Securing operational technology and IoT has just received a new compliance push as the DoD targets small businesses in its mandate for Cybersecurity Maturity Model Certification (CMMC). Katie Arrington, special assistant for cyber to the Assistant Secretary of Defense for Acquisition within the Office of the Under Secretary of Defense for Acquisition and Sustainment, and others have pointed out that top nation states are targeting smaller companies, necessitating the initiative. This need to support small businesses with CMMC did not go unnoticed by Steve Seiden, CEO of Acquired Data Solutions (ADS), who is providing new cyber offerings by blending the experience and expertise his team has developed in engineering OT solutions for the federal market with new SMEs who made their bones securing our nation’s critical infrastructure. He and his team have learned the importance of ensuring cyber is considered in all phases of the engineering services his company provides. Read the interview below to learn about the evolution of ADS into a cyber engineering company and its new offerings to secure OT.
Spotlight on Mr. Steve Seiden
» Title: CEO, Acquired Data Solutions
» Website: https://acquireddatasolutions.com/
» LinkedIn: linkedin.com/in/steve-seiden-012965
Read his bio below.
Chris Daly, Active Cyber™: Please provide some background on Acquired Data Solutions (ADS) and your key areas of market focus and technical capabilities.
Steve Seiden, CEO, Acquired Data Solutions: ADS has its origins in, and a 20-plus year history as, an engineering testing company with a specific focus on federal government Operational Technology (OT) environments and equipment suppliers. OT environments include systems or platforms that employ computing resources (i.e., hardware, firmware, and software) that are physically embedded in, dedicated to, or necessary in real time for the performance of the operational mission. Examples of OT systems that are addressed by ADS include weapons systems, training simulators, diagnostic test and maintenance equipment, calibration equipment, security systems, medical technologies, transport vehicles, buildings, and utility distribution systems, such as water and electric.
Our success over these 20+ years can be attributed to our ability to adapt offerings to market changes and to address dynamic technology and regulatory impacts on our customer base. The current pivot, which has been a two-year evolution, has been focused on the introduction of cyber threat and security automation into our customers’ OT environments due to OT/IT convergence in the market.
Traditionally, safety has been the primary constraint of OT systems, largely driven by the stability of the systems. Cybersecurity has been a secondary consideration for OT systems, if it has been considered at all. Legacy OT systems do not typically contain the standard security controls now implemented in many IT systems, such as cryptography or auditing. This is changing, however, with the integration of IT technology and the adoption of standardized IT networking protocols into OT systems. These changes have added new attack vectors for OT systems that increase safety concerns. These concerns have not gone unnoticed, as DHS and NSA have both recently stood up new directorates with a special focus on securing our critical infrastructure from cyberattacks. In addition, a recent survey found that:
“Half of respondents said they had experienced an attack on their OT infrastructure that resulted in downtime of the plant and/or operational equipment. Many organizations also admitted suffering significant business disruptions and downtimes as a result of cyberattacks.”
Another survey found that:
“… risk is worsening, with potential for severe financial, environmental and infrastructure damage,” Siemens and the Ponemon Institute wrote in the report, also noting further down that “the risk that cyber attacks pose to the OT environment is increasing in frequency and potency as malicious actors’ ability to accurately target critical infrastructure assets improves.”
Our efforts at ADS have centered on developing a cyber testing capability, and integrating the OT functional testing methodology with cyber requirements, so that now there is a full system life cycle approach that integrates cyber. The following chart highlights our expertise and offerings to address the cyber threat for OT.
Active Cyber™: How is the new DoD announcement around Cybersecurity Maturity Model Certification affecting your business?
Seiden: The proposed DoD Cybersecurity Maturity Model Certification (CMMC) maps cyber processes and controls standards such as NIST SP 800-53A Rev. 4 across several maturity levels from basic cyber hygiene to advanced. It is intended to be a cyber compliance standard that is cost-effective for small DoD suppliers and integrators to implement at the lower CMMC levels. According to the recent announcement by DoD, the model’s inclusion in DoD contracts will be a “go/no go decision.” Therefore, we see CMMC as an opportunity area to assist our customers in getting prepared to achieve compliance with CMMC and the increasing frequency of NIST RMF requirements in RFPs for systems developed for DoD and other agencies.
CMMC establishes security as the foundation by which companies may be awarded business with DoD. With tight timelines to get compliant, starting in 2020, we expect a high level of customer interest in our integrated cyber/OT testing offering and tooling, such as CyberEvidence, which is designed to demonstrate compliance to cyber standards.
CyberEvidence is an automated penetration and functional testing tool for devices and systems that may be used by designers, integrators, and testers. Our customers want evidence that their devices and systems are secure and safe; that the existing controls are working. The “evidence” generated supports identifying gaps to be reviewed for risk mitigation actions. This is the type of information that CyberEvidence can provide.
Active Cyber™: What is the present state of the CyberEvidence tool and how do you see the tool evolving?
Seiden: CyberEvidence is part of the ADS Cyber Resiliency Suite. This evolving suite consists of security test and instrumentation tools and services designed to provide evidence of compliance to cyber security standards across the system life cycle. The suite consists of the following capabilities:
- CyberAssurance is a service offering that applies attack/fault tree modeling and analysis to assess cyber risks.
- CyberCertainty is a tool that automates parts of the CyberAssurance assessment process.
- CyberEvidence utilizes an automated Cyber Resiliency test platform, built on National Instruments (NI) hardware and LabVIEW, to provide the test results to show both the weaknesses and the compliance results.
- CyberFix is a service offering to design countermeasures and safeguards that reduce cyber risks.
- CyberCompliance is a reporting tool that shows how your device or system is compliant to the particular standards or certifications.
The goal is to eliminate or minimize negative consequences of vulnerabilities in an OT system due to a cyberattack or a non-cyber technical fault in the operation of the device or system. Often the negative consequences of a cyberattack can be avoided if systems are maintained and updated with appropriate patches. Most of the vulnerabilities that are impacting our nation’s critical infrastructure are known, reported vulnerabilities that, if identified, have a patch, update, upgrade, or safeguard available to prevent or mitigate harm. When a patch does not yet exist for a particular device or system, then applying other cyber mitigation techniques will usually be cost effective for achieving compliance.
Our current target focus for the suite is the U.S. military, which is leading the way in cyber resiliency. The military’s mission was the first to feel the impact on its cyber-physical systems due to an increasingly connected and adversarial world. We are also targeting the commercial industrial control system (ICS) / internet of things (IoT) and medical device spaces, as these market segments are now feeling the impact as well, mainly through the impact on safety due to a cyberattack. We are seeing these requirements emerge in agencies such as NRC, FDA, and DHS as they try to get a handle on their OT cyber exposure.
For the commercial space, we can configure our CyberEvidence tool to test IoT devices for compliance to the CTIA Cybersecurity Certification Test Plan for LTE-Enabled Devices. Initially we are targeting carriers who need this certification. CTIA is a non-profit industry organization that represents U.S. wireless communications carriers and equipment manufacturers, mobile app developers and content creators. The IoT markets have an enormous need for improving their security posture.
The CTIA Cybersecurity Certification Program helps establish foundational security standards for LTE and Wi-Fi enabled IoT devices, including the IoT ecosystems for smart homes, smart cities, mobile healthcare infrastructure, connected cars and personal devices.
Active Cyber™: Why are you using the National Instruments platform as the foundation for your CyberEvidence tool? What advantages do you achieve from using this platform?
Seiden: NI provides a multifunctional data acquisition test platform that can combine cyber penetration and functional testing on the same platform. CyberEvidence assesses vulnerabilities and tests compliance through the NI interface to the unit under test (UUT). NI’s modular platform easily allows for customizing the interfaces to those that are required for the specific UUT, so testing across multiple different devices is cost effective. NI’s platform also allows for upgrades to the UUT or a new interface technology. This makes the CyberEvidence tool simple to maintain and operate.
Active Cyber™: NIST recently released a final public draft called SP 800-160 Vol. 2 (DRAFT), Developing Cyber Resilient Systems: A Systems Security Engineering Approach, which details a cyber resiliency engineering framework (conceptual framework) for understanding and applying cyber resiliency, a concept of use for the conceptual framework, and specific engineering considerations for implementing cyber resiliency in the system life cycle. What approaches and offerings does ADS provide to address the needs of cyber resilient systems?
Seiden: Cyber resiliency is a concept that is applicable to all industries as they take on cyber security issues. Cyber resiliency incorporates requirements across multiple disciplines including cyber security, safety, survivability, and evolvability of systems, along with the basic functions of the system. A system designed with the goal to be resilient must extend functional testing to these other disciplines. And each of these disciplines has trade-offs that need to be considered in all system developmental life cycle phases. For example, for many OT systems, safety will generally always trump security. Therefore, if an ICS is under cyberattack, it must continue to operate safely even if the operation is degraded by the cyberattack.
At Acquired Data Solutions (ADS), we have been tracking this evolution of cyber-physical systems towards resiliency and increased interconnectivity to evaluate the impact of these changes to test and measurement equipment. We have integrated cyber resiliency testing capabilities into our Cyber Resiliency Suite and continue to extend these capabilities.
Active Cyber™: What are your final thoughts about achieving compliance for OT systems?
Seiden: Preventing a cyberattack should be the first priority for any business that sells or operates OT systems, but adversaries are continuously finding new methods and vulnerabilities. Sustaining operations after an attack is always difficult and may take months to recover, impacting the efficacy of your business. Implementing cyber resiliency is becoming an imperative to ensure your business can quickly resume normal operations after any attack. This means integrating security standards within the OT system architecture, design, implementation, testing and the operational environment, using the disciplines discussed. ADS can help you prepare for compliance with NIST RMF, DoD CMMC and future cyber resilience standards to support your critical business needs.
We are seeing new contracts from our clients in the OT and OT supply chain, who are seeing an increase of cybersecurity requirements in Request for Proposals (RFPs) and preparing their organization to be compliant with CMMC.
Thank you everyone for joining us.
Thank you Steve for sharing your views on OT security and the impact your CyberEvidence offering is having on combatting cyber attacks on our critical infrastructure. I look forward to seeing how the roll-out of CMMC will affect those small businesses doing work with DoD. I am sure with assistance from companies like yours, these businesses will find the path to compliance a less painful process, while providing the improvements to security that our critical infrastructure needs to meet the threat of nation state attacks. And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing ICS / IIoT and IoT systems, or other emerging technology topics such as augmented reality and spatial web. Also, email firstname.lastname@example.org if you’re interested in interviewing or advertising with us at Active Cyber™.
About Mr. Steve Seiden
Steven Seiden is the founder and President of Acquired Data Solutions, Inc., a threat management, test and evaluation, and engineering services firm based in Rockville, Maryland. ADS has served several federal agencies including the Transportation Security Administration (TSA), and federal contractors including Northrop Grumman, TASC, and SAIC. ADS has an extensive background in automated test equipment (ATE), industrial data acquisition, and hardware development, including embedded systems and integration. Over the past ten years, ADS has expanded its services to include RF spectral capture and emulation, acoustic and vibration monitoring, RF EMSEC/EMI testing and measurement, and data acquisition and control systems in the fields of electronic warfare, medical devices, energy, and transportation. Mr. Seiden is also a certified Developer and Instructor for National Instruments, where ADS is a Silver Alliance member.