Homeland Security Committee conducts hearing, examines federal efforts on building ICS security against cyberattacks
The Subcommittee on Cybersecurity, Infrastructure Protection & Innovation held a hearing this week to examine federal efforts to strengthen the security of industrial control systems (ICS) and operational technology (OT), which support industrial functions that underpin critical infrastructure. The hearing provided witnesses with an opportunity to discuss how the Cybersecurity and Infrastructure Security Agency (CISA) is working to grow and mature its existing ICS security programs in partnership with Idaho National Laboratory, how it is developing voluntary security guidelines for ICS operators, and how Congress can support such efforts.
The witnesses at Thursday’s hearing were Eric Goldstein, executive assistant director at CISA, and Vergle Gipson, senior advisor for the cybercore integration center at Idaho National Laboratory, U.S. Department of Energy.
Rep. Yvette D. Clarke, a Democrat from New York and chairwoman of the Cybersecurity, Infrastructure Protection, & Innovation Subcommittee raised questions about how the security of these critical OT systems tends to take a backseat to traditional IT security. “That is simply not an option in today’s threat landscape – as OT grows increasingly connected to the internet, is more integrated with IT systems, and becomes a far more attractive target for cyber criminals and our adversaries,” she wrote in her statement.
Clarke assessed that in an industrial environment, the risk of a cyber compromise is not limited to stolen customer data or reputational harm to a company. “The consequences can be deadly. An OT disruption could hurt our communities, our economy, and even our national security. And yet, in a recent report, the National Telecommunications Security Advisory Committee, or NSTAC, found that our ‘biggest gap’ in industrial cybersecurity is our ‘lack of urgency,’” she added.
Last July, U.S. President Joe Biden formalized an ICS Cybersecurity Initiative in a National Security Memorandum on Improving Control System Security. The Memorandum also directed the CISA to work with NIST on a set of cybersecurity performance goals to serve as clear guidance to operators about the level of security ‘the American people can trust and should expect for such essential services.’
Clarke wrote that the statement reflects a commitment to three principles that should underpin the federal approach to OT security. “First, the American people are entitled to trust that the services they have grown to rely on meet a reasonable, baseline standard of security and resilience. Second, critical infrastructure operators have a responsibility to earn and maintain the trust of the American people. And finally, the Federal government has a responsibility to bring its expertise, convening power, and resources to bear in support of this effort.”
“In this Subcommittee, we often talk about the need to meet sectors where they are – recognizing their different security postures, resources, and expertise. That applies here as well,” Clarke wrote. “We need to do everything we can to make sure that efforts like the ICS sprints and the performance goals are designed to benefit all stakeholders – not just the most sophisticated. That will require the Administration to identify lessons learned, and apply them – for instance, to the upcoming chemical sector sprint. Finally, as we’re shoring up these programs and ICS investments, I also want to hear how we’re investing in our ICS security workforce – and doing so in a way that fosters diversity,” she added.
Bennie G. Thompson, a Democrat from Mississippi and chairman of the Committee on Homeland Security, wrote in his statement that as the Committee continues its oversight of the federal government’s ICS security efforts, “we are learning that stakeholders are eager to partner -provided that the government is collaborative and transparent. Toward that end, I have three goals for this hearing.”
“First, I am interested in knowing what support CISA has provided to the City of Jackson during the water crisis – including in helping the City understand the cascading effects of being without water,” Thompson wrote. “Second, I want to understand what CISA learned about the cybersecurity posture of the water sector through the ICS cybersecurity sprint, and what resources CISA brought to bear as it collaborated with the Environmental Protection Agency. Finally, I am interested in learning how CISA is encouraging ICS owners and operators to prioritize cybersecurity and resilience and invest in it accordingly,” he added.
Thompson said he supports the development of voluntary security guidelines, “but they will only make us more secure if the private sector agrees to implement them. There are certain things the public should be able to rely on. Being able to drink the water coming out of the faucet is one of those things. If we are going to rely on voluntary security goals to protect ICS from cyberattacks, we must ensure that stakeholders are incentivized and able to implement them,” he added.
In his testimony, Goldstein said that the CISA serves as a trusted partner within the ICS and OT ecosystem to provide information, guidance, and capabilities that enable faster and more scalable reduction of risks facing ICS and OT assets. “Our goal is to meet the unique requirements of the ICS and OT community by continuously evaluating and improving our capabilities to support the areas of greatest need, recognizing that many ICS and OT environments require approaches and solutions that differ from traditional Information Technology environments,” he added.
He highlighted that in April, the CISA expanded the Joint Cyber Defense Collaborative (JCDC) to focus on ICS security and brought in new partners to help lead this important work. Through the creation of focused collaboration channels, the JCDC-ICS is positioned to quickly share, analyze, and enrich information about threats and vulnerabilities affecting ICS assets. Additionally, the JCDC-ICS initiative catalyzed a new planning effort intended to expedite collaboration across the ICS ecosystem, bringing together government, critical infrastructure operators, ICS vendors, and ICS security providers with unprecedented cohesion and scale.
Goldstein pointed out that the CISA collaboratively develops trusted information to help organizations more effectively mitigate vulnerabilities. “To gain deeper visibility into particular sectors, we are partnering with a small number of ICS security companies to give our analysts the ability to determine whether a given threat has been seen before, while preserving anonymity of the security companies’ customers,” he added.
“Finally, for select critical infrastructure entities, we provide access to our CyberSentry program,” Goldstein wrote. “CyberSentry is a CISA-managed threat detection and monitoring program that allows our analysts to directly detect attempts to compromise critical ICS networks. Through a strategic and narrow deployment, CyberSentry leverages sensitive data to provide enhanced visibility that can be used by CISA and our partners to better defend critical infrastructure networks,” he added.
INL’s Gipson provided in his testimony certain recommendations to address some of the most critical research and capability gaps surrounding ICS. He suggested creating an ICS cybersecurity Center of Excellence, which would serve as a focal point for increased information sharing among a community of practice that includes government, industry, academia, and other national laboratories; create a vehicle for further investments in cybersecurity research and development; and advance the science of securing operational technology to stay ahead of our cyber adversaries’ rapidly evolving tactics.
Gipson also suggested directing research to mature Cyber Informed Engineering (CIE) which encourages addressing cybersecurity issues early in the design lifecycle of engineered systems to reduce cyber risks. “The Secretary of Energy recently released a National Cyber Informed Engineering Strategy focused on the energy sector that could be expanded to address all U.S. critical infrastructure,” he added.
He also suggested the expansion of INL cyber-physical test environments to support the development of cyber risk mitigations. The expansion would enable the research and development of mitigation strategies, the analysis of product and system vulnerabilities, the understanding of emerging adversary tactics, and other cybersecurity efforts reliant on representative test environments.
Furthermore, the expansion should include the addition of full-scale, sector-specific, cyber-physical test environments for priority infrastructure systems, including water and wastewater, transportation, oil and natural gas, and critical manufacturing.
Last month, the CISA said that upgrading ICS systems to post-quantum cryptography will be a challenge, as deployed cryptography-dependent ICS hardware is costly, and the associated equipment is often geographically dispersed. It further urged ICS organizations to ensure that their hardware replacement cycles and cybersecurity risk management strategies account for actions to address risks from quantum computing capabilities.
Related
