The Biden administration’s recent cybersecurity executive order, which calls for leveraging federal buying power to ensure that software products purchased by government agencies are more secure than ever, will benefit the market not just for software behind information technology but also for industrial control systems, an official on the White House National Security Council said on Thursday.
Even though the executive order isn’t directed at operational technology (OT), the directive will ultimately benefit the security of software that is critical to industrial control systems in two ways, Jeffrey Greene, acting senior director for Cybersecurity at the NSC, said during a panel discussion hosted by the Center for Strategic and International Studies (CSIS).
The first, he said, is by improving the security of IT systems through requiring federal agencies to purchase software that meets security standards developed in line with mandates in the directive. As an example, Greene highlighted the ransomware attack disclosed earlier this month by pipeline operator Colonial Pipeline, pointing out that “as we know now, or currently understand it, a purely IT event that caused the shutdown on the OT side because of legitimate concern that the threat could jump.”
Colonial Pipeline’s temporary suspension of its pipeline system led to fuel shortages along the East Coast.
The second way the cyber directive will strengthen the security of OT, which refers to the control systems that power the machinery of industrial systems inside of water utilities, electrical grids, and other critical infrastructures, is through federal purchases of software that runs control systems, Greene said.
“We buy SCADA software, so, that software is going to have to be built to the security standards that we put out there generally speaking,” he said. “So, I think this will help in the same timeline that it helps IT security it will help control system software security.”
SCADA refers to supervisory control and data acquisition, a system of software and hardware that controls industrial systems.
Greene and other panelists representing industry pointed out that if the federal government leverages its buying power to force companies into building security into software upfront rather than later through patching, companies are more than likely to create secure software products for all their customers, not just the government.
Kelly Bissell, global security lead for Accenture [ACN], told the panel that if the government changes its purchasing requirements to incentivize the development and purchase of secure software, “it will bleed very, very quickly into the private sector because…you’re not going to have two different versions of the product.”
Prior to the panel discussion, Anne Neuberger, the deputy national security advisor for Cyber and Emerging Technology on the NSC, told the CSIS audience that the development of the cybersecurity executive order included “input and ideas” from the private sector, which pressed home the theme that the government can influence the market for secure software through its acquisition requirements.
“And one key piece we heard again and again was there’s such a missed opportunity to use federal procurement to drive a secure market, and that’s really what we try to set here,” Neuberger said. “And, looking at federal acquisition, to say across the federal, DoD, let’s put that in place.”