Industrial control systems (ICS) and operational technology (OT) are, simply put, the very fabric of the critical infrastructures that surround us. From the electric grid to the pharmaceutical plants manufacturing the COVID vaccine, OT devices are the backbone of many things we rely on every day.
But as we incorporate new devices and capabilities such as the Industrial Internet of Things (IIoT) into these systems to help improve their reliability and efficiency, the convergence of IT and OT has expanded the threat landscape and created new attack vectors, as seen in the recent Florida city water facility attack.
In fact, modern attack frameworks contain exploits for older, well-known vulnerabilities in OT systems. Cyber attackers love these systems – they’re simple to penetrate given the interconnected nature of the devices and highly prone to attacks when organizations don’t implement proper risk management and security practices.
Neither the government nor the private sector alone can address the massive challenges of securing our ICS and OT. Securing the nation’s critical infrastructure still requires strong public-private partnerships (PPPs) and cross-agency collaboration like the recently announced DOE and CISA partnership to improve the cybersecurity of the nation’s electric grid. As the leading cybersecurity agency, CISA is best positioned to facilitate these collaborations and partnerships with government and industry stakeholders.
Easier Said Than Done
The reality is that OT security is hard – these systems were often not designed with security in mind. The opportunity for cyber attackers to probe and test them for vulnerabilities can have unintended consequences on the physical infrastructure they support. That’s why it’s critical for OT operators to get the basics right – everything from asset and identity management to prioritized mitigation of overall risk – to keep bad actors out.
This is especially important as more and more organizations see adoption of zero trust approaches as the best path forward. As Tenable’s Chairman & CEO Amit Yoran noted, “no organization should begin a zero-trust journey without first nailing the basics of cyber hygiene.”
It’s well known in industrial cybersecurity that you can’t simply take enterprise or corporate IT security solutions and apply them blindly to operational environments. Industry stakeholders must collaborate and identify shortcomings in ICS security and invest in improvements across the board.
Newly introduced legislation in the House, called the DHS Industrial Control Systems Capabilities Enhancement Act, focuses on operational activities like threat and vulnerability identification and incident response. It specifically calls out technical assistance and coordination with researchers, end-users, manufacturers, and other stakeholders. The legislation extends the responsibility of the Director of CISA to provide more insight into threats and control over sharing that information with key stakeholders to mitigate risk, while requiring the Director to monitor vulnerabilities of ICS specifically. Everyone knows that CISA is the cyber agency – but the direct callout for ICS and OT monitoring is critical.
The DHS ICS Capabilities Enhancement Act is an important step towards fully securing the nation’s OT systems. This network provides critically important services to the government and the private sector as threats continue to arise – from coordinating responses to providing strategic guidance on keeping our critical infrastructure safe.
One of the challenges CISA faces with programs intended to improve the cybersecurity of these environments is that a very high percentage of critical infrastructure in the United States is owned and operated by private companies rather than federal, state, local, tribal or territorial governments. We need collaboration from industry to get this done. Luckily, the bill references private sector stakeholders and public-private partnerships, giving CISA the authority and resources it needs to implement these partnerships.
While investments in ICS and OT security are vital, going forward, we need to invest in cybersecurity from the start. Any modernization of these systems must take cybersecurity into account from the very beginning so we can avoid heightening the risks associated with the expansive threat landscape that the ongoing convergence of IT/OT systems has created.
CISA has existing authorities for systems operating within federal departments and agencies through a binding operational directive (BOD), which allows CISA to provide the federal government guidance to help secure federal OT systems. While the DHS ICS Enhancement Act calls for ICS and OT research and coordination, the federal government should leverage CISA’s BOD and undertake a comprehensive asset inventory to clearly understand the magnitude of vulnerabilities and threats facing federal OT systems.
No one can tackle this challenge alone, and CISA is in the best position to lead this effort across all stakeholders. Passing the DHS Industrial Control Systems Capabilities Enhancement Act is key to giving CISA the tools it needs to better tackle these challenges, but it is clear more will still need to be done.