While there is a “change in attitude” regarding securing operational technology (OT) to underpin critical infrastructure such as manufacturing plants and utilities, the federal government still has a strong focus on small businesses working with limited resources. We are working on issues that target our efforts toward Security is built into current OT investments.
Over the past year, the Biden administration has spearheaded several initiatives aimed at making industrial control systems (ICS) safer. This includes the National Security Memorandum passed last July. Standards and Technology (NIST) has developed a number of security he performance targets for the critical infrastructure sector. But at Thursday’s hearing, “Building on our Baseline: Securing Industrial Control Systems against Cyberattacks,” government officials said the further security improvements needed at ground level to protect critical infrastructure environments. and discussed the particularly complex challenge of incorporating security into the design of OT systems. .
Yvette Clarke, Democrat-New York, Chair of the Cybersecurity, Infrastructure Protection and Innovation Subcommittee, said: “We rely on industrial control systems and other operational technologies (OT) to power our homes, ensure clean drinking water, and perform health, safety, and a myriad of other functions essential to life. We secure services, yet the question of how to secure these critical OT systems tends to take a backseat to traditional IT security.”
CISA has led many of the critical infrastructure security efforts at the federal level. In April, we expanded the Joint Cyber Defense Collaborative (JCDC) – an agency effort to develop cyber defense plans in both public and private sector entities – to focus on ICS security. with a new partner. The agency is also working to finalize the performance targets required by the national security memorandum, according to his assistant director of cybersecurity, Eric Goldstein, CISA’s executive for cybersecurity at the hearing. These goals extend the existing NIST Cybersecurity Framework (a standard for building and evaluating cybersecurity programs) to identify critical IT and OT system controls that are It has a known risk reduction value that can be applied.”
“We need to find ways to educate the people who are engineering and building the systems and the components of those systems. there is.”
Despite these efforts, Clarke and others stressed the need for greater cooperation between federal agencies and critical infrastructure operators to keep sectors like the power grid, water, and gas safer for the Biden administration. reiterated the need he had previously stressed.
“We believe these baseline standards have the potential to reshape the OT security landscape. It won’t be a target,” Clark stressed.
When asked how CISA communicates with smaller organizations and utilities, Goldstein said CISA is working to build better partnerships with local critical infrastructure organizations and utilities. It said it was expanding its regional offices, but admitted that it is now “asymmetrical across sectors.”
“There are sectors like the energy sector where there are many small power cooperatives and local governments,” says Goldstein. “I think CISA’s work with the Department of Energy has played an important role in understanding risk and controls. And we have work to do to identify all possible means of communication and collaboration.”
While high-profile critical infrastructure attacks like the colonial pipeline hack are only recent, security challenges in the OT space have long been debated. OT devices are very different from IT devices, which affects the methods and levels of security. Because IT is actively managed, it’s easy to install the regular patches needed to fix critical security flaws. For example, the critical nature of OT devices means that their downtime has a much greater impact and adds complexity to any kind of update. or exchange.
Vergle Gipson, senior advisor at the Idaho National Laboratory, said there are other design issues that make security and management of OT devices more complex. For example, IT infrastructure refresh cycles require devices to be upgraded every few years, whereas OT is designed to last for decades, and many devices have no need for strong cybersecurity defenses. It was built at least 20 years ago, long before it was even discussed. Educating the people currently building and designing these systems is his one key opportunity to improve security, he said.
“This is a huge opportunity for us in the United States. Much of our existing infrastructure cannot be protected from a cyber perspective, so we are upgrading and replacing our infrastructure so that it can be cyber-safe and defensible.” It’s a great opportunity to start at the design stage,” says Gipson. “We need to find ways to educate the people who are engineering and building the systems and the components of those systems. there is.”