
Tenable Blog


You Can't Modernize Critical Infrastructure Without Cybersecurity


Will bipartisan legislation in the U.S. make securing IT and operational technology a priority?

U.S. lawmakers have an unprecedented opportunity to vastly improve the cybersecurity posture of the nation's critical infrastructure this week as they negotiate a massive infrastructure package. The bipartisan legislation aims to transform and modernize the nation's infrastructure for generations to come — but only if it prioritizes cybersecurity of the IT and operational technology (OT) upon which such facilities rely. 

Unfortunately, many lawmakers still seem unclear about how ransomware attacks against operators of critical infrastructure, such as the recent hacks of Colonial Pipeline and JBS, could undermine any such modernization efforts. Without clear, strong language addressing cybersecurity, we believe any such legislation would fall short. Criminal groups, foreign adversaries and even lone hackers have shown a strong appetite to target everything from the pipelines that carry fuel to the meatpacking facilities that provide food and even the water treatment plants that supply our most basic needs. And they're making use of flaws in IT and OT technologies in order to accomplish their goals.

As the White House and lawmakers debate the Bipartisan Infrastructure Framework, its scope and what should be considered "infrastructure," cybersecurity must be prioritized. Any legislation should, at a base level, require any infrastructure project receiving funding from the infrastructure plan to assess its cybersecurity risk, identify gaps and outline a plan to address those gaps through cybersecurity risk mitigation practices and technology.

For example, if a state wants to use funding from the legislation to modernize a water treatment plant, or a municipality wants to acquire smart cities capabilities, or a power utility wants to deploy new technologies in its facilities, they must first show their cybersecurity plans. This should not be controversial — why spend money upgrading the backbone of our society if we're going to leave the door open for digital adversaries? Why update the power grid to be able to handle more extreme weather, only for it to be taken down by hackers instead?

Cybersecurity standards for critical infrastructure

Any infrastructure legislation should also provide guidelines for how to secure our critical infrastructure systems. Anne Neuberger, White House deputy national security advisor for cyber and emerging technology, was spot on when she called out the need for basic cyber hygiene practices in a recent memo to organizations across the country.

Lawmakers debating the current package can look to the Senate Committee on Energy and Natural Resources for ways to guide infrastructure operators. Section 1106 of the Senate Committee on Energy and Natural Resources energy infrastructure bill allows the secretary of energy to require recipients of grants or funding under the bill to submit a cybersecurity plan. Such cybersecurity plans are required to:

  • Outline how the recipient will maintain and improve cybersecurity throughout the life of the project;
  • Demonstrate how the recipient plans to maintain cybersecurity between the networks, systems, devices, applications or components within the proposed solution and at external interfaces; and
  • Indicate how the recipient will leverage applicable cybersecurity programs of the department, including cyber vulnerability testing.

Section 1106 also calls on funding recipients to maximize the use of open guidance and standards, including the Department of Energy Cybersecurity Capability Maturity Model and the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity.

These are excellent provisions and Tenable urges Secretary of Energy Jennifer Granholm to leverage this authority to drive stronger cybersecurity outcomes across the energy sector. The same provisions should apply to the nation's other critical infrastructure sectors as well.

What we need from the upcoming infrastructure modernization package is, at its core, quite simple: language requiring any organization providing these essential services to focus on the cybersecurity basics — including cyber risk assessments, asset management and vulnerability prioritization. Anything less would be negligent.

We recognize the details of critical infrastructure security are complex and unique. We believe this legislation presents a vital, common-sense place to start, as Congress works towards a final infrastructure plan. While our nation's electric grid and other critical infrastructure facilities are in dire need of physical updates, leaving them open to the barrage of cyberattacks is simply not an option. Congress must include cybersecurity provisions and requirements as it finalizes its infrastructure modernization plan.
