Despite a “shift in attitude” around securing the operational technology (OT) that underpins critical infrastructure such as manufacturing plants or utilities, the federal government is grappling with the challenges of reaching smaller operators with limited resources and making sure that OT investments made today have security built in.
The Biden administration has spearheaded several initiatives over the past year aimed at better protecting industrial control systems (ICS), including a national security memorandum issued last July that directed the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Institute of Standards and Technology (NIST), to develop a number of security performance goals for the critical infrastructure sector. But at a hearing on Thursday titled “Building on Our Baselines: Protecting Industrial Control Systems from Cyberattacks,” administration officials discussed the need for further security improvements at a foundational level to protect critical infrastructure environments, as well as the particularly complex challenge of building security into OT system design.
“As legislators and federal officials, we don’t spend enough time talking about, researching, or funding this topic,” said Yvette Clarke (D-NY), chair of the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee. “We rely on industrial control systems and other operational technology, or OT, to ensure our homes have electricity, clean drinking water, and countless other functions and services that are critical to our health, safety, and livelihoods. Nonetheless, the question of how we protect these critical OT systems tends to be superseded by traditional IT security.”
CISA has led many critical infrastructure security efforts at the federal level, and in April it expanded the Joint Cyber Defense Collaborative (JCDC), which develops cyber defense programs with public and private sector entities, to focus on ICS security by bringing in new collaboration partners. The agency has also been working to finalize the performance goals required by the national security memorandum, Eric Goldstein, CISA’s executive assistant director for cybersecurity, said at the hearing. The goals, he said, extend the existing NIST Cybersecurity Framework, a standard for building and evaluating cybersecurity programs, by identifying critical IT and OT system controls that “have known risk-reducing value and are broadly applicable across sectors.”
Despite these efforts, Clarke and others reiterated the Biden administration’s previous emphasis on the need for further cooperation between federal agencies and critical infrastructure operators to better secure the power grid, water, natural gas and other sectors.
“I think these baseline standards hold real promise to reshape the OT security landscape — but their effectiveness will depend on CISA’s ability to engage and integrate the feedback they hear from stakeholders,” Clarke stressed.
When asked how CISA communicates with smaller organizations and utilities, Goldstein said CISA has expanded its regional offices to better work with local critical infrastructure organizations and utilities, but acknowledged that currently “there is asymmetry between sectors.”
“In some industries, like the energy industry, there are a lot of smaller electric cooperatives or municipal utilities,” Goldstein said. “I think CISA’s work with the Department of Energy has done an important job in understanding risk and controlling. If we look at other sectors, like the thousands of small water companies in this country, we have work to do to make sure we are identifying all possible ways of communicating and collaborating.”
While high-profile critical infrastructure attacks like the Colonial Pipeline hack have only recently occurred, security challenges in the OT space have long been discussed. OT equipment is very different from IT equipment, which affects how it is secured and how secure it is. While IT is actively managed and the routine patches needed to fix critical security vulnerabilities can be easily installed, the critical nature of OT devices means their downtime has a greater impact, adding complexity to any type of update or replacement.
There are other design issues that make the security and management of OT devices more complex, said Vergle Gipson, senior consultant at Idaho National Laboratory. For example, while the refresh cycle of IT infrastructure requires equipment to be upgraded every few years, OT is designed to last decades, and much of the equipment was built at least 20 years ago, long before the need for robust cybersecurity defenses was discussed. Educating the people currently building and designing these systems is an important opportunity to enhance security, he said.
“This is a huge opportunity for us in the U.S. — from a cyber perspective, a lot of existing infrastructure is simply not secure, so when we upgrade and replace infrastructure, now is the best time to make that infrastructure cyber-secure and defensible, and the design phase is the right place to start,” Gipson said. “We need to find ways to educate the people who are designing and building systems and the components in those systems, and this is done with cybersecurity in mind, so they can be protected.”