Energy CISO: Agencies can’t implement zero trust alone

Federal agencies need help from stakeholders outside of government to solve some of the harder technical barriers in setting up zero-trust architecture in their networks, the Department of Energy’s chief information security officer said Wednesday.
Speaking at CyberScoop’s Zero Trust Summit in Washington D.C., Paul Selby urged technology manufacturers and experts to work with federal agencies to develop technologies and protocols that address the limitations of legacy systems — including operational technology — that are still prevalent in the energy sector.
“There’s no question that the legacy environment and the technical debt in the government is a huge problem, and we need the vendor community to help us overcome this,” Selby said.
Since 2021, federal agencies have been required to apply zero trust principles to their IT. Because zero trust is more of a concept than a prescribed set of technologies or solutions, each agency's journey has looked different depending on its needs and its legacy IT environment.
Selby’s department oversees the nation’s energy policy, manages nuclear infrastructure and works hand-in-hand with thousands of private companies and independent utilities. Because of that, he described his IT environment as “complex,” with the complexity multiplying as remote work grew during the COVID-19 pandemic.
Cherilyn Pascoe, director of the National Cybersecurity Center of Excellence at the National Institute of Standards and Technology, said that companies that sell to the government must do more to make their technologies interoperable with other products.
Pascoe said that since 2021 NIST has worked with over 100 different technology vendors to develop a zero trust implementation guide for federal agencies, eventually narrowing the list down to 24.
“One of the things that we noticed is that when we first started the project, all 24 members said they could integrate with each other. As we continued down that path, we quickly learned that was not the case,” Pascoe said. “We also learned that there were security capabilities that were missing that we thought we were going to be able to leverage in some of our example builds that we were unable to demonstrate.”
Selby also highlighted ongoing “cultural and organizational resistance” to the zero trust mandates in federal agencies, as well as other cybersecurity initiatives, attributing this to a larger failure by practitioners to communicate effectively with stakeholders beyond “screaming louder” about the problem.
“Fear, in and of itself, is not changing the landscape inside cybersecurity,” Selby said.