Recent efforts by the U.S. Cybersecurity and Infrastructure Agency, combined with significant bills coming out of the House and Senate, are putting critical infrastructure operators on a path towards achieving cross-sector visibility and strong operational technology security.
Nearly six months ago, the global coronavirus pandemic necessitated a massive, sudden pivot to remote work. Organizations and industries that never planned to enable employees to work from home found themselves scrambling to adapt. That pivot came with cybersecurity ramifications, forcing organizations to reevaluate their threat landscape and risk environment. For critical infrastructure owners and operators in sectors such as healthcare, communications, defense and energy the shift to remote work was particularly concerning.
For instance, during this time, the pharmaceutical industry has been hard at work to develop treatments and vaccines for COVID-19, the illness caused by the novel coronavirus — a key step towards a return to normal. But as organizations focused on this work, bad actors, foreign adversaries and criminal organizations have stepped up cyberattacks against the industry. The risks of an attack on the development, manufacture and distribution of a vaccine pose significant national security, economic and societal dangers that put the importance of secure critical infrastructure into perspective.
In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) has been working to protect federal and critical infrastructure IT systems from exploitation by malicious actors during COVID-19. But even before the pandemic, CISA had been working to secure industrial control systems (ICS) connected to critical infrastructure, including commercial manufacturing plants. In July, CISA released its ICS Strategy, which calls for empowering and educating ICS operators to secure their operations against cyberthreats. This is key: Operators from all sectors need tools, resources and expertise to defend themselves using basic cyber hygiene and vulnerability management practices. Galvanizing the ICS community to work across sectors and with government agencies will have a tangible impact on their security posture. CISA is leading the way in that plan.
But cyber hygiene and vulnerability management aren't enough to completely mitigate today's advanced threats. We also need cross-sector visibility and strong overall OT security and collaboration to help manage threats. CISA is currently in the process of refreshing the National Infrastructure Protection Plan, which was last updated in 2013. CISA is engaging with public and private stakeholders across all critical infrastructure sectors and from all levels of government in the update to this plan. Cross sector collaboration should be a key feature in the updated plan. In the instance of grid security, electric utilities should work together, not against each other, on security. Pharmaceutical companies should be sharing best practices to keep COVID-19 vaccine information and manufacturing plants secure.
CISA has also released cybersecurity best practices through its Cyber Essentials toolkits series. The most recent release, Essential Elements: Your Systems, leads with the essential action of learning what is on your network. This inventory of hardware and software assets is crucial because an organization's security team can't effectively protect connected assets if it's unaware of their existence.
As I noted in August during a webinar with Barak Perelman, Tenable's VP of OT Security, several of the security issues for critical infrastructure industries right now stem from a lack of awareness, and many OT operators don't know where to start. These measures will help to bridge that gap.
While CISA makes important strides on OT security through the agency process, Congress is also keenly aware of the threat. The Senate is working on the American Energy Innovation Act, which contains several provisions, including the PROTECT Act, the Enhancing Grid Security through Public-Private Partnership Act and the Energy Cybersecurity Act, that would help make significant strides towards securing the electric grid and the nation's energy infrastructure. Here's a closer look at some of these recent efforts:
- The PROTECT Act, introduced by Sens. Lisa Murkowski (R-Alaska) and Joe Manchin (D-W.Va.), would establish a grant program within the Department of Energy (DOE) to help improve the cyber defenses of rural electric cooperatives — which are among our most vulnerable electric infrastructure — giving cooperatives the support they need to make vital cyber improvements. The act would also direct the Federal Energy Regulatory Commission (FERC) to use rate incentives to encourage electric utilities to invest in cybersecurity.
- The Enhancing Grid Security through Public-Private Partnership Act, introduced by Sens. Cory Gardner (R-Colo.) and Michael Bennet (D-Colo.) in the Senate, and Reps. Jerry McNerney (D-Calif.) and Bob Latta (R-Ohio) in the House, would give DOE the authority to provide cybersecurity assistance through a public-private partnership to resource-constrained electric utilities by providing tools for self-assessment, sharing of best practices and assistance with threat assessments and training.
- The Energy Cybersecurity Act, introduced by Sens. Maria Cantwell (D-Wash.) and Martin Heinrich (D-N.M.), directs DOE to develop advanced cybersecurity applications and technologies for the energy sector through advancing the security of field devices and third-party control systems. DOE engagement with other appropriate federal agencies, the national laboratories and with industry stakeholders is a key component of this legislation.
In addition to the above measures, the House is currently considering the Clean Economy Jobs and Innovation Act, which includes cybersecurity provisions associated with electric grid modernization, smart buildings and smart manufacturing. It also incorporates cybersecurity research and development legislation sponsored by Reps. Ami Bera (D-Calif.) and Randy Weber (R-Texas), including important sections on grid resilience and vulnerability testing to improve energy sector cybersecurity.
This agency work and these aforementioned bills coming out of the House and Senate are all important and thoughtful steps towards securing the nation's energy infrastructure, but we shouldn't stop innovating and improving. For instance, energy cybersecurity legislation should require DOE to work closely with CISA on interoperable information sharing.
The American Energy Innovation Act and the Clean Economy Jobs and Innovation Act have several vital energy cybersecurity components and Congress should work quickly to further refine and pass this legislation.
As Perelman noted in our discussion last month, 15 years ago, we had to convince people that the threat to the electric grid was real. Now, Congress is taking important steps towards securing our OT infrastructure. I look forward to working with my colleagues and government partners on this important issue as industry co-chair of the Control Systems Working Group (CSWG). In this role, I'm thrilled to help develop the CSWG's strategy and work with industry and government stakeholders to implement our plans for collaboration and information sharing across sectors and fields to improve OT security and ensure we have a strong critical infrastructure foundation for years to come.
- View the webinar: Expert Advice - What You Need to Know: CISA/NSA Alert AA20-205A for OT Systems
- Read the blogs: