Agency Falls Behind Deadline for Critical Industry Guidance But Cites Progress
Concerns about industrial security and the safety of America’s critical infrastructure came into focus last year with highly publicized attacks against a Florida water system and Colonial Pipeline.
In a U.S. House Homeland Security Subcommittee hearing, a representative of the Cybersecurity and Infrastructure Security Agency testified that the agency is behind on the deadline to roll out sector-specific performance goals to the 16 sectors that make up critical infrastructure. But he announced progress on plans for better information sharing between the public and private sectors and a new cybersecurity grant program to support small to midsize organizations.
Eric Goldstein, executive assistant director of CISA, which is part of the Department of Homeland Security, said the agency will focus on “target-rich and cyber-poor” organizations such as small water utilities, electric cooperatives and healthcare groups with a new grant program set for imminent announcement.
“We see these grants as being foundational not only in providing the ability to deploy the technologies but also for organizations to really increase their level of cybersecurity governance, to develop cybersecurity plans, programs and procedures that are necessary to manage the risk that we’re all seeing every day,” Goldstein told the House Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation.
The grant program was welcome news to some observers. “Small and medium-sized businesses that have OT environments, they don’t have the money, they don’t have the people to create a robust security program,” says Dawn Cappelli, OT Cert director at Dragos. “And yet they’re being hit with ransomware often. And that’s not only impacting them, but it’s impacting their supply chain, their customers. For IT security, there are free resources out there for small and medium businesses, but nothing for ‘How do you secure your factory?’”
Under a national security memorandum signed by President Joe Biden in July 2021, the agency was supposed to have voluntary performance goals in place for critical infrastructure organizations, including guidance for technology architecture and best practices by July 2022. Goldstein said the common baseline goals were released for public comment this summer and should be finalized by October. The sector-by-sector performance goals will come out in tranches by industry, but he did not give a time frame for their release.
At the hearing, Rep. Richard Torres, D-N.Y., challenged Goldstein on why the performance goals in the federal government’s OT security program are voluntary rather than mandatory. In the exchange, Goldstein said it’s impossible to guarantee secure systems, even with a mandate.
Also testifying was Virgle Gipson, senior advisor at the Idaho National Laboratory, part of the U.S. Department of Energy, which provides research and industry training. Gipson says adopting performance goals isn’t enough to secure the nation’s critical infrastructure.
“There’s so much that needs to be done here,” Gipson says. “So in addition to all of the great cyber hygiene things that need to be done to establish a baseline across our physical infrastructure, we also need to identify what are those high-consequence events that we simply can’t allow to occur as a nation and then working together between government and industry, find ways to mitigate the risks to eliminate those high-consequence events that could be catastrophic.”
Subcommittee members said that solving the talent shortage is critical, adding that a recent study showed that for every 100 cybersecurity jobs, there are only 68 qualified people to fill them. The shortage is even more pronounced in the OT security space, Gipson says.
“To take someone who’s already trained in information technology cybersecurity and train them to do operational technology, the principles are exactly the same,” he says. “What is different is the technical details of it, the data protocols, the vulnerabilities, the specific threats. So to take an IT person and turn them into an OT cybersecurity person, that is doable.”
Gipson said collaboration between IT and OT also requires a “culture change in companies. And so that is the longer pole in the tent.”
Changes can’t come soon enough for many organizations working with OT systems. Rockwell Automation, for example, found in a recent survey that 73% of critical infrastructure organizations have been attacked in the past year and 66% didn’t have an effective patching program in place.
“In my opinion, we cannot move fast enough,” says Nicole Darden Ford, vice president of global information security and CISO at Rockwell Automation. “The task is with every industrial CISO and CIO, head of plant engineering or operations, and also with business leadership and boards as the risk of downtime and liabilities has increased exponentially. So it is absolutely imperative. Many costs of breaches go unreported, and it is way beyond downtime, damage and/or ransoms.”