US House Homeland Security subcommittee addresses OT threats, CISA’s role in securing OT

The U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection held a hearing on Tuesday to address threats to operational technology (OT) across critical infrastructure sectors, including the water sector, and to discuss the Cybersecurity and Infrastructure Security Agency’s (CISA) role in securing OT.

In his opening remarks, Andrew Garbarino, a Republican from New York and Chairman of the committee, outlined the importance of securing OT. “OT systems are responsible for controlling the reliable delivery of lifeline functions across the United States, including clean water and electricity. It is a national imperative to secure the foundational technology and infrastructure that underpins our Nation’s most critical functions,” he added.

“During my tenure on this Committee, we have made great strides to focus CISA’s efforts on securing OT,” according to Garbarino. “But given recent incidents we must revisit this topic to consider how Congress may further refine and strengthen CISA’s support to critical infrastructure owners and operators.”

Garbarino pointed out that in late 2023, “we saw the latest nefarious cyber activity against OT devices in multiple sectors, including water and wastewater systems, by Iranian-affiliated cyber actors. This malicious activity against Israeli programmable logic controllers, or PLCs, is unacceptable. I was glad to see the Treasury Department announce sanctions for six Iranian government officials late last week—this is the first step to holding these bad actors fully accountable.”

Unfortunately, this exploitation was not isolated to one sector, underscoring the risks associated with critical infrastructure interdependencies. Owners and operators across all sectors must raise the level of security for OT systems. Important first steps include following CISA’s guidance to change default passwords and disconnect OT systems from the internet.

“But in my conversations with owners and operators across sectors I learned that sometimes basic cyber hygiene principles for information technology, or IT, systems may not translate to OT systems,” Garbarino detailed. “Many OT systems rely on legacy equipment that owners and operators may not have the capacity to secure in the same way as traditional IT. Given this, CISA must update traditional IT guidance to reflect the realities of OT systems. I look forward to hearing from our private sector experts today on how this translation could be most impactful,” he added. 

“OT security requires a different mentality. It is unique from IT security. This is due to the nature of the physical environments and also because the threats that target them are different,” Robert M. Lee, CEO and co-founder at Dragos, said in his written testimony.

Lee added that applying all of the IT cybersecurity controls of a business to the OT networks would yield wasted resources and likely cause more disruption to the environment than all the state actors currently tracked combined. “Simply put, organizations should look to unique OT cybersecurity controls and then evaluate the IT cybersecurity controls based on what risk they reduce and, if so, the unique way they should be applied. Our communities cannot afford for companies to ‘gold plate’ the problem nor can they afford them to ignore it.”

“The threat has escalated dramatically,” said Charles Clancy, senior vice president and chief technology officer at MITRE. “The CCP’s primary targets are assessed to be energy, transportation, communications, and water infrastructure with the intent to destabilize quality of life systems.”

Clancy noted, “Much of the current policy debate is focused on incremental change that while all positive, can only move the needle so much. Better resourcing federal agencies involved in this ecosystem helps. More collaboration and information sharing helps. But not enough.”

“The scale of the threat requires critical infrastructure operators to prepare and respond more like they would to a major natural disaster,” according to Clancy. “They need to establish procedures to sever their control systems from the internet and practice disconnected operations. Continuity of operations plans are needed, and federal agencies should help wargame and exercise these functions, so when a CCP attack comes, we are prepared to operate through and literally keep the lights on.”

Clancy identified in his written testimony that “the water sector is perhaps the most under-resourced and disadvantaged among the lifeline sectors. In addition to preparing and practicing contingencies for a large-scale and enduring cyber conflict, there are plenty of more targeted things that could help improve cybersecurity and make China and Russia’s cyber exploitation efforts more difficult.”

He also pointed out that since U.S. President Joe Biden’s Executive Order 14028 released in May 2021, industrial capacity to generate and deliver software bills of material (SBOMs) has been improving. “Open-source software underpins most of the Internet and is also pervasive in OT networks. In most cases, this software has dubious supply chains, and critical infrastructure operators need tools to better manage this risk. One approach is to have OT vendors selling into the U.S. market provide SBOMs for their products to a clearinghouse that notifies them if a new vulnerability is disclosed that impacts their product,” Clancy added.

In closing, Clancy identified a considerable opportunity for EPA to step up, CISA and FBI to systematically engage across, and the network of security vendors to make it easier for everyone to coordinate. “But these modest reforms should be kept in context with the scale of the threat, and the limited amount of resources available to critical infrastructure operators, particularly in the water sector. We should urgently begin piloting, exercising, and preparing for contingency scenarios that require isolated operations across lifeline critical infrastructure sectors.”

Unlike other critical infrastructure sectors, to date, no dedicated funding has been appropriated to expedite technology upgrades at water systems with legacy OT systems, Kevin Morley, manager for federal relations at the American Water Works Association (AWWA), identified in his testimony. “While cybersecurity is one of many eligible activities within the State Revolving Fund (SRF) program, constraints on that program may not allow utilities to acquire the optimal cybersecurity support they need.”

He highlighted that if the water sector is truly a national security priority, “then it will need support to expedite technology transformations to address the digital divide in a manner that is not punitive and fulfills our shared commitment to the communities we serve.”

Morley added that collaboration with trusted partners like AWWA is a high-value force multiplying capability that should be maximized to address the national security risk cyber threats impose on drinking water and wastewater systems. “Drinking water and wastewater systems sustain our way of life and support public health, safety, and economic vitality. These systems are robust and resilient but, like all critical infrastructure entities, are not immune to cyber threats.” 

He added that in recognition of this threat, “AWWA has actively engaged our members, and the sector at large, in building cybersecurity awareness and providing resources to support the implementation of best practices.”

Another witness at Tuesday’s hearing, Marty Edwards, deputy chief technology officer for OT and Internet of Things at Tenable, cited the recent cyber attack on the Municipal Water Authority of Aliquippa, Pennsylvania, which was targeted through the exploitation of Unitronics’ programmable logic controllers (PLCs).

PLCs “are common tools utilized in the water and wastewater sectors. The exploitation of PLCs and similar OT systems are not new nor uncommon, but this set of attacks took advantage of direct internet accessibility, which enables control systems assets to be accessed remotely,” Edwards identified. “In a water or wastewater facility, PLCs are the literal brains of the operation. They are often programmed to do virtually all of the operational functions at a water treatment plant. When PLCs are compromised, threat actors can take control of motor and pump functions, and manipulate chemical settings. The effects on water quality and safety can be immediate or programmed to cause disruption at a future time.”

Edwards emphasized that attacks such as the one in Aliquippa, Pennsylvania, are largely due to poor cyber hygiene. “Bad actors can easily roam the internet in search of assets that still have the factory default password. Allowing for direct accessibility from the internet, default passwords, and a lack of authentication security is more than negligent; it is a failure of not only the asset owner but of the complete OT security environment.”

He said that Tenable recommends that Congress implement various policy objectives to strengthen the cybersecurity readiness of U.S. critical infrastructure. These objectives involve establishing baseline cybersecurity requirements or standards of care for critical infrastructure that are in line with CISA’s cross-sector Cybersecurity Performance Goals (CPGs), international standards, and the NIST CSF. These requirements should be based on effective cyber hygiene and preventive security practices.

Furthermore, it is crucial to prioritize substantial funding for programs and initiatives that aim to enhance OT security. This includes allocating resources for CISA Cyber Hygiene services to expand their offerings, such as conducting OT and IoT systems assessments. Additionally, funding should be allocated to CISA and FCEB agencies to effectively implement policy recommendations like BOD 22-01, BOD 23-01, and M-24-04. 

Moreover, it is essential to incorporate cybersecurity requirements into infrastructure grant funding. Congress should also ensure that CISA is adequately equipped to handle the vast amount of information shared by critical infrastructure entities as part of its oversight of CISA’s implementation of CIRCIA.

Edwards also recommends supporting the Joint Cyber Defense Collaborative (JCDC) and providing oversight of CISA to clarify roles and responsibilities of other public-private partnerships; improving the ICS cyber workforce by ensuring CISA implements the ICS cybersecurity training initiative; and requiring independent assessments of critical software to include OT and IoT.
