U.S. government officials are calling for better collaboration with private-sector companies when it comes to stomping out the core security issues that afflict critical infrastructure, which run the gambit from poor visibility into networks to a dearth of resources.
Rep. James Langevin (D-R.I.), chairman for the House Armed Services Subcommittee on Intelligence and Emerging Threats and Capabilities, which handles issues related to cybersecurity, said that tightened partnerships between the public and private sector will help the government understand the inherent security challenges that beset critical infrastructure companies and put real-time threat intelligence into better context.
“At the top of the agenda is creating a joint collaborative environment between the government and the private critical infrastructure sector, so that the left hand knows what the right hand is doing,” he said on Tuesday at Hack the Capitol 4.0, which brings together policymakers and technology experts to discuss underlying critical infrastructure security challenges.
The security of industrial control systems (ICS), utilized to operate or automate critical infrastructure, has long caused concerns - however, these worries have come to a head on the heels of several incidents, including an attacker accessing a Florida town’s water treatment system and attempting to raise the level of sodium hydroxide in the water to a dangerously high level; as well as several ransomware groups targeting industrial companies, including an attack last year on a U.S.-based natural gas facility that shut down operations for two days.
While ICS environments long existed in an isolated state, they are becoming increasingly connected to the network, opening an array of potential security holes - including exposure on the internet, weak network segregation and a lack of basic security controls like authentication. At the same time, the level of sophistication necessary for targeting ICS networks is decreasing. It’s not only nation state-level actors targeting critical infrastructure anymore, as seen when a 22-year-old man allegedly attempted to access a Kansas public water system’s computers in order to tamper with its disinfectant levels in 2019.
“The track record is clear - there will still be rogue actors and nation states in the mix,” said Chris Inglis, the former deputy director of the National Security Agency (NSA), who has been nominated by the Biden administration to serve as the first National Cyber Director. “We don’t operate in a vacuum in this. Cybercriminals will come at us - we don’t have the luxury of asking them to freeze in place.”
“I hope CISA can strengthen its bonds and create relationships with non-vendor, non-federal hunters to look at federal and state systems."
The government has recently been honing in on critical infrastructure and ICS security, with the NSA releasing an advisory outlining steps for companies to stop malicious cyber activity against connected operational technology (OT), the hardware and software that monitors industrial equipment in order to detect or cause changes. At a higher level, the Biden administration has announced the development of a 100-day plan with the goal of protecting the electric grid against cyberattacks, which a spokesperson said is “a pilot of the administration’s broader cybersecurity initiative planned for multiple critical infrastructure sectors.”
Langevin stressed that strengthening the Cybersecurity and Infrastructure Security Agency (CISA) is a key recommendation in addressing the serious visibility gaps in OT going forward. While the Biden administration in April proposed a budget of over $2.1 billion for CISA in fiscal year 2022 - around $110 million more than it was allocated in fiscal year 2021 - Langevin advocates for allocating at least $400 million in additional funding to CISA’s budget in fiscal year 2022, arguing that the agency needs to be “resourced properly” in order to help protect OT.
However, beyond budgetary initiatives and security advisories, an increased level of collaboration is also needed, said Langevin. He noted that the government has taken the first steps in ramping up teamwork between the private and public sectors with the implementation of Sector Risk Management Agencies. These agencies are designated to 16 critical infrastructure sectors - including healthcare, water, energy and more - and serve as a way for critical infrastructure owners and operators to collaborate with federal departments and agencies.
This necessary cooperation also applies to CISA, with Langevin encouraging the agency to bring in security researchers in residence, as well as work with third-party partners in addressing OT concerns.
“I hope CISA can strengthen its bonds and create relationships with non-vendor, non-federal hunters to look at federal and state systems,” he said.
“The government’s problem is that it doesn’t do a good job speaking the language of the business - what do you need to do, and why do you need to do it - and that piece needs to happen as part of the larger discussion.”
This heightened level of collaboration will help the government better understand how to approach defensive and offensive strategies when it comes to ICS security. David Weinstein, an associate partner with McKinsey & Company where he specializes in cybersecurity, said that it’s risky to apply existing IT strategies utilized by the government to OT. Some of these existing strategies “don’t account for the nuances of OT network, and it’s a night and day comparison,” he said. “IT and OT couldn’t be more different in their design, use and security.”
For instance, ICS may throw a wrench into the technicalities behind the concept of defending forward. This concept, initially articulated in the 2018 Department of Defense Cyber Strategy, calls for actively going head-to-head with adversaries by disrupting their capabilities to conduct cyberattacks. This means both blocking cyberattacks as well as building “more lethal” cyber capabilities. But when it comes to defending forward for ICS, “the devil’s in the details,” said Marie O’Neill Sciarrone, CEO of Tribal Tech. For instance, “meaty policy questions” relating to cyber - such as how enemies are defined, or how malicious intent is defined - are often left undiscussed, she said. One big challenge of defending forward as it relates to ICS is the level of risk and reward associated with the concept.
“With the industrial control system environment being physical infrastructure, it creates a unique question around the impact,” said Sciarrone. “If you decide to defend forward, what happens? What are the unknown consequences of those actions? You need to be careful with what you decide to do... because this isn’t traditional warfare where you fire a bullet and it’s gone... it can ricochet back to you.”
Weinstein, instead, pointed to the need for more of a deterrence strategy for blocking nation state actors from accessing ICS environments.
“We’re not doing enough blocking and tackling to reach those actors,” he said. “A deterrence strategy would go hand-in-hand with what the industry is doing to protect their networks, and make it...harder and more costly for criminals to access those systems.”
Overall, experts on the technology side say that the government needs to do a better job understanding the inherent challenges that OT teams face at the day-to-day level - including limited resources and personnel. Sciarrone said that the private sector wants to hear actionable information that specifically relates to the cost center.
“At the end of the day, the government doesn’t control infrastructure - the private sector does,” said Sciarrone. “The government’s problem is that it doesn’t do a good job speaking the language of the business - what do you need to do, and why do you need to do it - and that piece needs to happen as part of the larger discussion.”