Analysis
Attacks and Vulnerabilities
Critical infrastructure
News
Regulation, Standards and Compliance

New cybersecurity standards coming to communications, water, and healthcare sectors, Neuberger reveals

October 17, 2022
2022.10.17 New cybersecurity standards coming to communications, water, and healthcare sectors, Neuberger reveals

As the administration of U.S. President Joe Biden works towards securing cyberspace and strengthening American critical infrastructure, Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging threats, confirmed that the communications, water, and healthcare sectors are looking at new cybersecurity standards. 

Neuberger said Thursday at a Washington Post Live event that the communications sector might be the next critical infrastructure sector looking at new standards, as “the FCC issuing a public notice regarding a rulemaking for emergency and public warning systems.”

Last month, FCC Chairwoman Jessica Rosenworcel proposed action to bolster the security of the nation’s public alert and warning systems, the Emergency Alert System and Wireless Emergency Alerts. These systems warn the public about emergencies through alerts on their televisions, radios, and wireless phones. 

The next sector, according to Neuberger, will be “Water. Again, a creative approach the EPA will be using‑‑a thank‑you and a shout‑out to Michael Regan and Janet McCabe at EPA‑‑who are taking the approach to say an existing legislation that calls for the safety and security of water that includes cybersecurity as well.”

The announcement comes as the Environmental Protection Agency (EPA) recently presented a document covering a cybersecurity support plan for public water systems (PWSs) to Congress. The plan looks into the methodology to identify specific PWSs for which cybersecurity support should be prioritized, in addition to prescribing timelines for making voluntary technical support for cybersecurity available to specific PWSs. 

The Russian-based Cl0p ransomware hacker group targeted the water sector that breached water systems at the U.K. water supply company South Staffordshire in mid-August. Coming in the middle of one of the worst droughts the U.K. has faced, the cyber attack demonstrates that very little has changed since last year’s remote access cyber attack at the Oldsmar, Florida, water treatment plant.

Neuberger lists the healthcare sector next, with “HHS coming out, beginning to work with partners at hospitals to put in place minimum cybersecurity guidelines and then further work upcoming thereafter on devices and broader health care as well,” she adds.

Organizations in the healthcare and public health sectors have been facing an increasing number of ransomware attacks, often leaving hospital networks vulnerable. With these adversaries lurking around in the OT/IoT environments, they have become considerably more capable of executing significant attacks at scale while also taking advantage of the growing success of the ransomware-as-a-service (RaaS) model.

Regarding the U.S. being slow in the regulatory arena, Neuberger acknowledges that the nation has been “pretty much last in the race on putting in place standards for critical infrastructure among our peers.” 

The European Union put in place its first requirements for critical infrastructure several years ago, Neuberger observed. “There’s a second version that updates in a draft. Australia passed legislation, as you know, this past summer that puts in place standards for critical infrastructure and expectations for technology as well, and I want to talk about the technology aspect as well.” 

Neuberger also said that at the beginning of the President’s administration, “we began with innovative public‑private partnerships focused on industrial control systems, since that’s been an increasing area of focus, given the potential to disrupt an actual control system.” 

Then came the Colonial Pipeline attack, “and the Transportation Security Administration, you know, does not have in place a standard for whatever expectations are for the cybersecurity of their networks,” Neuberger said. 

“So, following that‑‑and a credit really to Secretary Mayorkas’ DHS’s leadership, David Pekoske, the Transportation Security Administrator’s leadership, we did a rapid review of existing authorities, and we saw that TSA had emergency authorities to mandate minimum cybersecurity thresholds for the sectors it oversees, which are the transportation sector, which as you noted has five key subsectors‑‑aviation, maritime, rail, oil and gas pipelines,” according to Neuberger. “And TSA began issuing a security directive that summer for oil and gas pipelines. They learned, you know, when that first was issued, companies quickly said, you know, “What’s going on?” she adds.

So as a foundational step, it had to be bringing in executives from the sector, giving them a classified threat brief, so they were operating off the same information as the government and truly became a partner, Neuberger said.

“So TSA came to us in the White House and said it would be very helpful if we brought these executives together, provided them a classified threat briefing, and explained to them the context of the kinds of threats they face, much as you asked me in our first question,” Neuberger said. “We brought them in, and TSA adjusted their security guidelines based on a back‑and‑forth with the sector and then used that model for the next, as you noted, for rail.”

TSA identified 57 rail entities, 104 air entities, whether airports, airlines, or cargo airlines, brought them in, gave them a threat brief and issued a security directive, and then refined the security directive as well, according to Neuberger. “So you’ll be seeing shortly, very soon, an updated rail directive based on those interactions‑‑the first one was issued in December of ’21‑‑and shortly as well an updated aviation directive, the first one issued last November and updated this winter as well with these interactions. And that gives us confidence in what are the minimum cybersecurity standards in place,” she adds.

Addressing whether there are sectors that will have to turn to Congress for authorities to impose standards, Neuberger said “looking across the‑‑there are 14 critical sectors with another five subsectors like I mentioned transportation. Across them, there’s really three categories. In some cases, like I noted in transportation, there are adequate authorities to put in place those minimum cybersecurity guidelines; for others like EPA, creative interpretations that say clearly safety and security means cybersecurity as well.” 

“And, finally, for some, like critical manufacturing or DHS’s emergency services or information technology, there are no authorities, and we’re looking carefully at those to say what is needed in this space and how do we approach this,” she adds.

Looking at the ransomware issue that has affected countries across sectors, Neuberger said that criminals are really taking a toll, disrupting critical services around the world. 

“We saw Costa Rica, significant impact, really disrupting their government’s operations via what we believe is a Russian criminal ransomware group, Montenegro more recently, hospitals in France and England, hospital chains in the United States, and certainly, over Labor Day weekend, we surged support from the federal government to ensure the L.A. school district could rapidly recover and open schools Tuesday morning.”

“So ransomware, criminal use of vulnerabilities in technology, and harnessing that is a major‑‑is a major global worry, and as such, we saw the opportunity for the U.S. to lead by bringing partners in around the world, both to build capacity in areas like how do you do block chain analysis so that if a criminal is being paid via the blockchain, we can rapidly identify the wallet and work to recover the funds, work to trace it to who the criminal entity is,” she adds.

In the context of the midterm elections coming up in less than a month, Neuberger addressed the broader geopolitical context and the uptick of malicious cyber activity from major adversaries such as Russia, China, North Korea, and Iran. 

“Following Russia’s invasion of Ukraine and the run‑up, we warned about the threat, given Russia in the past has used cyberattacks to coerce foreign governments, to undermine populations, and that is certainly a threat we’re increasingly concerned about,” Neuberger said. “We’ve watched Russia use destructive capabilities against Ukraine as part of their initial invasion. Our expectation that there would be additional Russian cyberattacks hasn’t necessarily panned out, but we still believe they have the capabilities to do so, and that’s a call to responsibility for us as Americans, as individuals, as the private sector, as the government to double‑down on addressing our defenses.”

Neuberger adds that from gaining funds through cyberattacks, North Korea is a surprisingly innovative and capable adversary. “Hacking specifically the cryptocurrency infrastructure in novel ways to glean large amounts of funds‑‑when I say large amounts of funds, for example, I’ll point to a hack against a particular cryptocurrency platform that gleaned at the time $600 million in crypto. So that is an area we’ve put a lot of focus.”

The Biden administration has put a lot of focus on really looking to see “how do we make it costlier, riskier, and harder for North Korea to fund its weapons program, its missiles program via hacking of cryptocurrency infrastructure,” according to Neuberger.

She says Iran remains a capable cyber threat. “Iran remains an entity that continues to undermine the Middle East, and cyber is certainly a tool in its toolkit.”

“And, of course, we’re continuously focused on China, which we believe has a very well‑funded program primarily focused on intellectual property theft, affecting countries around the world, but also really gaining access to critical infrastructure, which we fear could be used in the future to coerce or undermine governments,” Neuberger said.

Neuberger’s comments come as the Biden-Harris administration announced last week a ‘relentless focus’ on improving the nation’s cyber defenses, building a comprehensive approach to ‘lock our digital doors’ and carry out aggressive action to strengthen and safeguard its cybersecurity. Earlier, President Biden released a proclamation on the occasion of cybersecurity awareness month to highlight the importance of safeguarding the nation’s critical infrastructure from the malicious cyber activity and protecting citizens and businesses from ransomware and other attacks.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Securing cloud, IIoT in Industry 4.0 emerges crucial for protecting industrial operations across OT/ICS environments
Through the Lens of a Case Study: What It Takes to Be a Cyber-Physical Risk Analyst
Through the Lens of a Case Study: What It Takes to Be a Cyber-Physical Risk Analyst
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights