As Tom Fanning announced at the June 12 CISA conference during his keynote address, public-private partnerships are key to securing our critical infrastructure and hardening the battlefield against attack.
This announcement from INGAA, supporting DOE and CISA Secure by Design principles and practices that encourage vendors to share responsibility for cybersecurity outcomes by designing and delivering products that are secure by demand/default, sets the stage for greater public-private collaboration to strengthen cyber protections across all critical infrastructure operations.
CISA provides the guidance vendors need to implement Secure by Design principles and practices, and consumers can check that products are Secure by Design by referring to CISA's Secure by Design Software Acquisition Guide. Consumers, especially critical infrastructure operators, should ask product vendors to fill in the 19 Governance questions contained in the CISA Secure by Design Software Acquisition Guide spreadsheet in order to evaluate vendor commitments to building Secure by Design products. Always remember to "look both ways" before buying and installing a software product, to be safe.
Remember: risk always exists, but trust must be earned and awarded. Ask for the "Trust Score" before buying a product.
The INGAA Secure by Design announcement is a model for other critical infrastructure operators to follow.
“Insecure software makes it easy for nation-state adversaries and criminals alike to compromise our critical infrastructure and put Americans at unacceptable risk. The good news is that we can do something about it now that will benefit generations to come,” said CISA Cybersecurity Executive Assistant Director Jeff Greene. “The energy sector has a long history of leading the way on early adoption of security practices and this is just another example of that leadership. CISA applauds the companies that have taken action and signed the Secure by Design pledge, publicly committing to take actions that will raise our global cybersecurity posture.”
As Paul Ruppert, President of Berkshire Hathaway Energy Gas Transmission & Storage (GT&S) and current INGAA Chair, put it: “Our industry fully supports Secure By Design and the Supply Chain Cybersecurity Principles. We are committed to defending against adversarial cyber actors, and part of that process is ensuring that the products deployed in our pipeline networks are built with security in mind from the design phase through the product’s lifecycle. We strongly encourage software, hardware, and other technology vendors to sign onto these respective pledges to help secure our nation’s energy infrastructure.”
“We greatly appreciate organizations like INGAA, whose members provide critical energy services throughout the nation, for their partnership in raising awareness to industry’s demand for strong cybersecurity protections across the supply chain,” stated Director Kumar. By raising the bar for the vendor community, we are demonstrating that supply chain security is a top priority for the natural gas pipeline industry.
INGAA members take the security of their assets seriously and encourage all technology and equipment providers, particularly those with a strong market share in critical infrastructure operations, to take the CISA and DOE pledges to manufacture their products securely throughout the entire systems’ engineering lifecycle.