As government-backed adversaries continue to shift some of their energy and capabilities to attacks on critical infrastructure, experts say a tighter focus on some basic yet effective security controls, along with increased strategic leadership from federal agencies, could help turn the tide in defenders’ favor.
Recent attack campaigns that have targeted critical infrastructure operators in sectors such as water and energy have drawn attention from legislators and federal regulators who are looking not just for answers on how the intrusions happened, but also for ways to improve the security of these networks going forward. The most recent set of intrusions involved the compromise of hundreds of SOHO routers by the Chinese attack group known as Volt Typhoon, which then used its position to pivot to some critical infrastructure (CI) networks in the United States. In a hearing last week of the House Select Committee on the Chinese Communist Party, U.S. law enforcement officials called the attacks a “low blow” and said the threat to CI operators is persistent and concerning.
On Tuesday, ICS and OT security specialists told members of the House Homeland Security Subcommittee on Critical Infrastructure Protection that while many if not most water facility operators and defenders may be lacking in terms of technology, staff, and funding, there are moves those operators can make that would raise the level of security quickly. For example, focusing on practical things such as enforcing MFA for access where possible can make a significant difference.
“Most of these facilities lack a firewall. It’s appropriate to think about this in the long term, but the horse is out of the barn,” said Robert M. Lee, CEO of Dragos, which specializes in ICS security. “Defenders have an advantage, but you’re just not going to have an advantage on every front.”
While concerns about the security and resilience of ICS and OT networks are not a new phenomenon, recent operations such as the Volt Typhoon campaign have brought them to the forefront. State-backed actors from various countries have made the targeting of CI networks a priority, and experts say those operations often are designed to pre-position attackers inside valuable networks in preparation for later cyber or physical attacks.
“Russia and China have begun to shift from IT to OT systems and paint the picture in a really bad direction in terms of fundamental international norms,” said Charles Clancy, senior vice president and general manager of MITRE Labs.
“I’m particularly concerned about the interdependencies of these sectors. If energy gets hit, water goes down shortly thereafter.”
To address the weaknesses in OT networks in utilities and other CI environments, Lee, Clancy, and the other witnesses suggested that the Cybersecurity and Infrastructure Security Agency (CISA) and other federal agencies expand their OT-specific cybersecurity expertise and look for ways to reduce the burden on operators.
“There is a considerable opportunity for EPA to step up, CISA and FBI to systematically engage across, and the network of security vendors to make it easier for everyone to coordinate. But these modest reforms should be kept in context with the scale of the threat, and the limited amount of resources available to critical infrastructure operators, particularly in the water sector,” Clancy said.
“We should urgently begin piloting, exercising, and preparing for contingency scenarios that require isolated operations across lifeline critical infrastructure sectors.”
The witnesses also emphasized to the committee members the differences between IT and OT networks and the specific challenges of defending the latter type, especially on the constrained budgets that many operators have.
“A lot of folks who have never set foot in a pump station are trying to tell people how to operate it. In water, there are three to four scenarios we should be concerned about. Most water facilities share one IT contractor and it’s just not going to work if we get out there and try to tell them to do fifty things,” Lee said.
“Only two to three percent of vulnerabilities even matter to OT operators. If you steal from IT, you steal people’s data. If you target OT, you can kill people.”
Going forward, the experts recommended continued investment in CISA’s programs, the establishment of baseline security requirements for OT networks, and uniform incident reporting standards.
“There is an ongoing care and feeding that’s required for these OT networks. We just need to make sure that from the get-go we’re defining the security requirements in projects and then measuring them,” said Marty Edwards, deputy CTO at Tenable.