the 19 control categories.
It’s important to understand that HITRUST is not enforced by law, but is instead required by many large healthcare companies for any entity wishing to transact healthcare data and PHI (Protected Health Information) across the internet with them. It was developed and is maintained by the healthcare industry to ensure security and promote collaboration.
This seems to be the logical path for the ICS industry – to come up with its own CSF that is relevant to the systems and controls used by the electrical, fuel and hydro industries. It can be based on the US’s NIST 800-53 rev 5 CSF (cyber security framework) and take input from both the industry-based PCI-DSS and HITRUST standards to come up with an IT Security framework that meets the ICS industry’s needs.
The time to act is now. We in cybersecurity are standing by to help.
About the author:
Garret Grajek, President and CEO of YouAttest, is a certified security engineer with almost 30 years of experience in information security. Garret is recognized in the industry as a security visionary in identity, access, and authentication matters. He holds 13 patents involving x.509, mobile, SSO, federation, and multi-factor technologies. He has worked on security projects for major commercial accounts including Dish Networks, Office Depot, TicketMaster, Oppenheimer, E*Trade, HP.com, and public sector accounts such as GSA, U.S. Navy, EPA, and USUHS. He has been consistent in staying ahead of the curve in identity projects including authentication, continuous identity assurance, and now auditing.
Maureen MacGregor, Madison Alexander PR for YouAttest