Presidential advisory committee provides recommendations to improve critical infrastructure security.
Critical infrastructure in the U.S. faces a significantly heightened threat landscape. The importance of securing information technology (IT) and operational technology (OT) systems and their convergence has become a national security imperative. Successful OT attacks can impact human safety and damage physical equipment, taking offline for extended periods of time the critical processes that OT equipment supports.
Compromises of critical infrastructure IT, ICS and OT are happening with increasing frequency globally. Recent high-profile examples include:
Ukraine electric grid (2015, 2016)
Colonial Pipeline (2021)
Oldsmar, Florida water treatment plant (2021)
According to the Gartner® report “Predicts 2022: Cyber Physical Systems Security – Critical Infrastructure in Focus”, published in 11/17/21, “Attacks on organizations in critical infrastructure sectors have increased dramatically, from less than 10 in 2013 to almost 400 in 2020 – a 3,900% change.”
In light of this reality, the President’s National Security Telecommunications Advisory Committee (NSTAC) was tasked with developing a report to examine the key challenges of securing converged OT systems against threats that emerge from IT network connections and to identify emerging approaches to increase OT resiliency to these threats. I had the privilege of serving as the Chair for the NSTAC subcommittee that developed the report.
The NSTAC received more than 30 briefings from subject-matter experts, including government entities and policymakers; critical infrastructure owners and operators of converged IT/OT environments and original equipment manufacturers; and cloud service providers, integrators and cybersecurity vendors.
IT/OT cybersecurity has not been prioritized
The resulting report found that, as a nation, we have not yet prioritized securing these interconnected systems. This is despite the fact that IT/OT convergence is not new, and that we have the technology and knowledge to protect these systems.
Briefers noted that many organizations lack complete visibility into their OT environments, including IT/OT interconnections and supply chain dependencies. In addition, OT and IT personnel often operate in silos, negatively impacting coordination on security. And further exacerbating the challenge, requests for proposals and procurement vehicles for OT systems acquisitions in both the public and private sectors rarely include cybersecurity requirements.
Government has an opportunity to lead
The report includes 15 recommendations, which can help improve the security of converged IT/OT systems in both the public and private sectors. Among these, the report identified three recommendations, which can be implemented by President Biden to immediately improve the cybersecurity posture of OT systems that are owned and operated by the U.S. government, and to serve as a model for protecting privately owned critical infrastructure:
First, the Cybersecurity and Infrastructure Security Agency (CISA) should issue a Binding Operational Directive requiring executive civilian branch departments and agencies to maintain a real-time continuous inventory of all OT devices, software, systems and assets within their area of responsibility, including an understanding of any interconnectivity to other systems. Once federal agencies clearly understand the vast interconnected nature of their OT devices and infrastructure, they can then make risk-informed decisions about how to prioritize their IT, OT, and cybersecurity resources.
Second, CISA should develop guidance for procurement language for OT products and services and require the inclusion of risk-informed cybersecurity capabilities for products and services that support converged IT/OT environments, including for supply chain risk management. CISA should then work with the General Services Administration to require the inclusion of risk-informed cybersecurity capabilities in procurement vehicles for the federal government.
Finally, the National Security Council, CISA, and the Office of the National Cybersecurity Director should prioritize the development and implementation of interoperable, technology-neutral and vendor-agnostic information-sharing mechanisms to enable the real time sharing of sensitive collective-defense information between authorized stakeholders involved with securing the critical infrastructure of the U.S.
The cybersecurity threats to critical infrastructure are real. And yet, we are not helpless. We have the knowledge and capabilities necessary to materially improve our security posture. What we have lacked is the determination to put this knowledge and technology to use. It is time we started meeting IT/OT convergence with the sense of urgency it requires. Implementing the recommendations of the NSTAC report will help improve government and critical infrastructure IT/OT security, and will have significant positive downstream effects on the private sector.
More Stories
The AI Fix #30: ChatGPT reveals the devastating truth about Santa (Merry Christmas!)
In episode 30 of The AI Fix, AIs are caught lying to avoid being turned off, Apple’s AI flubs a...
US and Japan Blame North Korea for $308m Crypto Heist
A joint US-Japan alert attributed North Korean hackers with a May 2024 crypto heist worth $308m from Japan-based company DMM...
Spyware Maker NSO Group Found Liable for Hacking WhatsApp
A judge has found that NSO Group, maker of the Pegasus spyware, has violated the US Computer Fraud and Abuse...
Spyware Maker NSO Group Liable for WhatsApp User Hacks
A US judge has ruled in favor of WhatsApp in a long-running case against commercial spyware-maker NSO Group Read More
Major Biometric Data Farming Operation Uncovered
Researchers at iProov have discovered a dark web group compiling identity documents and biometric data to bypass KYC checks Read...
Ransomware Attack Exposes Data of 5.6 Million Ascension Patients
US healthcare giant Ascension revealed that 5.6 million individuals have had their personal, medical and financial information breached in a...