Although a “shift in attitude” is happening around securing the operational technology (OT) that underpins critical infrastructure like manufacturing plants or utilities, the federal government is still working through challenges in targeting efforts toward smaller operators grappling with limited resources, and ensuring that the OT investments being made today have security built into them.
The Biden administration over the past year has spearheaded several initiatives that aim to better secure industrial control systems (ICS), including a National Security Memorandum passed last July, which directed the Cybersecurity and Infrastructure Security Agency (CISA) to work with the National Institute of Standards and Technology (NIST) to develop a number of security performance goals for critical infrastructure sectors. But at a Thursday hearing called “Building on our Baseline: Securing Industrial Control Systems Against Cyberattacks,” government officials discussed further security improvements needed at the ground level to secure critical infrastructure environments and the particularly complex challenge of building security into the design of OT systems.
“This is a topic that we, as lawmakers and Federal officials, don’t spend nearly enough time talking about, working on, or funding,” said Yvette Clarke (D-NY), chairwoman of the Cybersecurity, Infrastructure Protection and Innovation subcommittee. “We rely on industrial control systems and other operational technology, or OT, to make sure we have power in our houses, clean water to drink, and countless other functions and services essential to our health, safety, and livelihoods. Still, questions about how we secure these critical OT systems tend to take a backseat to traditional IT security.”
CISA has led many of the critical infrastructure security efforts at a federal level, in April expanding the Joint Cyber Defense Collaborative (JCDC) - an agency effort to develop cyber defense plans with both public and private sector entities - to focus on ICS security by bringing in new partners. The agency has also been working to finalize the performance goals required by the National Security Memorandum, according to CISA Executive Assistant Director for Cybersecurity Eric Goldstein during the hearing. These goals expand on the existing NIST Cybersecurity Framework, a standard for building and evaluating cybersecurity programs, by identifying significant IT and OT system controls “with known risk-reduction value that are broadly applicable across sectors,” he said.
“We need to find ways to educate those that are engineering and building systems and the components in those systems, that that work is done with cybersecurity in mind so they can be defended.”
Despite these efforts, Clarke and others reiterated a need previously emphasized by the Biden administration for further cooperation between federal agencies and critical infrastructure operators in order to better secure sectors like the electric grid, water, gas and more.
“I see these baseline standards as having real promise to reshape the OT security landscape – but they will only be as effective as CISA’s ability to engage and incorporate the feedback they are hearing from stakeholders,” stressed Clarke.
When asked how CISA is communicating with smaller organizations and utilities, Goldstein said CISA has expanded its regional offices to better partner with local critical infrastructure organizations and utilities, but acknowledged that currently “it’s asymmetric across sectors.”
“There are some sectors like the energy sector where there are a lot of electric co-ops or municipal utilities that are smaller,” said Goldstein. “I think CISA’s work in cooperation with the Energy Department has done an important job of understanding the risks and the controls. If we look across other sectors, for example the thousands upon thousands of small water utilities in this country, we have work to do to make sure we are identifying all possible means of communication and collaboration.”
While high-profile critical infrastructure attacks like the Colonial Pipeline hack have only recently occurred, security challenges in the OT space have long been discussed. OT devices are drastically different from IT devices and that impacts how - and the level to which - they are secured. While IT is actively managed, making it easy to install routine patches needed to fix critical security flaws, for instance, the critical nature of OT devices means that their downtime will have a much greater impact, adding a tangle of complexity to any sort of update or replacement.
Vergle Gipson, senior advisor at the Idaho National Laboratory, said other design issues exist as well that make the security and management of OT devices more complicated. While the refresh cycle for IT infrastructure calls for devices to be upgraded every few years, for instance, OT is designed to last for decades and many devices were built at least 20 years ago, long before the need for strong cybersecurity defenses was being discussed. The education of those who are currently building and designing these systems is one vital opportunity for bolstering security, he said.
“This is a big opportunity for us in the U.S.- a lot of the existing infrastructure simply isn’t securable from a cyber viewpoint, and so as we are upgrading and replacing infrastructure, it’s the perfect time to make that infrastructure cyber secure and defendable, and the design stage is the right place to start,” said Gipson. “We need to find ways to educate those that are engineering and building systems and the components in those systems, that that work is done with cybersecurity in mind so they can be defended.”