Dive Brief:
-
The public-private cybersecurity super group, the Joint Cyber Defense Collaborative, is turning its attention to a 2023 agenda that will address risks to vulnerable industries and sensitive elements of civil society.
-
JCDC will assess risk in energy and water infrastructure sectors alongside the use of open-source software in industrial control systems, the group revealed Thursday.
- It also wants to increase cybersecurity and reduce risk for small- and medium-sized critical infrastructure providers. JCDC will collaborate with managed service providers, managed security service providers and remote monitoring and management as part of the effort.
Dive Insight:
Sector-specific risks are a top agenda item, but the JCDC also wants to harden some of the more vulnerable areas in critical infrastructure technology this year.
“While all organizations are at risk of cyber intrusions, we know that certain elements of the ecosystem can be abused by malicious actors to achieve widespread impacts,” Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said in a blog post released Thursday
The JCDC was originally formed in 2021 to help strengthen public-private collaboration to combat ransomware and better respond to attacks against cloud providers. The group was a critical part of the collective response to Log4j and the development of the Shields Up response to Russia’s invasion of Ukraine.
In the next few weeks, the JCDC will launch planning efforts to address open source software in industrial systems as well as scaling resilience efforts among small- and mid-sized critical infrastructure providers, Goldstein noted.
The agenda builds on the federal government's growing concern over open source security thanks in part to the Log4j vulnerability first disclosed in December 2021 and the rise in supply-chain attacks after the SolarWinds attack.
Brian Behlendorf, general manager of the Open Source Security Foundation, expressed gratitude for the initial focus on OSS, but questioned whether the focus should go beyond just ICS.
“OSS usage is deep across many sectors, not just industrial control systems, and many of those sectors will share common underlying software (e.g. the Linux kernel), so it’s partly surprising to see the emphasis on ICS,” Behlendorf said via email.
More recently the security of ICS systems has come into focus since the Russia invaded Ukraine, as state-linked threat actors have targeted several major industries with wiper attacks and destructive malware over the past year.