Fortinet CISO on securing critical infrastructure: ‘We can no longer bring a knife to a gunfight’
Earlier this year Fortinet hired its first chief information security officer (CISO). The timing makes sense, as the company has grown into a leading security vendor with an integrated security fabric vision that few competitors can match.
As Fortinet continues to expand its presence in the federal and critical infrastructure markets, CISO Philip Quade brings the credentials and background needed to help lead the strategy. Prior to joining Fortinet, Quade was the NSA director’s special assistant for cyber and chief of the NSA Cyber Task Force. Before that, he was chief operating officer of the Information Assurance Directorate at the NSA.
I recently talked with Quade regarding his new role and the challenges the United States and businesses in general face with respect to security.
Can you describe the state of critical infrastructure?
Quade: Some of the most talented and sophisticated people I know are technologists and operators within the critical infrastructure sectors. And to date, they have architected and operated these systems admirably. But we can no longer “bring a knife to a gunfight.” Many of the technologies being used were not designed with security in mind. There are 16 critical infrastructure sectors that have been cited as vital to our nation. Their disruption or incapacitation would have a debilitating effect on economic stability, national security, public health and safety. These sectors include financial services, energy, water, transportation, communications, chemical, dams and emergency services.
Fortinet CISO Philip Quade
Unfortunately, the critical infrastructure security challenge has not been solved as of yet. The reasons are two-fold: First, the scope/scale of the problem means it’s difficult to decide where to start and to understand what “finished” looks like. Second, no one person or organization owns the problem. Critical infrastructures are primarily owned and operated by diverse private sector organizations.
You mentioned that securing the critical infrastructure segments has stood still for a number of years. Is the problem moving sideways, or is it getting worse?
Quade: The problem has definitely gotten worse. To comprehend the magnitude, one must understand how the overall risk has changed. Today the combination of threat, vulnerability and consequences is off the charts.
- The negative consequences of compromised critical infrastructures, such as a disruption to energy availability or tainted water, are as severe as ever.
- Threat actors have become more sophisticated, and they are more able and willing to execute threats against critical infrastructure.
- The vulnerability or attack surface has greatly increased due to the inexorable integration of operations technology (OT) with information technology (IT).
How do organizations adjust their security strategies?
Quade: As these challenges continue to escalate, it’s critical that security and business leaders recognize that business as usual is not enough and a new approach is needed. Here are some guiding principles that are top of mind for me in this new era of security we have entered:
- The industry needs to look at this as a problem that can only be solved over time. We need to establish a multi-year planning and action horizon and steadily march toward it. Rushing into this and trying to solve it overnight will just lead to more problems.
- It’s also key to identify the specific bad consequences that we want to avoid, and engineer them out of our systems.
- By creating automated information-sharing standards and mechanisms, we can better help identify and mitigate the risks due to the dependencies among infrastructures.
- The establishment and practice of private-public partnerships is key for innovative solutions to be shared and for muscle-memory (e.g., relationships, procedures) to be established during normal conditions that can be flexed during times of crisis.
- The industry needs to appreciate how control systems—the types of technology used in many of the sectors—are fundamentally different from those used in IT systems. There is an inherently different approach to securing physical systems (i.e., those not focused on sending bits and bytes) that the application of better IT alone will not address.
- The industry needs to break down the walls between security disciplines, since comprehensive critical infrastructure security requires a fusion of diverse strategy, talent and technology that crosses physical, information and operational security communities.
Thanks for those. It’s a lot to take in. Can you provide some direction on how to get started?
Quade: The journey of a thousand miles starts with a single step. From a national perspective, addressing these challenges requires a handful of action-oriented, altruistic thought leaders and stakeholders who share a common vision of a more secure and resilient critical infrastructure posture to collaborate and develop some meaningful steps to implement this new approach.
At Fortinet, we are using thought leadership exchanges to bring together resources and programs of stakeholders around the most critical, immediate efforts for risk mitigation, while formulating mutually beneficial visions and plans for long-term challenges with common gaps.
In addition to starting specific initiatives, we’re advocating for senior leadership in both government and industry to act on prioritized problems based on actionable knowledge that provides context through both informed analysis and sharing, by leveraging those resources and authorities within their span of control. This voluntary, collaborative effort of the now-informal, security-focused critical infrastructure consortium seeks to use integration and influence instead of control to achieve these goals.
The initial focus areas of the consortium are:
- Consequence-based engineering. We need to focus on “bad consequences to avoid” and engineer those consequences out from the realm of possibility. Focusing primarily on the usual suspects and actor intent ignores the unexpected and time-varying nature of threat. Establishing pilots that assume penetration by persistent actors and formulating standards, requirements and objectives can drive more effective, consequence-based engineering.
- Automated information sharing. An information-sharing architecture that works for OT-centric infrastructure is required to enable contextual exchanges across critical infrastructure entities at cyber-relevant speed. This requires strategic technical analysis in advance of threat alerts, rather than just post-event analysis when time and expertise are limited.
- Rethink the workforce. The design of future critical infrastructure solutions cannot separate OT, IT and physical security methods. Creating and scaling a guild model across security disciplines can inform existing workforce initiatives, create new ones where needed, and identify scalability and culture change solutions.
- Sharpen a common vision for securing critical infrastructure. Where needed, we need to establish informal or formal governance constructs that can provide oversight and assistance, and encourage participation and compliance.
Any other thoughts you would like to share?
Quade: It’s hard to overstate how big this issue is. Critical infrastructures are the icons of democracy everywhere. Their security is democracy’s security. By coming together in innovative ways to address this challenge, we ensure that organizational lines do not entangle our rising to the challenge. Addressing this challenge is fundamental to ensuring and maintaining our economic competitiveness, national security, privacy and civil liberties, public safety, and our enshrined value of the unfettered pursuit of happiness.