Podcast: Episode #14 - Emilio Salabarria: Building Organizational Resilience through Cyber Assessments

March 23, 2023

We recently had the pleasure of speaking to Emilio Salabarria on the PrOTect OT cybersecurity podcast. Emilio is an accomplished expert in both emergency management and cybersecurity, and currently serves as the Deputy Senior Executive Advisor at Cyber Florida.

On this episode, Emilio touched on several important topics, including risk assessment programs for securing critical infrastructure in Florida, how small counties can protect against a cyber attack through training and tabletop exercises, and how cybersecurity assessments play a central role in improving organizational resilience.

Cyber Florida, also known as the Florida Center for Cybersecurity, is tasked with conducting a cybersecurity critical infrastructure risk assessment for the Florida State Legislature. The goal is to submit actionable recommendations to the state legislature, governor, and Florida Cybersecurity Advisory Council. The assessment utilizes a CSET tool, which has 156 questions, including a ransomware readiness assessment. Cyber Florida aims to attract all 16 sectors and 54 sub-sectors in Florida, as all sectors are interconnected, and an attack on one could impact others. The survey is anonymous, and only demographic information such as zip code, employee and customer size, and revenue is collected to assess the consequences of an attack on a specific sector.

No other state has done this before; this is the first of its kind. Early trends show that 49% of those who completed the tool use multi-factor authentication (MFA). Considering that over 90% of all cyber attacks occur at the human-machine interface, with somebody clicking on something they shouldn't, implementing MFA statewide would greatly reduce the state’s vulnerability. That was one of the early recommendations that Cyber Florida made to the state.

Another early finding is that roughly 49% of the entities that completed 90% or more of the CSET tool do not exercise their response and recovery plans with third parties, such as contractors, vendors, and suppliers. This is concerning because the supply chain is critical, and if one of your suppliers cannot fulfill your orders, it could lead to serious business consequences.

More about the CSET tool

Emilio mentioned the questions he receives about the CSET tool - what is it, where is it, and who is storing it? The CSET tool used in this assessment was specifically designed for South Florida and has been downloaded onto a server at the University of South Florida, where we are the custodians responsible for securing and analyzing the data. As part of our IT department and academia, we are collecting the data, and we will include it in the report, which we will send to the State of Florida to take action. Cyber Florida’s call to action is for all critical infrastructure entities in Florida to participate and have their voices heard. There is a possibility that there may be some regulation, mandatory requirements, executive orders, or legislation that could arise from the report. That's why it's crucial for CI entities to participate and to have their input included in the CSET tool's survey.

The CSET tool questions are not overly in-depth; it's a simple yes or no survey comprising 156 questions that do not ask for any proprietary information. Cyber Florida then will analyze it and work with MITRE to formulate the report, analyze the data, conduct focus groups, and engage in outreach to reach the relevant audiences. It's important to note that Cyber Florida is conducting the survey, not the state.

The importance of assessments

The state of Florida recognized a need to improve cybersecurity. They were eager to take action, but knew they had to take smart action. Cyber Florida’s research and risk assessment enables the state to take informed and effective actions to improve its cybersecurity posture. Conducting a thorough risk assessment provides insights into the current state of cybersecurity in Florida, which could inform the allocation of grant funds and potentially the enactment of laws, regulations or mandates to bolster the state's cybersecurity. Cyber Florida’s goal is to make Florida the most cyber secure state in the nation, and this risk assessment, along with their training component, is a critical step in achieving that objective. The state has allocated additional funding to support the training component, which is aimed at equipping Florida's critical infrastructure entities with the knowledge and skills they need to better protect themselves against cyber threats.

This effort has garnered interest from the federal government and NIST in how the cybersecurity framework is being used to measure against the risk assessment of entities in Florida. In addition to the report sent to Florida, participants will receive their individual reports as well as a comparison to the sector-wide results. This will allow them to identify areas of weakness and make improvements. It is anticipated that the CSET tool will be used regularly, and cybersecurity assessments will be necessary as long as there are computers connected to the Internet. Validation can be done through cyber ranges or tabletop exercises to test knowledge around cybersecurity.

The team continues to field responses from Florida’s sectors and encourages all to participate for the most complete report findings. Emilio's passion is clear as he speaks to this project and how he's motivated to keep giving it momentum. He and the team are dedicated to achieving their mission of making Florida the most cyber secure state in the nation, and their commitment to improving cybersecurity through risk assessments and training is evident.

With currently 269 critical infrastructure sectors participating and a goal of 500 by June, he sees the potential for tens of thousands of entities in Florida to complete the CSET tool, providing a robust report on the state's cybersecurity posture. As training programs are implemented and grants become available, Emilio believes that federal and state resources can help patch vulnerabilities and close gaps. His goal is to improve resilience and preparedness against cyber attacks, a continued threat to the US and Florida. Emilio emphasizes the importance of education and tools to protect individuals, companies, and entities from cyber threats.

This has been just a brief summary of all that was discussed on this episode with Emilio. Be sure to listen to the full episode on The PrOTect OT Cybersecurity Podcast.