
The challenge of protecting critical operational technology systems at ground level

While there has been a “change of attitude” toward securing the operational technology (OT) that underpins critical infrastructure such as manufacturing plants and utilities, the federal government is still grappling with issues such as engaging small businesses that have limited resources and building security into current OT investments.

Over the past year, the Biden administration has spearheaded several initiatives aimed at making industrial control systems (ICS) safer. This includes the National Security Memorandum passed last July. The National Institute of Standards and Technology (NIST) has developed a number of security performance targets for the critical infrastructure sector. But at Thursday’s hearing, “Building on our Baseline: Securing Industrial Control Systems against Cyberattacks,” government officials discussed the further security improvements needed at ground level to protect critical infrastructure environments and the particularly complex challenges of incorporating security into the design of OT systems.

Rep. Yvette Clarke (D-N.Y.), chair of the Cybersecurity, Infrastructure Protection and Innovation Subcommittee, said: “We rely on industrial control systems and other operational technologies (OT) to power our homes, ensure clean drinking water, and perform health, safety, and a myriad of other functions essential to life. We secure services, yet the question of how to secure these critical OT systems tends to take a backseat to traditional IT security.”

CISA has led many of the critical infrastructure security efforts at the federal level. In April, it expanded the Joint Cyber Defense Collaborative (JCDC), an agency effort to develop cyber defense plans with both public and private sector entities, to focus on ICS security with a new partner. The agency is also working to finalize the performance targets required by the national security memorandum, according to Eric Goldstein, CISA’s executive assistant director for cybersecurity, who spoke at the hearing. These goals extend the existing NIST Cybersecurity Framework (a standard for building and evaluating cybersecurity programs) to identify critical IT and OT system controls that have a known risk reduction value that can be applied.

Despite these efforts, Clarke and others reiterated the need, previously emphasized by the Biden administration, for more cooperation between federal agencies and critical infrastructure operators to keep sectors such as power grids, water and gas safer.

“We believe these baseline standards have the potential to reshape the OT security landscape. It won’t be a target,” Clarke stressed.

When asked how CISA communicates with smaller organizations and utilities, Goldstein said CISA has expanded its work with regional offices to better partner with local critical infrastructure organizations and utilities, but admitted that it is now “asymmetric across sectors.”

“There are sectors like the energy sector where there are many small power cooperatives and local governments,” says Goldstein. “I think CISA’s work with the Department of Energy has played an important role in understanding risk and controls. And we have work to do to identify all possible means of communication and collaboration.”

While high-profile critical infrastructure attacks like the Colonial Pipeline hack are only recent, security challenges in the OT space have long been debated. OT devices are very different from IT devices, which affects the methods and levels of security. For example, because IT is actively managed, it’s easy to install the regular patches needed to fix critical security flaws. By contrast, the critical nature of OT devices means that their downtime has a much greater impact, which adds complexity to any kind of update or replacement.

Vergle Gipson, senior advisor at the Idaho National Laboratory, said there are other design issues that make security and management of OT devices more complex. For example, IT infrastructure refresh cycles require devices to be upgraded every few years, whereas OT is designed to last for decades, and many devices were built at least 20 years ago, long before the need for strong cybersecurity defenses was even discussed. Educating the people currently building and designing these systems is one key opportunity to improve security, he said.

“This is a huge opportunity for us in the United States. Much of our existing infrastructure cannot be protected from a cyber perspective, so we are upgrading and replacing our infrastructure so that it can be cyber-safe and defensible, the design phase is a good place to start,” Gipson said. “We need to find ways to educate the people who are engineering and building the systems and the components of those systems. is needed.”