Earlier this month, the United States House Committee on Homeland Security introduced legislation aimed at securing critical infrastructure. The DHS Industrial Control Systems Enhancement Act of 2021 is designed to strengthen the U.S. Cybersecurity and Infrastructure Security Agency, which has been tasked with securing the nation’s industrial control systems and operational technology.
The new legislation has bipartisan support and was inspired by the recent cyber attack on a water treatment facility in Florida. In that attack, hackers accessed the computer system at the facility remotely and attempted to increase the amount of sodium hydroxide in the water supply.
“These systems operate many vital components of our nation’s critical infrastructure and remain under constant attack from cybercriminals and nation-state actors,” Rep. John Katko (R-NY), Ranking Member of the House Committee on Homeland Security, said in a statement. “As we saw recently when a Florida water treatment facility was targeted, these attacks can have devastating, real-world consequences. This legislation is a critical first step in the committee’s efforts to ensure CISA has proper resources and authorities to effectively carry out its mission.”
Industrial Cyber talked to Marty Edwards, vice president of OT security at Tenable, about the legislation aimed at securing critical infrastructure and its implications for the private sector.
“This bill focuses on operational activities like threat and vulnerability identification, incident response and it specifically calls out technical assistance and coordination with researchers, end-users, manufacturers, and other stakeholders,” Edwards says. “Neither the government nor the private sector can address the massive challenges of securing our ICS alone, and CISA is in the best position to lead these collaborations and partnerships across stakeholders.”
The DHS Industrial Control Systems Enhancement Act would require CISA’s director to monitor ICS vulnerabilities, including collecting, coordinating, and providing vulnerability information to relevant organizations.
“This bill extends the CISA director’s job responsibilities to give more insight into threats and control over sharing that information with key stakeholders to mitigate risk,” Edwards says. “The bill requires the director to monitor vulnerabilities of industrial control systems specifically, as the country’s critical infrastructure is often the target of bad actors. Everyone knows that CISA is the cyber agency – but this is the first time that industrial control systems and operational technology are being called out as a specific requirement for them.”
The legislation also directs CISA’s director to pay specific attention to threat hunting, provide technical assistance to both federal agencies and the private sector, and respond to attacks. This includes providing briefings to the Homeland Security committee about the DHS’s ICS capabilities every six months.
“The implementation of cross-sector incident response capabilities and ICS vulnerability disclosures are the most notable items that will impact the private sector,” Edwards says. “In the wake of sprawling attacks like SolarWinds and Microsoft Exchange, CISA’s leadership will be critical to keeping both the public and private sectors secure and improving information-sharing processes between the two entities.”
Prior to joining Tenable, Edwards was the longest-serving director of the Industrial Control Systems Cyber Emergency Response Team (ICS‐CERT). During his six years there, he learned firsthand about the challenges facing ICS and OT and the importance of securing critical infrastructure.
“Nearly every critical industry relies on OT to produce and deliver their product or service – without flawless operation, we wouldn’t be able to benefit from critical products or services like generating electricity and drinking clean water,” Edwards says. “Although these ICS and OT systems were once isolated from other networks, over time they have been integrated and completely interconnected with the enterprise IT systems, which bring along new opportunities for threat actors, making securing critical OT infrastructure essential.”
According to Edwards, attackers have a keen interest in targeting critical infrastructure because of the potential for monetary gain from ransomware attacks. He says critical infrastructure involving electricity generation and distribution, water treatment and delivery, oil and gas production and other essential services also presents opportunities for espionage and sabotage.
“Threat actors continue to target critical infrastructure around the world, as OT powers the modern economy and is used ubiquitously in all industries,” Edwards says. “Some of these systems are older legacy machines which may be left unpatched to known vulnerabilities. By connecting them to the outside world, they’re exposed to modern attack tools – making them a relatively easy target.”
Edwards says he is often asked how big the OT cybersecurity problem is. He says it’s a question that is difficult to answer because no one knows how many OT devices and systems are being used within the various departments and agencies of the federal government. To address the knowledge gap, Edwards says, a good first step would be to inventory all of these systems to fully determine the scope of the problem.
“CISA received new funding through the coronavirus stimulus package, which was an important step forward to better securing our government systems. But the billion dollars allocated still doesn’t go as far as we need it to go. We see critical functions within CISA and we see critical requirements for better protecting the federal government unfunded, and having more money available to get those important tasks accomplished is vital.
“In cybersecurity, one of the primary tenets is ‘you can’t protect what you can’t see’ and right now we really can’t see much.”