Why funding small security firms to provide nationwide support to all cooperatives and small asset owner operators makes sense for critical infrastructure security
America faces a national security challenge with its smaller critical infrastructure owners and operators, such as farmers, electric cooperatives, and water or wastewater cooperatives. While their footprint, staff, and number of customers are individually smaller than those of a larger industrial commercial company or utility, their numbers across each county and state nationwide reach the thousands. Often, these small owners and operators have a staff of 5 full-time employees managing everything from control systems to billing and ERP systems. They have no in-house, full-time security or technically trained staff to do the following:
- Ongoing security assessments
- Annual or quarterly penetration testing
- Threat and attack mapping
- Configuration, change, and vulnerability management
- Factory or site acceptance testing (FAT/SAT)
- Systems security engineering
- Threat intelligence and active continuous monitoring
- Incident response and system or equipment recovery
- Day-to-day systems administration
Cost is another hurdle these companies face. They usually cannot afford to pay larger security firms or Managed Service Providers (MSPs) to ensure ongoing, year-round support. Even larger owners and operators can usually only afford a security team of 1 to 3 people in most cases. Those 1 to 3 people typically have limited specialized security experience with embedded devices and control systems, along with their components, protocols, conduit types, and applications. The budget to get that limited 1 to 3 person staff professionally certified and trained in specific security skills for specialized digital and electromechanical equipment is also often out of reach.
The solution then becomes allocating much of the funding from EPA, DOE, USDA, state, local, and county governments to a central, small, and specialized security firm. The firm would provide well-trained, certified, and sometimes lower-cost staff, along with tools, to service all the small asset owners and operators nationwide. This enables mutual critical infrastructure cyber assistance between each of the small owners and operators. This especially applies to cooperatives because the dedicated small firm would have experienced staff who have done some of the following:
- Walkdowns and boots on the ground technical assessments
- Managed and configured devices
- Provided regular monitoring and collaboration with government
- Offensive penetration testing
- Factory and site acceptance testing
- Systems security engineering
This work would be completed across each region using open-source, lower-cost, smaller-footprint tools. These could be securely linked back to a read-only security operations hub that provides an interface to government (e.g. CISA JCDC, EPA, DOE, USDA), state fusion centers, and community ISACs (Water-ISAC, E-ISAC).
AIT has the national security, mission assurance, intelligence, engineering, critical infrastructure, IT, and ICS OT experienced and certified staff to take on such a mission. At AIT, we would use the funding from federal, state, and local government to:
- Customize, deploy, and maintain security testing, configuration, administration, and monitoring tools
- Provide regular quarterly and annual boots on the ground penetration testing and assessments
- Provide threat and attack mapping, and road maps for improving not just individual small cooperatives but entire regions across states nationwide
- Help better inform investments from a boots on the ground perspective
- Hire, train, and certify new, lower cost talent. These individuals would reside within and be willing to travel across each state to protect the farms, water cooperatives, electric cooperatives, and adjacent interdependent infrastructures within smaller rural areas throughout all 50 states of America and applicable territories.
Rather than scattershot approaches that have yet to scale across the country, we believe a new approach to the funding should be taken. Greater leverage of lower-cost customization of existing and new open-source tools, and a heavy focus on new dedicated staffing, should receive a significant investment from federal, state, and local funding programs.
AIT stands ready to provide such services to our communities nationwide for an often-underserved area of America’s critical infrastructure. We believe we are uniquely the right size and well positioned to scale to support the mission much more than larger firms or product vendors. We encourage both government and small asset owners and operators to reach out to AIT’s Cyber Mission Assurance Capabilities (CMAC) ICS OT security team at firstname.lastname@example.org to learn more about how AIT can help. We are always happy to share our ideas and offer our services in the fight to protect America’s most vital resources and infrastructures no matter how small they may seem. We encourage you to share these ideas with your legislators, regulators, sector administrators, peers, and other stakeholders.