From Critical Infrastructure to Elections to Autos: Management of Cyber-Risk Takes Center Stage

There were two major cybersecurity summits in the USA this past week, but only one central message. Whether talking elections and a new DHS risk management center in New York City or discussing cars and trucks and autonomous vehicles in Detroit, cyber-risk management took center stage.

by / August 5, 2018

At a Cyber Summit in NYC this past week, the Department of Homeland Security (DHS) announced that they are establishing a new joint center to provide a centralized home for collaborative, sector-specific and cross-sector risk management efforts to better protect critical infrastructure. The fact sheet regarding this new DHS Center can be seen here.

Here is a quick summary of key points regarding the National Risk Management Center, which will create a cross-cutting risk management approach between the private sector and government to improve the defense of our nation’s critical infrastructure.

  • The center, housed within DHS, establishes an organizational approach to integrate risk management activities, perform joint strategic planning, and most importantly, develop collaborative solutions to reduce risk to critical infrastructure.
  • The National Risk Management Center will: identify, assess, and prioritize efforts to reduce risks to national critical functions, which enable national and economic security; collaborate on the development of risk management strategies and approaches to manage risks to national functions; and coordinate integrated cross-sector risk management activities.
  • The National Risk Management Center’s mission is to provide a simple and single point of access to the full range of government activities to mitigate a range of risks, including cybersecurity, across sectors.

Here are some of the media top stories from the NYC Summit:

  • Wired magazine: DHS Will Shore Up Cybersecurity For America’s Infrastructure“At a cybersecurity summit Tuesday, Homeland Security secretary Kirstjen Nielsen announced the creation of the National Risk Management Center, which will focus on evaluating threats and defending US critical infrastructure against hacking. The center will focus on the energy, finance, and telecommunications sectors to start, and DHS will conduct a number of 90-day “sprints” throughout 2018 in an attempt to rapidly build out the center’s processes and capabilities.”

Also on Tuesday, senators Maggie Hassan (D-New Hampshire) and Rob Portman (R-Ohio) announced a bill to that effect. The so-called DHS Cyber Incident Response Teams Act of 2018 seeks to establish permanent “cyber hunt” and “cyber incident response” teams within DHS. These groups would work on cybersecurity defense for federal agencies and private entities and help respond to incidents.

"By encouraging private sector collaboration with the cyber response teams, this bill will help leverage the expertise of both the public and private sectors to help prevent cyberattacks from happening in the first place and mitigate the impacts when they occur," said Hassan in announcing the bill; the House of Representatives already passed its version several months ago.

  • SC magazine: DHS unveils National Risk Management Center, Nielsen says election interference won't be tolerated“Reiterating that Russia interfered with the 2016 presidential election, Department of Homeland Security Secretary (DHS) Kirstjen Nielsen Tuesday stated the U.S. “will not tolerate this meddling” and announced the creation of a National Risk Management Center that will "identify, assess and prioritize efforts to reduce risks to national critical functions which enable national and economic anxiety."

Speaking to cybersecurity pros attending the DHS Cybersecurity Summit in New York, Nielsen said, “A Category 5 hurricane has been forecast. And now we must prepare."

  • Politico: All the news, big and small, from the DHS cyber summit“The DHS cyber summit in New York on Tuesday offered plenty of news, whether on stage or in chats with reporters prowling the hallways and imploring folks on what comes next. On stage, Vice President Mike Pence was in campaign mode, ripping into the Obama administration over its “silence and paralysis” on cyber threats while saying the Trump administration is giving Americans “the strongest possible defense.” Secretary Kirstjen Nielsen warned that the next major attack on the homeland is more likely to be online than physical. She announced two new initiatives, the National Risk Management Center and a supply chain task force. …”

2nd Billington Global Automotive Cybersecurity Summit in Detroit

Just a few days, later on Friday of this past week, another cybersecurity summit was held in Detroit to discuss our autonomous future and cybersecurity in connected vehicles now. Wardsauto.com reported:

“As General Motors moves toward its vision of zero crashes, zero emissions and zero congestion, GM President Dan Ammann says the automaker and its Cruise self-driving vehicle unit now are investing substantial resources to protect all of the company’s products from hackers.

Moreover, the entire automotive industry has a stake in cybersecurity as it moves toward an age of autonomous vehicles, Ammann says.

‘Autonomous vehicles can provide a major benefit to society,’ he says.

But one incident involving a security breach in an autonomous vehicle could cripple the future development of AVs at every company, Ammann says.

GM’s effort begins with a commitment to hiring more technical talent to address the challenges. In addition, GM engineers every vehicle to protect against cyber threats from the ground up.”

According to Automotive News: "We need robust risk management processes and a cybersecurity culture" that works to identify vulnerabilities and risks, said Heidi King, deputy administrator of NHTSA. "It's about anticipating the unexpected and being ready."

Keynote speeches were given numerous industry leaders and government leaders. Here are four keynotes — from Sec. Michael Chertoff, GM President Dan Ammann, U.S. Sen. Gary Peters from Michigan and NHTSA's Heidi King keynote, Is Cybersecurity Standing in the Way of Public Confidence? — who discuss cybersecurity from a risk management approach.

Former Department of Homeland Security (DHS) Secretary Michael Chertoff

 

GM President Dan Ammann on Auto Cybersecurity — “Safety and Cybersecurity Are One and the Same”

 

U.S. Sen. Gary Peters Keynote Congressional View on Automotive Opportunities and Issues Facing Congress

 

Deputy Administrator Heidi King from the National Highway Traffic Safety Administration (NHTSA) on: "Is Cybersecurity Standing in the Way of Public Confidence?

 

What Does Management of Risk Look Like in a Cybercontext?

So what exactly is risk management — and how does it work in the context of cyberthreats?

There are a variety of approaches for managing cyber risk. One IBM approach, which is outlined by DefenseSystems.com here, is called PRISM. This stands for "Prioritize, Resource, Implement, Standardize and Monitor."

According to their report, implementing PRISM is a multi-step process:

  1. Assess the likelihood of an attack and the impact of damage across the enterprise and prioritize major risk areas and attack vectors.
  2. Annually review individual cyberfactors to determine the agency’s current stage of preparedness and responsiveness to risk 
  3. Examine and rate the resource allocations to reducing cybersecurity risk.
  4. For each risk area, assign a risk score and a preparedness level.
  5. Recommend improvements for each component of the PRISM model, standardize solutions and monitor for compliance.

Other cyber-risk management details were described by many of the sessions at these two cybersummits — but the topic kept surfacing with almost every speaker. I encourage readers to examine the session outcomes and detailed reports. Also, watch these remarks from our nation’s top leaders on YouTube, which provide a good snapshot of where we are on these important cybersecurity issues.

Closing Thoughts

I think several milestones were accomplished this week at these two cybersummit events. A common message at both events: A focus on risk management when measuring cybersecurity protections is vital.

I participated in the 2nd Billington Global Automotive Cybersecurity Summit as a main session panel moderator. Just as in 2016, I felt a sense of urgency regarding cyberchallenges facing our nation and the world in areas ranging from elections, to cars, to every part of critical infrastructure. The supply chain cyberproblems are immense, and it is clear that more needs to be done by both the OEMs and the suppliers.

Another thing is clear, stronger public-private partnerships must be forged to share real-time cyberthreat information and intelligence. The private sector is stepping up in the critical infrastructure areas, and so DHS is creating a new risk management center and action plans.

While progress is clear, there will certainly be security setbacks. Just a few weeks ago, a large data breach exposed trade secrets of carmakers GM, Ford, Tesla and Toyota when a publicly available server at Level One Robotics was accessed by a researcher.

These cybersummits offer a helpful glimpse of where we are as top industries in protecting are most vital national businesses, infrastructures, assets and people in the summer of 2018.

Watch and learn — and get engaged now.