After decades of being treated as an afterthought, cybersecurity in the operational technology realm is finally getting the attention it deserves in Washington.
To fix the problem, federal agencies and policymakers are eyeing a mix of voluntary collaboration and financial incentives to prod critical infrastructure entities to slowly replace past technologies and processes that have traditionally prioritized availability and reliability over security.
At a hearing Thursday, Rep. Yvette Clarke, D-N.Y., chair of the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Innovation, pressed executive branch officials for updates on a number of programs specifically directed at critical infrastructure and said that past prioritization of IT systems at the expense of operational technology “is simply not an option in today’s threat landscape, as OT becomes more internet connected, integrated with IT systems and attractive to our adversaries.”
It's the latest sign that Congress and the executive branch are increasingly focused on improving security for the highly specialized equipment and systems that are used to run power plants, dams and water control systems, manufacture goods, and deliver other critical services to American society.
These assets are often old, running ancient or unpatched versions of software that leave them open to exploitation from hackers, and require a delicate touch as even small changes can lead to severe disruptions of essential services. Other observers in the federal government, like Michael Dransfield, a senior technical executive for control systems cybersecurity at the NSA, have said that much of the nation’s veteran workforce familiar with securing OT systems have retired over the past decade, forcing businesses to increasingly rely on automated control systems that are vulnerable to hackers.
Meanwhile, both the Department of Energy and the Cybersecurity and Infrastructure Security Agency are touting the potential for new federal investments that can, they argue, reshape the status quo around cybersecurity in critical infrastructure.
As SC Media has reported, the Department of Energy is embarking on a decade-long plan to leverage grant funding from the Bipartisan Infrastructure law passed last year to replace outdated legacy technologies in the energy sector with newer, more secure systems. It’s also attempting to alter the way energy technologies are made through its Cyber Informed Engineering plan, a strategy to ensure that cybersecurity is baked into newer ICS equipment and systems at the design stage.
“This is a big opportunity for us in the U.S. in that a lot of the existing infrastructure simply isn’t securable from a cyber viewpoint … and the design stage is the right place to start,” Vergle Gipson, a senior advisor at the Idaho National Laboratory, told lawmakers.
This week, officials from the Office of Cybersecurity, Energy Security and Emergency Response at DoE also held the second of three planned meetings with hundreds of rural electric utilities and cooperatives to get feedback on their funding needs as the agency begins to craft the specifics of grant programs and solicitations. In particular they are looking for participation from smaller utilities who are most likely to benefit from federal grant funding.
“We’re missing the voice of the smaller utilities, which is going to be essential because a lot of that limited resource audience is going to be the smaller utilities and I want to make sure we design a program with their voice in mind,” Cynthia Hsu, a cybersecurity program manager at CESER, told attendees Thursday.
Gipson told lawmakers that a new ICS Cybersecurity Center of Excellence is also needed to drive research and development within the community, as well as developing “more realistic” test environments to experiment and develop novel cybersecurity mitigations across different sectors. Policymakers will need to balance many of the basic, blocking and tackling measures needed by energy utilities and power companies across the with deeper research on preventing discrete, high-impact hacks with broader implications.
“In addition to all the great cyber hygiene things that need to be done … we also need to identify what are those high consequence events that we simply can’t allow to occur as a nation,” Gipson said.
Meanwhile, CISA Executive Assistant Director Eric Goldstein detailed a range of programs his agency has rolled out over the past year to improve coordination of security across critical infrastructure. It includes a new cyber defense plan focused on improved sharing threat and vulnerability information around industrial control systems that is developed by a working group of ICS device manufacturers, integrators, security providers and operators within the Joint Cyber Defense Collaborative.
It also involves updates to voluntary baseline security goals for operational technology released by CISA and the National Institute for Standards and Technology over the past year that Goldstein said would help organizations in critical infrastructure prioritize security investments over the long term. Goldstein said the final version of those guidelines is expected to be released in the coming weeks.