Cybersecurity: Brian Harrell

Prepare, Protect, Respond

Fortnightly Magazine - November 1 2019

PUF's Steve Mitnick: Tell us what your role is.

Brian Harrell: I am the Assistant Director at CISA, the U.S. Cybersecurity and Infrastructure Security Agency. While the name is relatively new, we've been around a long time. We're formerly known as the National Protection of Programs Directorate or NPPD, which was a headquarters function within the Department of Homeland Security (DHS).

In November 2018, we finally became an operational component within DHS, so that has given us a lot of operational autonomy and some authorities to engage private industry to do physical security, cybersecurity, emergency management, and some of those aspects of response and recovery. I was appointed by the President to be the sixth Assistant Secretary for Infrastructure Protection in November, prior to the agency name change.

In terms of our role for cybersecurity with the electricity industry, first and foremost, we work closely with the sector specific agency, which in this case is the Department of Energy. I work with Assistant Secretary Karen Evans, my counterpart.

We work hand-in-glove when things go bump in the night. When utilities are struggling with a malware issue, cybersecurity vulnerabilities, physical security events, emergency management, and response and recovery issues, we are there in their time of need. When it comes to providing subject matter expertise, we provide mitigation strategies, assessments, exercises, and critical information sharing that assists response and recovery.

We're not here to tell anybody what to do or how to do it, but we have expertise and insights that can provide value. We have done this for a long time. Our mitigation strategies have been built over the years through the crisis events we've seen, both man-made and natural. 

It has given us a strong position to be helpful in this industry. That's what it's about for me. I come from industry, and one day, I will go back to industry. My thought on that is we need to provide value back to critical infrastructure owners and operators. We do not want to have products and services that are antiquated or create guidance documents that simply collect dust - that isn't helpful. Everything we do needs to move the needle, drive down risk, and make us a harder target.

PUF: What's your typical day like?

Brian Harrell: I have never found myself bored, or sitting around waiting. It is an incredibly large security portfolio. Just to give you a sense, recently I was at the White House, doing a faith-based houses of worship event with the Vice President and Homeland Security Advisor. The next day, I was down at Hard Rock Stadium, in Miami, where they are going to host the next Super Bowl, and my team walked the NFL, law enforcement, and our state and local partners through a cybersecurity tabletop exercise.

PUF: Talk about the responding aspect when a crisis occurs.

Brian Harrell: The CISA team has the ability to provide immediate recommendations for mitigation measures and industry best practices for prevention, response, and recovery. Whether it's a cyber-intrusion, or a vehicle-borne improvised explosive device, we have staff in the field that can discuss ways to reduce risk and provide a road map for good security. 

We talk a lot about cyber hygiene. If you encounter ransomware or malware on your IT and OT systems, we have the ability to take the indicators of compromise, rip that malware apart, and figure out where it came from and how it entered your system. We can then take this information, without attribution, and turn around an alert to industry where we can provide a strategy on how to respond and recover as quickly as possible.

Our situational awareness is important. We do that a number of different ways. We have a twenty-four/seven watch center. We have significant relationships with our state and local partners, and we work with our interagency federal partners, intelligence agencies, and law enforcement to have a coordinated approach to provide industry timely threat information.

PUF: Talk about your career. You were involved in the development of the NERC GridEx exercises?

Brian Harrell: Many moons ago I was the Director of Critical Infrastructure Protection at NERC, the North American Reliability Corporation. In 2001, we created an exercise known as the GridEx, or Grid Security Exercise, and it has been a resounding success ever since.

The exercise has grown over the years to the best sector specific exercise in America. Early on we had a couple of hundred players, but today they have a couple thousand players and are distributed across the country. The scenario is built off of current events, tries to find gaps, and then provides opportunities for improvement, which will drive a more secure system and provide the most reliable power to the American people.

It's important, because I come from industry, to point to some of the good stuff that has happened within industry. We can highlight significant work within the utility industry, such as the NERC CIP standards, reliability assessments, a robust ISAC, and a design basis threat (DBT) that highlights the current threat profile and issues that utilities and NERC must protect against.

PUF: What are the most important priorities to increase cybersecurity?

Brian Harrell: Education of the corporate C-suite, industry executives, and regulators can drive a culture change. Period. When I speak across the country, I typically focus on five key areas.

Number one, the threat landscape is changing today. As we move further away from the events of 9/11, the Department of Homeland Security is not solely an anti-terrorism mission focused organization anymore. We still do that, but we are also moving and gravitating toward where the threat is. Today's threats are nation state adversaries, hate groups targeting soft targets, and understanding that there are insider threats within our companies.

We have individuals within our organizations, and in our companies, that have institutional knowledge on how to bring us to our knees. They have access to the crown jewels and have the keys to the kingdom. We need to understand that threats can come internally and not just outside the perimeter fence for critical infrastructure owners and operators.

Private industry is on the front lines of battling back these major threats that are coming from nation state actors. The Department of Homeland Security does not own critical infrastructure assets. Eighty-five percent of it is owned and operated by the private sector. So, we need to ensure that we are giving them the tools, the resources, and the expertise to make educated decisions on how to harden their systems and drive down risk.

We need to understand the gaps that exist. Attackers today focus on the margins, on the periphery, in those security and operational gaps. That feeds into my number three, which is cybersecurity, physical security, and emergency management convergence. We've been discussing this for the past ten years, but truly today's threat landscape is hybrid. The cyber threats that we see today have a physical security nexus and impact. Physical threats have the potential to impact cybersecurity operations.

There is a physical and logical nexus happening as we speak and we need to better align our security departments to be responsive to tomorrow's threats, and not just the threats of today. The foundation of any security program or plan is the risk assessment. We cannot protect all things but it's important to protect pencils like pencils and diamonds like diamonds. We must take a risk-based approach and invest and provide resilience to what matters most.

That brings me to number four, understanding that risks can be posed by third parties. A lot of times we're focused on our own corporate campus, on our own power system, but in reality, we are dependent on others that may be providing us laptops, drones, key materials, or even transformers. We need to understand how third-party risks could impact our operations and system reliability.

Number five is information sharing. We've been talking about this for a long time, but in reality, it is information sharing and having these key relationships in place under blue sky conditions that are going to save time when the event has occurred. It's going to provide us the opportunity to quickly come back to homeostasis when the grid is threatened, and we need you to lean on federal partners, law enforcement, industry, and vendors to figure out what the solution is. Let's not create our crisis response plan in the midst of crisis.

PUF: The electric sector is not by itself. If the water system, natural gas pipeline system, or financial system gets attacked, that can have a big effect.

Brian Harrell: That's right. The electricity sector, and big power producers in particular, are often viewed as the most critical sector across the board. To a certain extent, that is accurate, but even the most critical of sectors are dependent on others to accomplish their mission. We need clean water for generation, we need transportation to bring in product for generation, and we need telecommunications in order to communicate with our key systems.

PUF: Leaders throughout our industry and government, what are the most important items they should be thinking about and what can they do to help the industry's cybersecurity?

Brian Harrell: I'll give you three things. Number one, invest in resilience. A lot of our budgets reflect the here and now, but we need to understand that at some point something bad is going to happen. 

Second, remove single points of failure and add redundancy to your systems so when that bad thing happens, we have the ability to come back to normal as quickly as possible and restore critical services. Let's not have that single point of failure that if we were to lose that particular five hundred-kilovolt substation, that it would be detrimental to the system.

Understand collective defense. That means we are all in this together. The federal government, private industry, and the American citizen are in this together. We need to change the culture when it comes to security, very similar to what we did back in the '80s and '90s surrounding safety. Today within industry there is a strong safety culture. We need that same culture mentality surrounding security.

Last, I want to start the conversation about how we secure tomorrow. When we're looking at infrastructure security for the years 2045 and 2050, where everything is interconnected, where new threats may have emerged and materialized - we need to put some thought and attention on what's coming next. 

Our budgets need to reflect that, and that's why resilience is so important. We need to start to think and realize that today's threats may not necessarily be tomorrow's threats and we need to start doing a better job of anticipating.

 
