You Can't Modernize Critical Infrastructure Without Cybersecurity
Will bipartisan legislation in the U.S. make securing IT and operational technology a priority?
U.S. lawmakers have an unprecedented opportunity to vastly improve the cybersecurity posture of the nation's critical infrastructure this week as they negotiate a massive infrastructure package. The bipartisan legislation aims to transform and modernize the nation's infrastructure for generations to come — but only if it prioritizes cybersecurity of the IT and operational technology (OT) upon which such facilities rely.
Unfortunately, many lawmakers still seem unclear about how ransomware attacks against operators of critical infrastructure, such as the recent hacks of Colonial Pipeline and JBS, could undermine any such modernization efforts. Without clear, strong language addressing cybersecurity, we believe any such legislation would fall short. Criminal groups, foreign adversaries and even lone hackers have shown a strong appetite to target everything from the pipelines that carry fuel to the meatpacking facilities that provide food and even the water treatment plants that supply our most basic needs. And they're making use of flaws in IT and OT technologies in order to accomplish their goals.
As the White House and lawmakers debate the Bipartisan Infrastructure Framework, its scope and what should be considered "infrastructure," cybersecurity must be prioritized. Any legislation should, at a base level, require any infrastructure project receiving funding from the infrastructure plan to assess its cybersecurity risk, identify gaps and outline a plan to address those gaps through cybersecurity risk mitigation practices and technology.
For example, if a state wants to use funding from the legislation to modernize a water treatment plant, or a municipality wants to acquire smart cities capabilities, or a power utility wants to deploy new technologies in its facilities, they must first show their cybersecurity plans. This should not be controversial — why spend money upgrading the backbone of our society if we're going to leave the door open for digital adversaries? Why update the power grid to be able to handle more extreme weather, only for it to be taken down by hackers instead?
Cybersecurity standards for critical infrastructure
Any infrastructure legislation should also provide guidelines for how to secure our critical infrastructure systems. Anne Neuberger, White House deputy national security advisor for cyber and emerging technology, was spot on when she called out the need for basic cyber hygiene practices in a recent memo to organizations across the country.
Lawmakers debating the current package can look to the Senate Committee on Energy and Natural Resources for ways to guide infrastructure operators. Section 1106 of the Senate Committee on Energy and Natural Resources energy infrastructure bill allows the secretary of energy to require recipients of grants or funding under the bill to submit a cybersecurity plan. Such cybersecurity plans are required to:
- Outline how the recipient will maintain and improve cybersecurity throughout the life of the project;
- Demonstrate how the recipient plans to maintain cybersecurity between the networks, systems, devices, applications or components within the proposed solution and at external interfaces; and
- Indicate how the recipient will leverage applicable cybersecurity programs of the department, including cyber vulnerability testing.
Section 1106 also calls on funding recipients to maximize the use of open guidance and standards, including the Department of Energy Cybersecurity Capability Maturity Model and the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity.
These are excellent provisions and Tenable urges Secretary of Energy Jennifer Granholm to leverage this authority to drive stronger cybersecurity outcomes across the energy sector. The same provisions should apply to the nation's other critical infrastructure sectors as well.
What we need from the upcoming infrastructure modernization package is, at its core, quite simple: language requiring any organization providing these essential services to focus on the cybersecurity basics — including cyber risk assessments, asset management and vulnerability prioritization. Anything less would be negligent.
We recognize the details of critical infrastructure security are complex and unique. We believe this legislation presents a vital, common-sense place to start, as Congress works towards a final infrastructure plan. While our nation's electric grid and other critical infrastructure facilities are in dire need of physical updates, leaving them open to the barrage of cyberattacks is simply not an option. Congress must include cybersecurity provisions and requirements as it finalizes its infrastructure modernization plan.