US Congressional hearings on cybersecurity highlight urgency to protect critical infrastructure, OT from cyber threats

Recent U.S. Congressional hearings on cybersecurity serve as crucial platforms for examining the threats faced by operational technology (OT) and critical infrastructure sectors. By emphasizing the role of agencies like the Cybersecurity and Infrastructure Security Agency (CISA) in securing the nation’s systems, these hearings provide insights into ongoing efforts to combat cyber threats while recognizing the significance of these discussions in safeguarding society’s vital resources and maintaining national security.

The U.S. House Select Committee on the Chinese Communist Party and the House Energy and Commerce Environment, Manufacturing, and Critical Materials Subcommittee recently held hearings addressing significant concerns regarding the Chinese Communist Party’s influence and actions. 

The former emphasized the importance of raising awareness about the risks posed by nation-state hackers capable of causing significant harm to Americans through destructive cyberattacks targeting critical infrastructure and supply chains. Meanwhile, the latter addressed the need to safeguard the nation’s drinking water infrastructure from cyberattacks. The hearing comes as a follow-up to last year’s May hearing held by the Subcommittee on Oversight and Investigations, at which the U.S. Environmental Protection Agency (EPA) testified.

Given the current geopolitical climate and ongoing tensions between the U.S. and China, these hearings are crucial in shaping policies and strategies to address these complex challenges. They come as water infrastructure and its systems become increasingly vulnerable to cyberattacks by adversaries and other malicious hackers, underscoring the need to strengthen their cybersecurity. The hearings also provided an opportunity to discuss with experts and stakeholders how best to protect this key infrastructure from rising attacks and work toward mitigating future risks.

The U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection convened a hearing to tackle threats to OT within critical infrastructure sectors, particularly emphasizing the water sector. The discussion centered on emerging cyber threats, vulnerabilities in OT systems, and the role of CISA in safeguarding these vital assets. Given the increasing frequency and sophistication of cyberattacks targeting critical infrastructure, this hearing provided an opportunity to assess current cybersecurity measures and explore ways to enhance protection mechanisms.

Addressing these cybersecurity challenges is paramount to ensuring the resilience and security of essential services upon which society relies. These hearings shed light on the evolving landscape of cyber threats and the steps being taken to safeguard critical infrastructure. As reliance on technology grows, so does the potential for cyber attacks that can disrupt essential services and pose significant threats to national security. The hearings highlight the government’s commitment to addressing these challenges head-on and fortifying defenses against cyber threats.

Strengthening cybersecurity strategies across critical infrastructure

Following last week’s hearings by the House Select Committee on the Chinese Communist Party and the House Energy and Commerce Environment, Manufacturing, and Critical Materials Subcommittee, Industrial Cyber reached out to industrial cybersecurity experts on how the critical infrastructure sector can adapt its cybersecurity strategies based on insights gained from the hearings. 

“The message to owners and operators of critical infrastructure was loud and clear. If your cybersecurity strategy doesn’t assume nation-state actors are targeting you, it should,” Edgard Capdevielle, CEO at Nozomi Networks, told Industrial Cyber. “The FBI is ringing the alarm bell, their position is that the enemy is not at the gate, they’re behind the gate. This is not the time to develop strategy, we’re beyond drawing board tactics … it’s time to move forward defensive cybersecurity strategies – quickly – using the well-established tools and protocols and best practices we have today.”

Jose Seara, founder and CEO of DeNexus, pointed out that the call to action to the private sector from the hearings can be best summarized by comments from Jen Easterly, U.S. Director of the Cybersecurity and Infrastructure Security Agency (CISA): “Every CEO, every board member, every business leader of a critical infrastructure – owner or operator – has to see cyber risk as a core business risk. They have to manage it as a matter of good governance and national security.”

“Many in attendance emphasized the significance of collaboration between the private and public sectors as a countermeasure against substantial investments by certain nation-states aiming to penetrate critical U.S. infrastructure for the long run - their goal being to inflict harm either immediately or in the future, strategically supporting times of crisis with the U.S.,” Seara told Industrial Cyber.

Victor Atkins, director – executive advisory for industrial cybersecurity at 1898 & Co., told Industrial Cyber that the hearings discussed how the water sector of the United States, particularly in rural areas, is highly vulnerable to disruptive cyber attacks that could negatively impact public health and the environment. 

“Given the lack of detail, the sector can only enhance their detection and hunting methods, in the hopes they are successful,” Patrick Miller, president and CEO at Ampere Industrial Security, pointed out to Industrial Cyber. “The challenge is both of these require the respective time, money, and skills.”

Collaboration techniques to bolster critical infrastructure cybersecurity

The executives discuss specific recommendations that have emerged from the hearings and explore how they can be effectively implemented to enhance cybersecurity in the critical infrastructure sector. Additionally, they delve into the ways in which the sector can collaborate with global partners to strengthen its cybersecurity defenses, taking into account the insights gained from recent Congressional hearings.

Seara pointed out that software vulnerabilities are some of many Achilles heels in the cybersecurity of critical infrastructure that can be proactively identified and fixed. “The primary recommendation for resource-constrained teams is to partner with local CISA teams and take advantage of free resources offered such as vulnerability scanning which can then feed into cyber risk solutions to quantify the risk and prioritize remediation, helping to allocate their scarce financial and human cybersecurity resources wisely,” he added. 

Atkins outlined two important recommendations that emerged from the hearing. “First, water utilities need a better understanding about the threats that they face, so they can prioritize resources to address vulnerabilities. Without a clear understanding of what they are securing against, water utilities will likely continue to fall short of implementing meaningful cybersecurity controls.” 

He added that federal agencies need to make sure that threat intelligence is concise, actionable, and properly contextualized to be consumed by utilities that may lack technical expertise within their organizations. This requires input from professionals who understand systemic risks within operational technology environments and can help utilities understand specific measures they can take to mitigate these nation-state threats.  

Secondly, Atkins detailed that water sector entities should seek support in applying Consequence-driven Cyber-Informed Engineering (CCE) methods to identify cyber-related risks to their key functions so they can properly mitigate them with proper engineering solutions.

Miller said that “there weren’t many specific recommendations, vs. a general statement that China is embedded in our infrastructure. The US should be working with global partners, both from a government-to-government approach and a company-to-company approach. Sharing of intelligence has always been a challenge, but worth the effort.”

Addressing cybersecurity concerns across water sector 

The executives provide their reactions to this week’s ‘Securing Operational Technology: A Deep Dive Into the Water Sector’ hearing held by the U.S. Congress’s House of Representatives. They shed light on the most effective strategies for the water infrastructure sector to address cyber vulnerabilities and strengthen its overall cybersecurity posture. 

Capdevielle said that the water sector is foundational to the performance of every other critical sector yet has unique challenges that stymie the deployment of cybersecurity measures. “In some cases, they’re run by municipalities that have to decide between cybersecurity for the water/wastewater plant, or police, schools, fire, and other funding obligations. Most water is run like a non-profit, with a cost-plus or regulated business model which significantly restricts their ability to invest and makes justifying the expense more difficult.” 

Moreover, he added that the sector’s complexities, such as large geographical areas, the uniqueness of every plant, and plants sometimes being designed by one firm, built by another, and operated by someone else, result in an environment that’s resistant to change … by design. “Our water/wastewater sector, along with the power grid is our Achilles heel, but the power grid gets the lion’s share of funding and attention. The outcome of that strategy is what we’re witnessing today.”

Seara pointed out that in the committee hearing on water facilities, Senator Eric Swalwell, a Democrat from California and a ranking member of the Subcommittee on Cybersecurity and Infrastructure Protection, described water infrastructures as ‘target rich, resource poor.’

“With many opportunities to upgrade existing systems, it is imperative for the water sector to prioritize risk and cybersecurity investments using a clear understanding of where cyber attacks could cause the most damage – operationally, financially, and to the safety of their customers,” according to Seara. “It might not be necessary to fix every single vulnerability, but it’s a must to fix the ones that are modeled to allow the most damaging attacks and the ones already exploited at other facilities.”

Miller said that the water sector is woefully underfunded and is considered by many to be one of the weakest when it comes to cybersecurity. “However, it is also one of the industries that have been consistent with cyber-informed engineering, creating systems that cannot cause catastrophic damages if they are hacked.”

Focus on key cybersecurity gaps overlooked in recent hearings

The executives share their views on any important aspects missing from the recent hearings that they want to address. They offer additional perspectives that they believe should be included for a comprehensive understanding of the cybersecurity landscape in the critical infrastructure sector.

Certainly, while ringing the alarm bell on threats is crucial, the next step is Congressional action, Capdevielle responded. “How will front-line defenders be empowered to take action based on the guidance coming from CISA and the FBI? By adding ‘defending against foreign nations’ state attacks’ to the burden of small-town operators trying to provide clean and safe drinking water, we’re asking for trouble.” 

He added, “We can’t expect them to do what some of the world’s most prestigious cybersecurity environments can’t even do, which is provide iron-clad defense against that level of adversary, both of which have demonstrated their capability to bypass highly regulated systems. We need funding for practical solutions that are actionable, leveraging existing capabilities of the crucial, yet under-resourced defenders.”

Seara said that there needs to be a more drastic shift towards cyber resilience to counter every security professional’s natural predisposition to focus on cybersecurity technology and tooling. “Cybersecurity will never be perfect, especially hard to tackle people-related risk and insider threats. And not all critical infrastructure will have the means to replace obsolete equipment or deploy advanced cybersecurity solutions to their fullest. We need to find venues to fund or finance these efforts, as some of the entities exposed are underfunded and understaffed. And their risk is everybody’s risk. Cyber risk in Critical Infrastructures is a community problem that requires a community solution.”

He added that cyber resilience must start with a thorough inventory of assets at risk, a 360-degree discovery of vulnerabilities, and quantification of the value at risk in monetary terms. “Mitigation strategies can then be evaluated and compared based on investment required and their potential to reduce risk. Then and only then can businesses prioritize their cybersecurity investment including the transfer of risk to third parties through cyber insurance.”

“There needs to be a larger investment in an end-to-end solution where cyber risk is managed as a business risk that should be quantified and managed like other business risks,” according to Seara. “This is why giving the tools to CISOs and technical staff to translate cyber risk in dollars with evidence-based reports that can be shared with the CFO and the board of directors is paramount.”

Miller said that he would have liked to hear specific tactics and behaviors from all of the adversarial parties in the mix: e.g., Iran, Russia, and North Korea. “Critical infrastructure companies need to know what to look for to be successful. Maybe not in a public setting, but something indicating that they will be working with industry to make this happen,” he added.

Impact of policy changes on critical infrastructure cybersecurity

The executives discuss the potential policies or regulations that may result from the committee hearings and examine how these can impact the cybersecurity resilience of the critical infrastructure sector. They also analyze the technological advancements or innovations that the sector should consider adopting in order to enhance its cybersecurity capabilities, taking into account the findings of the committees.

Capdevielle said that the focus needs to be on making sure the necessary funding and technologies are in place to defend critical infrastructure. “Many of these environments are using decades-old technologies, sometimes remotely accessible from the internet and usually vulnerable to threats. With this as our starting point, defending against (estimated) 100,000 hackers working for the CCP seems daunting.”

He added that “we should be talking about resilience both in cyberspace and the physical world. Since you can’t protect what you can’t see, adopting technology that helps critical infrastructure owners gain operational visibility and an accurate understanding of the assets in their environment is the first step to improving security.”

He further emphasized that there seems to be a significant disconnect between the warnings issued by CISA and the FBI last year and the actual response in the field.

Seara noted that tremendous progress has been made through the recent SEC cybersecurity regulation which took effect in December and requires great transparency from public entities on cyber incidents and cyber risk management. “This needs to be translated to non-public, often smaller entities with easy-to-use and deploy solutions bundled with a significant amount of training services.”

“The federal government has sponsored the development of CCE to reduce the potential for cyber threats to have catastrophic effects on critical infrastructure networks, even if they are attacked,” Atkins said. “This is achieved by identifying connections and access points that cyber actors could exploit, and then working with the asset owner to apply tailored mitigation strategies that enable digital process control while reducing or even eliminating vulnerabilities that malicious actors could exploit.”

“I do think that getting actuarial data from incidents will tell us what works and what doesn’t. I would like to couple that with a requirement for threat hunting and detection,” according to Miller. “This combination will give us information on how defensive measures are successful/unsuccessful as well as give us the capability to know.”
