Top cybersecurity and critical infrastructure experts voiced concerns to lawmakers today at a House Homeland Security Subcommittee hearing that neither the government nor the private sector is doing enough to secure operational technology (OT) networks of critical infrastructure organizations.
The Subcommittee on Cybersecurity and Infrastructure Protection held its hearing on “Securing Operational Technology: A Deep Dive into the Water Sector” just days after House Energy and Commerce Committee members heard from utilities and trade group witnesses on how to get water infrastructure managers up to speed on cybersecurity best practices.
Witnesses at today’s hearing told lawmakers that the scale of the threat to critical infrastructure networks – including water facilities – requires more than incremental changes to systems and information sharing.
“Much of the current policy debate is focused on incremental change that while all positive, can only move the needle so much. Better resourcing federal agencies involved in this ecosystem helps. More collaboration and information sharing helps, but not enough,” Charles Clancy, senior vice president and chief technology officer at MITRE, said during the hearing.
“The scale of the threat requires critical infrastructure operators to prepare and respond more like they would to a major natural disaster,” he continued.
That kind of response, according to Clancy, would include water facility operators establishing procedures to sever their control systems from the internet and practicing functioning with disconnected operations.
He added that Federal agencies should help operators “war-game and exercise these functions, so when an … attack comes, we are prepared to operate through and literally keep the lights on.”
However, the water sector is highly fragmented, and many operators have limited resources and staff to devote to security. As a result, some water utilities have struggled to prioritize cybersecurity, and in turn, OT security, according to some of the witnesses.
“Today water utilities and other critical infrastructure organizations find themselves in the frontlines defending against both state actors and criminal groups. They face growing threats, most importantly to their OT or operational technology networks. These systems are the critical part of critical infrastructure,” said Dragos CEO and founder Robert Lee.
He explained to lawmakers that “our standard best practices are simply apply IT security controls to OT without considering whether or not they should be applied.” But there are fundamental differences between OT and IT networks, and this practice results in wasted resources and operational disruptions.
“OT security should focus on unique OT security controls and adopt IT security practices only when it makes sense,” Lee said.
Kevin Morley, manager of federal relations at the American Water Works Association, echoed Lee’s comments, adding that the difficulty that operators face is that IT systems have cycled through upgrades at a rate that has outpaced OT systems.
“This digital divide has stranded many utilities on legacy OT systems,” Morley said. “Funding that prioritizes and expedites technology upgrades to address legacy OT systems is necessary to overcome this digital divide.”
Lee also argued that securing critical infrastructure, such as water facilities, is not something private operators could do alone, and he said the partnership needs to be balanced for it to work effectively.
“The government must harmonize across frameworks and use an outcome-based approach that defines why they are concerned, what the outcome is that we are driving towards, and leave the ‘how’ to the private sector,” Lee said. “Simply stated, give us the requirements, not the answers.”
For Federal agencies, this means providing clear and consistent guidance to the industry and identifying specific requirements they need to support, such as realistic threat scenarios and opportunities to exercise them.
Morley also told lawmakers that in many cases what was needed was not extra cyber-related resources from Federal agencies, but a reorganization of current resources.
“We do not need new resources, we need to organize those that we already have in place in a manner that is more accessible to owners and operators,” Morley said.