Enhanced Cybersecurity Services: Protecting Critical Infrastructure

Enhanced Cybersecurity Services are under development by the DHS to provide information-sharing and defensive strategies against a new generation of cyber threats.

Comprehensive cybersecurity is an unfortunate necessity in the connected age, as malware such as Duqu, Flame, and Stuxnet has proven to be an effective instrument of espionage and physical sabotage rather than a vehicle of petty cybercrime. In an effort to mitigate the impact of such threats on United States Critical Infrastructure (CI), the Department of Homeland Security (DHS) developed the Enhanced Cybersecurity Services (ECS) program, a voluntary framework designed to augment the existing cyber defenses of CI entities. The following provides an overview of the ECS program architecture, technology, and entry qualifications as described in an "on background" interview with DHS officials.

At some point in 2007, an operator at the Natanz uranium enrichment facility in Iran inserted a USB memory device infected with the Stuxnet malware into an Industrial Control System (ICS) running a Windows Operating System (OS). Over the next three years, the Stuxnet worm would propagate over the Natanz facility’s internal network by exploiting zero-day vulnerabilities in a variety of Windows OSs, eventually gaining access to the Programmable Logic Controllers (PLCs) on a number of Process Control Systems (PCSs) for the facility’s gas centrifuges. Stuxnet then injected malicious code to make the centrifuges spin at their maximum degradation point of 1410 Hz. One thousand of the 9,000 centrifuges at the Natanz facility were damaged beyond repair.

In February 2013, Executive Order (EO) 13,636 and Presidential Policy Directive (PPD)-21 ordered the DHS to develop a public-private partnership model to protect United States CI entities from cyber threats like Stuxnet. The result was an expansion of the ECS program from the Defense Industrial Base (DIB) to 16 critical infrastructure sectors (see Table 1, page 11).

Enhanced Cybersecurity Services framework

At its core, the ECS program is a voluntary information-sharing framework that facilitates the dissemination of government-furnished cyber threat information to CI entities in both the public and private sectors. Through the program, sensitive and classified cyber threat information is collected by agencies across the United States Government (USG) or EINSTEIN sensors¹ placed on Federal Civilian Executive Branch (FCEB) agency networks, and then analyzed by DHS to develop “threat indicators” (see Sidebar 1, page 11). DHS-developed threat indicators are then provided to Commercial Service Providers (CSPs)² that, after being vetted and entering a Memorandum of Agreement (MOA) with DHS, may commercially offer approved ECS services to entities that have been validated as part of United States CI. The ECS services can then be used to supplement existing cyber defenses operated by or available to CI entities and CSPs to prevent unauthorized access, exploitation, and data exfiltration.

In addition, CSPs may also provide limited, anonymized, and aggregated cybersecurity metrics to the DHS Office of Cybersecurity & Communications (CS&C) with the permission of the participating CI entity. Called Optional Statistical Information Sharing, this practice aids in understanding the effectiveness of the ECS program and its threat indicators, and promotes coordinated protection, prevention, and responses to malicious cyber threats across federal and commercial domains. Figure 1 provides an overall outline of the ECS model.

Figure 1: The ECS model gathers sensitive cyber threat information from across United States government agencies, and develops it into “threat indicators” that can be used to supplement CSP and CI entity cyber defenses.

Enhanced Cybersecurity Services countermeasures

The initial implementation of ECS includes two countermeasures for combating cyber threats: Domain Name Service (DNS) sinkholing and e-mail filtering.

DNS sinkholing technology is particularly effective against malware like Stuxnet that is equipped with distributed command and control network capabilities, which allow a threat to open a connection back to a command and control server so that its creators can remotely access it, give it commands, and update it. The DNS sinkholing capability enables CSPs to prevent communication with known or suspected malicious Internet domains by redirecting the network connection away from those domains. Instead, CSPs direct network traffic to “safe servers” or “sinkhole servers,” both hindering the spread of the malware and preventing its communications with cyber attackers.
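As an added illustration (not part of the original article or of any ECS implementation), the redirect decision described above can be sketched in Python. The indicator domains, IP addresses, and function names are constructed assumptions; the sketch also counts sinkhole hits per client, since a host that queries an indicator domain is a candidate for investigation.

```python
# Added illustration: sinkhole decision logic for a recursive resolver.
# Indicator domains, sinkhole address and client IPs are constructed samples.
from collections import Counter

SINKHOLE_IP = "192.0.2.53"  # documentation-range address, assumed for the example
INDICATORS = {"c2.example.net", "update-check.example.org"}  # constructed

def normalize(qname):
    """Lower-case and strip the trailing root dot so 'C2.Example.NET.' matches."""
    return qname.strip().rstrip(".").lower()

def matched_indicator(qname, indicators=INDICATORS):
    """Return the indicator covering qname (exact or any subdomain), else None."""
    labels = normalize(qname).split(".")
    # Walk from the full name up through parent zones: a.b.c -> a.b.c, b.c, c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None

def resolve(client_ip, qname, upstream, hits):
    """Answer with the sinkhole for indicator matches; otherwise ask upstream."""
    if matched_indicator(qname) is not None:
        hits[client_ip] += 1  # a sinkhole hit marks a host worth investigating
        return SINKHOLE_IP
    return upstream(normalize(qname))

def run_sample():
    """Replay constructed queries; return (answers, per-client sinkhole hits)."""
    upstream = lambda name: "198.51.100.10"  # stand-in for real recursion
    hits = Counter()
    queries = [
        ("10.0.0.5", "www.example.com"),
        ("10.0.0.7", "C2.Example.NET."),
        ("10.0.0.7", "beacon.c2.example.net"),
        ("10.0.0.9", "notc2.example.net"),  # label boundary: must not match
    ]
    answers = [resolve(ip, q, upstream, hits) for ip, q in queries]
    return answers, dict(hits)

if __name__ == "__main__":
    print(run_sample())
```

Matching on whole labels rather than raw string suffixes keeps an unrelated name such as `notc2.example.net` from being sinkholed by the `c2.example.net` indicator.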

The e-mail filtering capability is effective in combating cyber threats like Duqu, for example, which spread to targets through contaminated Microsoft Word e-mail attachments (also known as phishing), then used a command and control network to exfiltrate data encrypted in image files back to its creators. The e-mail filtering capability enables CSPs to scan attachments, URLs, and other potential malware hidden in e-mail destined for an entity’s networks and potentially quarantine it before delivery to end users.

Accreditation and costs for Enhanced Cybersecurity Services

The CS&C is the DHS executive agent for the ECS program, and executes the CSP security accreditation process and MOAs, as well as validation of CI entities. Any CI entity from one of the 16 key infrastructure sectors can be evaluated for protection under the ECS program, including state, local, tribal, and territorial governments.

For CSPs to complete the security accreditation process, they must sign an MOA with the USG that defines ECS expectations and specific program activities. The MOA works to clarify the CSP’s ability to deliver ECS services commercially while adhering to the program’s security requirements, which include the ability to:

  • Accept, handle, and safeguard all unclassified and classified indicators from DHS in a Sensitive Compartmented Information Facility (SCIF)
  • Retain employee(s) capable of holding classified security clearances for the purposes of handling classified information (clearance sponsorship is provided by DHS)
  • Implement ECS services in accordance with security guidelines outlined in the network design provided on signing of the MOA

Although participation in the ECS program requires no up-front costs, CSPs may encounter costs related to the requirements of the program. These could include, but are not limited to, costs to adhere to the hardware, software, installation, and configuration requirements of ECS, as well as the construction of a SCIF. However, the DHS projects that these costs will be outweighed by the long-term benefits of the program.

Privacy, confidentiality, and Enhanced Cybersecurity Services

In addition to not disclosing information on CI entities enrolled in the ECS program (including names), a fundamental tenet of the ECS program is that the government takes no part in securing voluntary networks, nor does it monitor private communications or communications content of CSPs or CI entities.

“ECS does not involve government monitoring of private communications or the sharing of communications content with the government by the CSPs,” a DHS official told . “Although CSPs may voluntarily share limited aggregated and anonymized statistical information with the government under the ECS program, ECS related information is not directly shared between customers of the CSPs and the government.

“CS&C may share information received under the ECS program with other USG entities with cybersecurity responsibilities, so long as the practice of sharing information is consistent with its existing policies and procedures. DHS does not control what actions are taken to secure private networks or diminish the voluntary nature of this effort. Nor does DHS monitor actions between the CSPs and the CI entities to which they provide services. CI entities remain in full control of their data and the decisions about how to best secure it.”

For more information on participating in the ECS program as either a validated CI entity or CSP, contact the ECS Program Management Office at ECS_Program@HQ.DHS.gov.



Sidebar 1: The ECS program is based on the development of “indicators” to identify known or suspected cyber threats.

¹ EINSTEIN sensors provide an early warning system, improved situational awareness of intrusion threats to FCEB networks, near real-time identification of malicious cyber activity, and prevention of that malicious cyber activity to the federal government.

² Threat indicators and ECS services are also available to Operational Implementers (OIs), or entities that have sufficient technical and security capabilities to implement ECS protections on their own networks and systems, but do not intend to offer those services as a CSP to other entities.