[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]
BUILDING ON OUR BASELINE: SECURING INDUSTRIAL CONTROL SYSTEMS AGAINST
CYBER ATTACKS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND INNOVATION
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 15, 2022
__________
Serial No. 117-69
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
50-027 PDF WASHINGTON : 2022
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Donald M. Payne, Jr., New Jersey
J. Luis Correa, California
Elissa Slotkin, Michigan
Emanuel Cleaver, Missouri
Al Green, Texas
Yvette D. Clarke, New York
Eric Swalwell, California
Dina Titus, Nevada
Bonnie Watson Coleman, New Jersey
Kathleen M. Rice, New York
Val Butler Demings, Florida
Nanette Diaz Barragan, California
Josh Gottheimer, New Jersey
Elaine G. Luria, Virginia
Tom Malinowski, New Jersey
Ritchie Torres, New York

John Katko, New York
Michael T. McCaul, Texas
Clay Higgins, Louisiana
Michael Guest, Mississippi
Dan Bishop, North Carolina
Jefferson Van Drew, New Jersey
Mariannette Miller-Meeks, Iowa
Diana Harshbarger, Tennessee
Andrew S. Clyde, Georgia
Carlos A. Gimenez, Florida
Jake LaTurner, Kansas
Peter Meijer, Michigan
Kat Cammack, Florida
August Pfluger, Texas
Andrew R. Garbarino, New York
Mayra Flores, Texas
Hope Goins, Staff Director
Daniel Kroese, Minority Staff Director
Natalie Nixon, Clerk
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND
INNOVATION
Yvette D. Clarke, New York, Chairwoman
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Elissa Slotkin, Michigan
Kathleen M. Rice, New York
Ritchie Torres, New York
Bennie G. Thompson, Mississippi (ex officio)

Andrew R. Garbarino, New York, Ranking Member
Michael Guest, Mississippi
Diana Harshbarger, Tennessee
Andrew S. Clyde, Georgia
Jake LaTurner, Kansas
John Katko, New York (ex officio)
Moira Bergin, Subcommittee Staff Director
Austin Agrella, Minority Subcommittee Staff Director
Aaron Greene, Subcommittee Clerk
C O N T E N T S
----------
Statements
The Honorable Yvette D. Clarke, a Representative in Congress From the State of New York, and Chairwoman, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement
Prepared Statement
The Honorable Andrew R. Garbarino, a Representative in Congress From the State of New York, and Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation:
Oral Statement
Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Chairman, Committee on Homeland Security:
Prepared Statement
Witnesses
Mr. Eric Goldstein, Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security:
Oral Statement
Prepared Statement
Mr. Vergle Gipson, Senior Advisor, Cybercore Integration Center, Idaho National Laboratory, U.S. Department of Energy:
Oral Statement
Prepared Statement
Appendix
Questions From Chairwoman Yvette D. Clarke for Eric Goldstein
Questions From Ranking Member Andrew R. Garbarino for Eric Goldstein
Questions From Honorable James Langevin for Vergle Gipson
Questions From Ranking Member Andrew R. Garbarino for Vergle Gipson
BUILDING ON OUR BASELINE: SECURING INDUSTRIAL CONTROL SYSTEMS AGAINST
CYBER ATTACKS
----------
Thursday, September 15, 2022
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity,
Infrastructure Protection,
and Innovation,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:03 a.m., in
room 310, Cannon House Office Building, Hon. Yvette D. Clarke
[Chairwoman of the subcommittee] presiding.
Present: Representatives Clarke, Jackson Lee, Langevin,
Slotkin, Rice, Torres, Garbarino, Guest, Clyde, and LaTurner.
Chairwoman Clarke. The Subcommittee on Cybersecurity,
Infrastructure Protection, and Innovation will be in order.
The subcommittee is meeting today to receive testimony on
``Building Our Baseline: Securing Industrial Control Systems
Against Cyber Attacks''.
Without objection, the Chair is authorized to declare the
committee in recess at any point.
Good morning. I would like to thank the witnesses for
participating in today's hearing on securing the industrial
control systems at the heart of our Nation's critical
infrastructure. This is a topic that we, as lawmakers and
Federal officials, don't spend nearly enough time talking
about, working on, or funding. We rely on industrial control
systems and other operational technology, or OT, to make sure
we have power in our houses, clean water to drink, and the
countless other functions and services essential to our health,
safety, and livelihoods. Still, questions about how we secure
these critical OT systems tend to take a backseat to
traditional IT security. That is simply not an option in
today's threat landscape, as OT becomes more interconnected,
integrated with IT systems, and an attractive target to our
adversaries.
In our industrial environment, the risks are not to stolen
customer data or reputational harm to a company. The
consequences can be deadly. An OT disruption could hurt our
communities, our economy, and even our National security. Yet,
in a recent report, the National Telecommunications Security
Advisory Committee, or NSTAC, found that our ``biggest gap'' in
OT security is our ``lack of urgency.'' The NSTAC diagnosis was
simple: ``The U.S. has the technology and the knowledge to
secure the systems but has not prioritized the resources'' to
do so. In a hearing earlier this year, I said that the United
States desperately needs to revamp its playbook for critical
infrastructure cybersecurity. It is particularly true for OT
security.
Fortunately, I believe we are starting to see a shift in
attitudes and the Biden administration is helping to lead that
charge. In his first few months in office, President Biden
launched a new ICS Cybersecurity Initiative, envisioned as a
series of cybersecurity sprints, starting with the electricity
subsector and then expanding to other sectors like pipelines
and water. Last July, President Biden formalized this
initiative in a National Security Memorandum on Improving
Control System Security. The Memorandum also directed CISA to
work with NIST on a set of cybersecurity performance goals to
serve as clear guidance to operators about the level of
security the American people can trust and should expect for
such essential services. This statement reflects a commitment
to three principles that should underpin the Federal approach
to OT security.
First, the American people are entitled to trust that the
services they have grown to rely on meet a reasonable, baseline
standard of security and resilience. Second, critical
infrastructure operators have a responsibility to earn and
maintain the trust of the American people. Finally, the Federal
Government has a responsibility to bring its expertise,
convening power, and resources to bear in support of this
effort.
I am pleased to have the Federal Government's lead convener
for critical infrastructure, and the principal architect of
those baseline standards, CISA, on our panel today. I know CISA
has been working to complete the Common Baseline performance
goals and I understand they will soon be finalized. I see these
baseline goals as having real promise to reshape the OT
security landscape, but they will only be as effective as
CISA's ability to engage and incorporate the feedback they are
hearing from stakeholders.
I am also pleased to have another leader in Federal OT
cybersecurity here today, the Idaho National Laboratory, to
talk about how they are working to secure OT systems and
support some of CISA's most critical OT programs, like
CyberSentry, which I worked to codify last year. I would like
to see this program grow and expand to new stakeholders, and I
look forward to hearing how Congress can support that growth.
I would also like to hear from CISA how it is targeting its
efforts toward OT operators with the greatest need, and the
fewest resources, for instance, small utilities or State and
local governments.
In this subcommittee, we often talk about the need to meet
sectors where they are, recognizing their different security
postures, resources, and expertise. That applies here as well.
We need to do everything we can to make sure that efforts like
the ICS sprints and the performance goals are designed to
benefit all stakeholders, not just the most sophisticated. That
will require the administration to identify lessons learned,
and apply them, for instance, to the upcoming chemical sector
sprint.
Finally, as we are shoring up these programs and ICS
investments, I also want to hear how we are investing in our
ICS security work force and doing so in a way that fosters
diversity.
I thank our witnesses for joining us today and I look
forward to our discussion.
[The statement of Chairwoman Clarke follows:]
Statement of Chairwoman Yvette D. Clarke
September 15, 2022
I would like to thank the witnesses for participating in today's
hearing on securing the industrial control systems at the heart of our
Nation's critical infrastructure. This is a topic that we, as lawmakers
and Federal officials, don't spend nearly enough time talking about,
working on, or funding. We rely on industrial control systems and other
operational technology, or OT, to make sure we have power in our
houses, clean water to drink, and countless other functions and
services essential to our health, safety, and livelihoods. Still,
questions about how we secure these critical OT systems tend to take a
backseat to traditional IT security.
That is simply not an option in today's threat landscape--as OT
grows increasingly connected to the internet, is more integrated with
IT systems, and becomes a far more attractive target for cyber
criminals and our adversaries. In an industrial environment, the risk
of a cyber compromise is not limited to stolen customer data or
reputational harm to a company. The consequences can be deadly. An OT
disruption could hurt our communities, our economy, and even our
National security. And yet, in a recent report, the National
Telecommunications Security Advisory Committee, or NSTAC, found that
our ``biggest gap'' in industrial cybersecurity is our ``lack of
urgency.'' The NSTAC's diagnosis was simple: ``the U.S. has the
technology and the knowledge to secure these systems but has not
prioritized the resources'' to do so.
In a hearing earlier this year, I said that the United States
desperately needs to revamp its playbook for critical infrastructure
cybersecurity. That is particularly true for OT security. Fortunately,
I believe we are starting to see a shift in attitudes--and the Biden
administration is helping to lead that charge. In his first few months
in office, President Biden launched a new ICS Cybersecurity
Initiative--envisioned as a series of cybersecurity sprints--starting
with the electricity subsector and then expanding to other sectors like
pipelines and water. Last July, President Biden formalized this
Initiative in a National Security Memorandum on Improving Control
System Security.
The Memorandum also directed CISA to work with NIST on a set of
cybersecurity performance goals to serve as clear guidance to operators
about the level of security ``the American people can trust and should
expect for such essential services.'' This statement reflects a
commitment to three principles that should underpin the Federal
approach to OT security. First, the American people are entitled to
trust that the services they have grown to rely on meet a reasonable,
baseline standard of security and resilience. Second, critical
infrastructure operators have a responsibility to earn and maintain the
trust of the American people. And finally, the Federal Government has a
responsibility to bring its expertise, convening power, and resources
to bear in support of this effort.
I am pleased to have the Federal Government's lead ``convener'' for
critical infrastructure, and the principal architect of those baseline
standards, CISA, on our panel today. I know CISA has been working to
complete the Common Baseline performance goals required by NSM-5, and I
understand they will soon be finalized. I see these baseline standards
as having real promise to reshape the OT security landscape--but they
will only be as effective as CISA's ability to engage and incorporate
the feedback they are hearing from stakeholders.
I am also pleased to have another leader in Federal OT
cybersecurity here today--Idaho National Laboratory--to talk about how
they're working to secure OT systems and support some of CISA's most
critical OT programs, like CyberSentry, which I worked to codify last
year. I would like to see this program grow and expand to new
stakeholders, and I look forward to hearing how Congress can support
that growth. I would also like to hear how CISA is targeting its
efforts toward OT operators with the greatest need, and the fewest
resources--for instance, small utilities or State and local
governments.
In this subcommittee, we often talk about the need to meet sectors
where they are--recognizing their different security postures,
resources, and expertise. That applies here as well. We need to do
everything we can to make sure that efforts like the ICS sprints and
the performance goals are designed to benefit all stakeholders--not
just the most sophisticated. That will require the administration to
identify lessons learned, and apply them--for instance, to the upcoming
chemical sector sprint. Finally, as we're shoring up these programs and
ICS investments, I also want to hear how we're investing in our ICS
security workforce--and doing so in a way that fosters diversity.
Chairwoman Clarke. The Chair now recognizes the Ranking
Member of the subcommittee, the gentleman from New York, Mr.
Garbarino, for an opening statement.
Mr. Garbarino. Thank you, Chairwoman Clarke, for what is sure
to be an informative hearing today. And thank you to our
witnesses for being here to discuss the threats posed by
industrial control systems, also known as operational
technology.
The magnitude of these threats is often difficult for
people to grasp, including Members of Congress. Securing the
foundational technology that underpins our Nation's most
critical functions is a National imperative. Industrial control
systems are responsible for safely and securely operating
informational technology throughout many critical
infrastructure sectors, such as energy, water, and
transportation systems.
Most Americans are accustomed to the reliable delivery of
National critical functions, like electricity and clean water,
but many are not aware of the serious cyber risks these sectors
face.
In 2017 the world's biggest shipping company, Maersk, was
one of the high-profile victims of the NotPetya attack. During
this attack, NotPetya malware was able to infiltrate the
company's industrial control systems, ultimately causing
container ships and ports to grind to a halt for almost 9 days.
Unfortunately, this incident was not solely isolated to the
maritime and transportation sector as the pharmaceutical, food,
and other industries were impacted as well.
What is more, in 2021 alone 80 percent of industrial
control system organizations reportedly experienced ransomware
attacks. As more industrial control systems across critical
infrastructure sectors become connected to the internet, the
attack surface will continue to grow exponentially. These
legacy industrial control systems were not originally designed
to be internet-facing unless they do not have the appropriate
level of cyber resilience baked into their foundations.
To mitigate threats we must consider a thoughtful approach
complementing--but sometimes unique from--our approach to
traditional informational technology cybersecurity. While we
must continue to innovate and evolve as a Nation to deliver
better-, faster-, and greater-performing services, we must also incorporate
baseline cybersecurity protocols to these industrial control
system environments to protect U.S. National and economic
security.
The Cybersecurity Infrastructure Security Agency works
closely with Federal and private-sector partners to secure
industrial control systems across the Federal enterprise and
throughout each of the 16 critical infrastructure sectors. I am
eager to hear CISA's perspective for the industrial control
systems security from Eric Goldstein and I am looking forward
to diving into the sector-specific industrial control system
concerns of Mr. Gipson from the Idaho National Laboratory.
Again, I would like to thank you all for being here. As I
mentioned earlier, we look to experts like you to help us
comprehend the magnitude of the threats facing industrial
control systems and the potential solutions Congress could
employ to bolster industrial control system cyber resilience.
I look forward to learning something new today from each of
our expert witnesses.
Thank you again, Madam Chair, for holding today's hearing
and I yield back.
[The statement of Ranking Member Garbarino follows:]
Statement of Ranking Member Andrew R. Garbarino
Thank you, Chairwoman Clarke, for holding what is sure to be an
informative hearing. And thank you to our witnesses for being here
today to discuss the threats posed to industrial control systems (ICS),
also known as Operational Technology (OT). The magnitude of these
threats is often difficult for many people, including Members of
Congress, to grasp.
Securing the foundational technology that underpins our Nation's
most critical functions is a National imperative. ICS systems are
responsible for safely and securely operating informational technology
(IT) and operational technology (OT) throughout many critical
infrastructure sectors such as energy, water, and transportation
systems, among others. Most Americans are accustomed to the reliable
delivery of National critical functions, like electricity and clean
water, but many are not aware of the serious cyber risks these sectors
face.
In 2017, the world's biggest shipping company, Maersk, was one of
the high-profile victims of the NotPetya attack. During this attack,
the NotPetya malware was able to infiltrate the company's ICS systems,
ultimately, causing container ships and ports to grind to a halt for
almost 9 days. Unfortunately, this incident was not solely isolated to
the maritime and transportation sector, as the pharmaceutical, food,
and other industries were impacted, as well. What's more, in 2021
alone, 80 percent of ICS organizations reportedly experienced
ransomware attacks.
As more ICS systems across critical infrastructure sectors become
connected to the internet, the attack surface will continue to grow
exponentially. These legacy ICS systems were not originally designed to
be internet-facing, and thus they do not have the appropriate level of
cyber resilience baked into their foundations. To mitigate threats, we
must consider a thoughtful approach, complementing--but sometimes
unique from--our approach to traditional IT cybersecurity. While we
must continue to innovate and evolve as a Nation to deliver better,
faster, and greater performing services, we must also incorporate
baseline cybersecurity protocols into these ICS environments to protect
U.S. National and economic security.
The Cybersecurity and Infrastructure Security Agency (CISA) works
closely with Federal and private-sector partners to secure industrial
control systems across the Federal enterprise and throughout each of
the 16 critical infrastructure sectors. I'm eager to hear CISA's
perspective on ICS security from Eric Goldstein, and I'm looking
forward to diving into the sector-specific ICS concerns of Mr. Gipson
from the Idaho National Laboratory.
Again, I would like to thank you all for being here. As I mentioned
earlier, we look to experts like you to help us comprehend the
magnitude of the threats facing industrial control systems, and the
potential solutions Congress could employ to bolster ICS cyber
resilience. I look forward to learning something new today from each of
our expert witnesses. Thank you again Madam Chair for holding today's
hearing.
Chairwoman Clarke. I would like to thank the Ranking Member.
Members are also reminded that the subcommittee will
operate according to the guidelines laid out by the Chairman
and Ranking Member in their February 3, 2021 colloquy regarding
remote procedures. Members may also submit statements for the
record.
[The statement of Chairman Thompson follows:]
Statement of Chairman Bennie G. Thompson
September 15, 2022
Operational technology underpins almost every aspect of how we live
and work. From generating and distributing the electricity lighting
this room, to ensuring that the water coming from the faucets is clean
enough to drink, operational technology is the backbone of the National
critical functions essential to public health, public safety, and
National security. In the late summer, two ``National critical
functions'' in Mississippi failed.
Jackson, Mississippi is in the midst of a water crisis, leaving
over 100,000 of my constituents without a clean water supply or
appropriately-managed wastewater. They cannot use the water coming out
of the faucets in their homes to brush their teeth, bathe, or wash the
dishes. Tens of millions of gallons of untreated wastewater has flowed
into Jackson-area waterways. Jackson schools had to revert to remote
learning earlier this month because the toilets would not flush.
Although the water crisis was not caused by a cyber attack, its
horrific impacts and cascading consequences underscore the urgency of
ensuring the safety, reliability, and functionality of the industrial
control systems that support National critical functions. For me, the
Jackson water crisis frames the way I think about today's hearing.
Since I became Chairman of the committee again in 2019, I have
expressed my concerns about the cybersecurity posture of the water
sector, and I am pleased that we now have a President who has made
improving it a priority. Earlier this year, the full committee received
testimony from the American Water Works Association about the
challenges facing municipal water authorities as they work to improve
their cybersecurity and about the ICS Cybersecurity Initiative water
``sprint.'' We learned that water authorities struggle to stretch their
budgets to invest in cybersecurity, and that Federal support needs to
be tailored to the existing maturity and resources of the sector.
A draft report on the convergence of operational and information
technology by the National Security Telecommunications Advisory
Committee released in August confirmed these findings. As the committee
continues its oversight of the Federal Government's ICS security
efforts, we are learning that stakeholders are eager to partner--
provided that the Government is collaborative and transparent. Toward
that end, I have three goals for this hearing.
First, I am interested in knowing what support CISA has provided to
the city of Jackson during the water crisis--including in helping the
city understand the cascading effects of being without water. Second, I
want to understand what CISA learned about the cybersecurity posture of
the water sector through the ICS cybersecurity sprint, and what
resources CISA brought to bear as it collaborated with the
Environmental Protection Agency. Finally, I am interested in learning
how CISA is encouraging ICS owners and operators to prioritize
cybersecurity and resilience and invest in it accordingly.
I support the development of voluntary security guidelines, but
they will only make us more secure if the private sector agrees to
implement them. There are certain things the public should be able to
rely on. Being able to drink the water coming out of the faucet is one
of those things. If we are going to rely on voluntary security goals to
protect ICS from cyber attacks, we must ensure that stakeholders are
incentivized and able to implement them.
Chairwoman Clarke. I now welcome our panel of witnesses.
First, I would like to welcome Mr. Eric Goldstein, the
executive assistant director for cybersecurity at the
Cybersecurity Infrastructure Security Agency, CISA. Mr.
Goldstein runs CISA's cybersecurity division. Previously, Mr.
Goldstein was the head of cybersecurity policy, strategy, and
regulation at Goldman Sachs. Mr. Goldstein also served at
CISA's predecessor agency, the National Protection and Programs
Directorate.
Next we will hear from Mr. Vergle Gipson, a senior advisor
at Idaho National Laboratory's Cybercore Integration Center. Before
joining INL, Mr. Gipson spent over 3 decades at the National
Security Agency, NSA, where he served in senior leadership in
technical roles.
Without objection, the witnesses' full statements will be
inserted in the record.
I now ask both witnesses to summarize their statements for
5 minutes, beginning with Mr. Goldstein.
STATEMENT OF ERIC GOLDSTEIN, EXECUTIVE ASSISTANT DIRECTOR FOR
CYBERSECURITY, CYBERSECURITY AND INFRASTRUCTURE SECURITY
AGENCY, U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Goldstein. Thank you.
Madam Chair, Ranking Member, Members of the subcommittee,
it is a privilege to rejoin the group today and talk about this
critically important topic. I applaud your focus on this issue,
as well as the depth of understanding and insight reflected in
both of your opening statements.
Madam Chair, as you noted, the security of control systems
in operational technology is of paramount importance for this
country. Americans rely every day on services enabled by
control systems, from health care to mass transit to water to
energy. This priority is of the utmost importance for CISA and
the broader Biden-Harris administration. This priority is
exemplified, Madam Chair, as you noted, by President Biden's
National Security Memorandum on securing critical
infrastructure control systems issued just last year, which
called for a series of cybersecurity sprints and the
development of cybersecurity performance goals.
At CISA, our work to enable and support security and
control systems is predicated on three core principles.
First, a focus on partnership, understanding the diverse
ecosystem of organizations across the control systems community
that must come together to enable important change.
Second, the important differences between operational
technology and more traditional IT, which requires thoughtful
consideration when adopting appropriate cybersecurity
solutions.
Third, the fact that many organizations using control
systems face uniquely high demands for availability and face
unique operational risks, which further requires deep
consideration and collaboration when recommending or supporting
particular security measures.
Now, with these principles in mind, at CISA we are focused
on deepening our operational collaboration across the ICS
community, on providing trusted and authoritative guidance to
help organizations adopt the right security measures at the
right time across the ecosystem, and developing cybersecurity
performance goals that will help organizations make the right
investments with their next security dollar to drive progress
toward the most important security outcomes.
Now, of course, we start first in everything we do with
partnership and operational collaboration. We were delighted
this past April to stand up our Joint Cyber Defense
Collaborative ICS Group, which brings together device
manufacturers, integrators, security providers, and owner/
operators to take on shared challenges in the control systems
and OT space. This group right now is working on a cyber
defense plan focused on enhancing the efficiency,
effectiveness, and speed of sharing the threat vulnerability
information across this broad ecosystem.
Now, Madam Chair, you raised a wonderful point, which is
the importance when thinking about collaboration of not just
focusing on the most mature organization, but those that are,
as we call them, target-rich and cyber-poor. Making sure that
those organizations that are less resourced are still able to
raise their own bar for cybersecurity. In that regard, we are
looking forward to launching our State and Local Tribal and
Territorial Cyber Grant Program. We are expanding our regional
forces to meet organizations where they are and providing easy-
to-use guidance and assessment tools.
Now, on this last point, we are also really focused on
serving as a trusted and authoritative source of guidance. I
mean the cybersecurity performance goals play an important role
here. These goals, which again were derived from the
President's National Security Memorandum, call on CISA and NIST
to work collaboratively in developing a set of goals that
organizations can use to inform resource prioritizations. Now,
really importantly, these goals are voluntary by design and were
developed as part of a richly collaborative process. We
received over 2,000 comments on the draft goals over 2 rounds
of feedback and countless workshops and listening sessions.
Excitingly, these goals are designed to be used in conjunction
with the NIST cybersecurity framework that is already adopted
by many organizations across the country. The goals, when they
are launched, will provide more specificity and measurability
to help organizations prioritize their security investments.
Even when the goals are launched, our dialog and our work will
continue as we will keep receiving feedback on the baseline
cross-sector goals and begin our work in developing sector-
specific goals that are tailored to the unique considerations
of each individual sector.
You know, the risk we face as a country in securing our
control systems and OT is extraordinary. CISA, with our
partners, is taking on this challenge head-on by providing
performance goals, making work easier for organizations that
are less mature, serving as a trusted and authoritative source
of guidance, including by enabling the coordinated disclosure
of vulnerabilities in control systems, and enabling increased
visibility across the control systems and OT landscape by
encouraging adoption of commercial solutions and by providing
our cyber protection ability to organizations that need it
most.
Thank you again for the privilege of joining today. It is
always an honor and I look forward to your questions.
[The prepared statement of Mr. Goldstein follows:]
Prepared Statement of Eric Goldstein
September 15, 2022
Chairwoman Clarke, Ranking Member Garbarino, and Members of the
subcommittee, thank you for your invitation to testify today on behalf
of the Cybersecurity and Infrastructure Security Agency. I appreciate
the opportunity to highlight how CISA supports our Nation's industrial
control systems (ICS) and operational technology (OT) communities
against cyber threats that have the potential of impacting National
Critical Functions and the provision of essential services to the
American people.
As reflected in President Biden's National Security Memorandum
(NSM)--5, ``Improving Cybersecurity for Critical Infrastructure Control
Systems,'' securing ICS and OT assets is a top priority of the Biden-
Harris administration, and CISA is privileged to serve in a central
role in implementing this directive, alongside our Federal and industry
partners. NSM-5 directed an unprecedented focus on ICS cybersecurity
across the U.S. Government through a series of ``sprints'' focused on
the electricity, pipeline, and water sectors and through the
development of baseline cybersecurity performance goals.
Our Nation's ICS and OT community is a complex ecosystem comprised
of device manufacturers, integrators, owners and operators of critical
infrastructure, and security providers. CISA serves as a trusted
partner within the ICS and OT ecosystem to provide information,
guidance, and capabilities that enable faster and more scalable
reduction of risks facing ICS and OT assets. Our goal is to meet the
unique requirements of the ICS and OT community by continuously
evaluating and improving our capabilities to support the areas of
greatest need, recognizing that many ICS and OT environments require
approaches and solutions that differ from traditional Information
Technology environments.
Operational Collaboration
Over the past decade, we learned that traditional methods of
public-private partnership characterized by intermittent,
unidirectional information sharing did not scale to meet the pace of
the adversary or the velocity of technological change. With the support
of Congress, we shifted the paradigm toward continuous collaboration to
empower synchronized cybersecurity planning, cyber defense, and
response. The Joint Cyber Defense Collaborative (JCDC) brings together
critical partners in Government and the private sector to engage in
persistent collaboration and joint cyber defense planning.
In April 2022, we expanded the JCDC to focus on ICS security and
brought in new partners to help lead this important work. Through the
creation of focused collaboration channels, the JCDC-ICS is positioned
to quickly share, analyze, and enrich information about threats and
vulnerabilities affecting ICS assets. Additionally, the JCDC-ICS
initiative catalyzed a new planning effort intended to expedite
collaboration across the ICS ecosystem, bringing together Government,
critical infrastructure operators, ICS vendors, and ICS security
providers with unprecedented cohesion and scale. As we continue to
bring on new partners, CISA will mature the JCDC's structure and
operational approaches to maximize value for the ICS community.
Serving as an Authoritative Source of Trusted Information
As a core part of our mission to advance security of the ICS and OT
communities, CISA collaboratively develops trusted information to help
organizations more effectively mitigate vulnerabilities. This
information generally takes two forms.
First, we develop Cybersecurity Advisories with inter-agency and
international partners on urgent threats and risks, such as the joint
product with the National Security Agency (NSA) and Federal Bureau of
Investigation (FBI) from April 13, 2022, on APT cyber tools targeting
ICS/SCADA devices; our joint product with the Department of Energy
(DOE) on March 29, 2022, regarding targeting uninterruptible power
supplies; and our March 24, 2022, joint product with FBI and DOE on
threats from Russian state-sponsored cyber actors targeting the energy
sector. These products, many of which benefited from input from
private-sector partners, are intended to turn raw intelligence into
actionable guidance information with increased speed for organizations
across the country.
Second, CISA's ICS Vulnerability Response and Disclosure program
regularly publishes ICS Advisories to share information about impactful
vulnerabilities. The program serves as a trusted partner with
cybersecurity researchers and product vendors to effectively identify,
enable mitigation, and publicly disclose vulnerabilities impacting
control systems and operational technology. CISA coordinated the timely
disclosure of thousands of vulnerabilities and their associated
mitigations, which otherwise would affect systems and hardware
supporting critical functions such as the electric grid, hospitals,
building automation systems, defense systems, data centers, and other
crucial systems. In 2022, CISA already has published over 300 such
Advisories representing thousands of vulnerabilities in a variety of
ICS/OT products. These vulnerabilities impact products used across a
wide variety of sectors, including Energy, Critical Manufacturing,
Water and Wastewater Systems, Food and Agriculture, and Chemical. We
work closely with stakeholders across Government and industry to
identify the most impactful ways to disseminate vulnerability
information, including through machine-readable data that can be
ingested and actioned through automation and by providing guidance that
enables prioritization of the most significant risks. CISA will soon
begin producing machine-readable ICS Advisories in the Common Security
Advisory Framework (CSAF) format, which will enable automated and
timely exchange of vulnerability advisory information in an
interoperable manner, and we urge all vendors of ICS and OT products to
adopt this approach.
Enabling Operational Visibility
A prerequisite for optimized operational collaboration and
provision of timely, actionable guidance is visibility into the
targeting of ICS and OT systems. We must know how malicious actors are
attempting to compromise systems, where they are succeeding, and which
security measures are most effective in stopping them. To gain
visibility into the breadth of malicious activity targeting American
networks, we work with our JCDC partners to build an ecosystem of
continuous collaboration where traffic or an incident seen by one
partner can be rapidly shared across both private and public-sector
entities for analysis, enrichment, and correlation. To gain deeper
visibility into particular sectors, we are partnering with a small
number of ICS security companies to give our analysts the ability to
determine whether a given threat has been seen before, while preserving
anonymity of the security companies' customers.
Finally, for select critical infrastructure entities, we provide
access to our CyberSentry program. CyberSentry is a CISA-managed threat
detection and monitoring program that allows our analysts to directly
detect attempts to compromise critical ICS networks. Through a
strategic and narrow deployment, CyberSentry leverages sensitive data
to provide enhanced visibility that can be used by CISA and our
partners to better defend critical infrastructure networks. CyberSentry
is not a replacement for a company's own ICS cybersecurity program or
security providers; rather, this program provides an additive layer of
visibility where the Nation needs it most. We continue to encourage all
organizations to adopt commercial ICS monitoring solutions by
publishing guidance that provides a list of criteria organizations
should consider when evaluating a commercial ICS monitoring solution.
We are grateful to Congress for authorizing the CyberSentry program,
and we look forward to expanding it to additional partners in the
months to come.
Enabling Prioritized Investment
A key pillar of President Biden's NSM-5 directed CISA and NIST to
develop cybersecurity performance goals for critical infrastructure,
which ``should serve as clear guidance to owners and operators about
cybersecurity practices and postures that the American people can trust
and should expect for such essential services.'' Referred to as the
Common Baseline, it aims to identify a set of practices that critical
infrastructure owners and operators should employ to protect systems
supporting National Critical Functions and reduce risks to National
security, economic security, and public health and safety. This Common
Baseline represents a combination of best practices for IT and OT
owners and sets forth a prioritized list of security controls. These
practices are also intended to be a benchmark for critical
infrastructure operators to measure and improve their cybersecurity
maturity.
Unlike other control frameworks, the Common Baseline considers not
only the practices that address risk to individual entities, but also
the aggregate risk to the Nation. Rather than a comprehensive catalog,
the Common Baseline captures a core set of high-impact controls and
practices with known risk-reduction value that are broadly applicable
across sectors. Organizations can use the Common Baseline to prioritize
the security controls which work most effectively to reduce risk in
their environments. This prioritization can help determine how to most
prudently allocate investments toward specific security practices.
The Common Baseline is voluntary by design, and the draft goals
were developed through a highly collaborative process. CISA received
over 2,000 comments across two separate rounds of review, which
included multiple workshops with critical infrastructure partners, ICS
and OT experts, and the general public. Importantly, the Common
Baseline is designed to be utilized in conjunction with and in support
of the NIST Cybersecurity Framework (CSF), which is the de facto
standard for all organizations to build and evaluate their
cybersecurity programs. The Common Baseline extends the CSF by
identifying the most impactful controls across both IT and OT systems
and describes both the scope and measurements for those controls so
that it is easier for asset owners to implement and attest to their
security posture. Organizations that are already using the NIST CSF or
other frameworks can easily determine where they are already making
progress toward achieving particular goals in the Common Baseline and
where more investment may be required. We look forward to releasing the
next iteration of the Common Baseline this fall, with continued
collaboration across the cybersecurity community on further maturation
of the baseline goals and sector-specific goals.
Conclusion
Advancing the security and resilience of industrial control systems
(ICS) will continue to be a top priority for CISA and the Biden-Harris
Administration. As the lead agency for civilian cybersecurity and the
National coordinator for critical infrastructure security and
resilience, we will continue to partner with organizations across the
ICS and OT ecosystem to identify and reduce risk facing our Nation's
most critical systems. With the continued support of Congress, we will
make measurable progress toward these essential goals.
Chairwoman Clarke. Thank you, Mr. Goldstein, for your
testimony here today.
I will now recognize Mr. Gipson to summarize his statement
for 5 minutes.
STATEMENT OF VERGLE GIPSON, SENIOR ADVISOR, CYBERCORE
INTEGRATION CENTER, IDAHO NATIONAL LABORATORY, U.S. DEPARTMENT
OF ENERGY
Mr. Gipson. Chairwoman Clarke, Ranking Member Garbarino,
Members of the subcommittee, thank you for the invitation to
testify on a topic critical to the security of our Nation.
I am Vergle Gipson and I am a senior advisor at Idaho
National Laboratory. I am an expert in cyber threat and
critical infrastructure cybersecurity.
By nearly all measures, cyber risk to our Nation's critical
infrastructure continues to increase. Unfortunately, this trend
is likely to continue because our adversaries view cyber
vulnerabilities as a low-risk, often unattributable means to
strike our Nation. Acts of cyber-enabled sabotage are possible
because our Nation's infrastructure is highly dependent on
industrial control systems.
These industrial control systems, also known as operational
technology, govern and execute complex processes at
substations, manufacturing facilities, water treatment
facilities, military bases, transportation hubs, and much more.
In contrast to information technology--IT, like personal
computers and business networks--operational technology is not
as widely protected. There are several reasons for this
including, first, systems management. Most IT is upgraded or
replaced every 3 to 5 years, software and firmware is
frequently updated and patches are routinely installed. On the
other hand, operational technology is often designed to last
for decades and is typically only updated if a noticeable
failure occurs.
Second is standardization. Most IT is designed and operated
using industry best practices for cybersecurity that are widely
adopted. By contrast, operational technology is often custom-
engineered for specific systems.
Third, is discovery tools. The IT industry has developed a
wide range of products to discover malicious activities and
vulnerabilities. However, few discovery tools exist for
operational technology.
To help simplify this complex issue, I find it helpful to
think of cyber risk as a function of threats, vulnerabilities,
and consequences. As adversaries increase their capabilities and
their intent to conduct malicious cyber activity, the threat to
U.S. infrastructure rises. As the complexity and number of
digital systems increase, the cyber vulnerabilities in U.S.
infrastructure rise. As our society becomes more reliant on an
increasing number of digitally-connected systems, the
consequences of cyber attacks also increase.
However, this cyber risk can be greatly reduced, and in
some cases eliminated. We at Idaho National Laboratory are
working with CISA, the Department of Energy, the Department of
Defense, industry, and others to reduce cyber threats,
vulnerabilities, and consequences.
Idaho National Laboratory is managed by Battelle Energy
Alliance for the Department of Energy and is focused on
innovations in nuclear research, renewable energy systems, and
National security systems. From our decades of work building
and testing more than 50 nuclear reactors, the Lab has
developed a deep understanding of operational technology and
the cybersecurity, engineering, and processes needed to provide
critical function assurance.
For more than 18 years, CISA and its predecessor
organizations, have leveraged the Lab's capabilities and proven
leadership. Current Laboratory technical support to CISA
includes discovering cyber vulnerabilities and partnering to
develop mitigations, providing technical expertise in response
to cyber incidents, developing analytic tools to detect
malicious behavior and to identify cross-sector dependencies,
developing methods and tools to assess the security of critical
infrastructure systems, and creating cybersecurity and
infrastructure protection training for the industrial control
systems work force.
Looking forward, to address some of the most critical gaps
surrounding industrial control system cybersecurity, the Lab
recommends, first, creating an industrial control system
cybersecurity center of excellence to drive research and
development among the community of practice. Second, maturing
cyber-informed engineering to address cybersecurity issues
early in the life cycle of engineered systems by leveraging the
Department of Energy's National cyber-informed engineering
strategy. Third, expanding cyber physical test environments to
support development of sector-specific cyber risk mitigations.
I appreciate the opportunity to testify and I look forward
to your questions.
[The prepared statement of Mr. Gipson follows:]
Prepared Statement of Vergle Gipson
September 15, 2022
Introduction
Chairwoman Clarke, Ranking Member Garbarino, and Members of the
subcommittee, thank you for the invitation to testify on a topic
critical to the security of our Nation. My name is Vergle Gipson, and
I'm a senior advisor at Idaho National Laboratory. Prior to joining the
Laboratory 5 years ago, I retired from the Senior Executive Service
after more than 30 years at the National Security Agency working a
variety of cyber-related issues. I'm an expert in cyber threat and
critical infrastructure cybersecurity.
Testimony
By nearly all measures, cyber risk to our Nation's critical
infrastructure continues to increase. Unfortunately, this trend is
likely to continue because our adversaries view cyber vulnerabilities
as a low-risk, often unattributable means by which to strike our
Nation. Foreign and domestic acts of cyber-enabled sabotage are
possible because our Nation's infrastructure is highly dependent on
industrial control systems. Widely known as ``operational technology,''
industrial control systems govern and execute complex processes at
substations, manufacturing facilities, water treatment facilities,
military bases, transportation hubs, and much more. From regulating the
flow of oil and natural gas in pipelines to purifying our drinking
water supply, millions of digitally-connected devices--such as
protective relays, programmable logic controllers, and human-machine
interfaces--keep our society running day-in and day-out. All of the
Nation's 16 critical infrastructure sectors rely on operational
technology.
In contrast to Information Technology (IT) like personal computers,
business networks, and databases, operational technology is not as
widely protected. There are several reasons for this, and I will touch
on a few of them:
Refresh cycle.--While most IT is upgraded or replaced every
3 to 5 years, operational technology is often built and
designed to last for decades. Many of the industrial control
systems in our critical infrastructure today were designed 20
or more years ago, before the need for robust cyber defenses
was fully understood.
Standardization.--Most IT is designed, installed, and
operated using industry best practices for cybersecurity that
are widely adopted and accepted. By contrast, operational
technology is often a custom engineering design, created to
meet exact specifications for its end user.
Management.--IT is actively managed--software and firmware
are updated, and patches are routinely installed. Operational
technology is typically passively managed, only updated or
replaced if a noticeable failure or fault occurs.
Discovery tools.--The IT industry has developed a wide range
of products to detect and discover malicious code and
vulnerabilities. For instance, think about the wide variety of
anti-virus software available for purchase and use on home or
business computers. By contrast, few discovery tools exist for
operational technology.
Intent.--While threats against IT systems target information
like financial data or proprietary business dealings, threats
against operational technology target physical processes like
the flow of electric power or the production of our food
supply.
To help simplify this extraordinarily complex issue, I find it
helpful to think of cyber risk as a function of threats,
vulnerabilities, and consequences. As adversaries increase their
capabilities and their intent to conduct malicious cyber activity, the
threat to U.S. infrastructure rises. As the complexity and number of
digital systems increase, the cyber vulnerabilities in U.S.
infrastructure also rise. Not only are those vulnerabilities inherent
in the systems themselves, but they're also introduced by adversaries
through supply chain operations and other means. As our society becomes
more reliant on an increasing number of digitally-connected systems,
the consequences of cyber attacks also increase. In short, multiple
factors affecting cyber threats, vulnerabilities, and consequences are
driving the increase in cyber risk, and that trend is likely to
continue.
In the last two decades, the risk of a cyber attack against our
critical infrastructure has transitioned from being theoretically
possible to documented and proven. As protection strategies, tools, and
expertise have improved in the IT environment, adversaries have
likewise improved their techniques and are expanding to other target-
rich environments including critical infrastructure. However, this
cyber risk can be greatly reduced and, in some cases, eliminated. We at
Idaho National Laboratory, with our unique capabilities in
cybersecurity for operational technology, are working with the
Department of Homeland Security's Cybersecurity and Infrastructure
Security Agency (CISA), the Department of Energy (DOE), the Department
of Defense (DoD), industry, and others to reduce cyber threats,
vulnerabilities, and consequences.
Idaho National Laboratory (INL) is one of 17 U.S. Department of
Energy (DOE) National Laboratories and is managed by Battelle Energy
Alliance. Located in Idaho Falls, Idaho, INL employs more than 5,400
researchers and support staff focused on innovations in nuclear
research, renewable energy systems, and National security solutions.
INL's National security mission focuses on protecting the Nation's
critical infrastructure, preventing the proliferation of weapons of
mass destruction, and providing direct support to America's
warfighters. From our decades-long work in building and testing more
than 50 nuclear reactors in the high desert west of Idaho Falls, INL
has developed a deep understanding of operational technology and the
cybersecurity, engineering, and processes needed to secure systems and
provide critical function assurance. With a large 890-square-mile site,
INL can not only create new industrial control system security
solutions, but also test and demonstrate those security solutions at
scale in full-size test environments.
For more than 18 years, CISA and its predecessor organizations have
leveraged INL's unique capabilities and proven leadership in the
discovery, development, testing, and demonstration of advanced
technology solutions. Specifically, INL's experience providing
solutions to address critical infrastructure security needs, and INL's
relationships with both private and public stakeholders, has helped
CISA address the needs of the entire critical infrastructure community
against the ever-evolving set of natural and man-made hazards the
Nation faces. INL technical support to CISA includes:
Vulnerabilities.--Discovering and/or helping develop
mitigations against hundreds of vulnerabilities affecting
operational technology products including several high-profile
vulnerabilities impacting U.S. Critical Infrastructure.
Hunt and Incident Response Operations.--Providing industrial
control systems technical expertise during responses to
operational technology-related incidents including identifying
vulnerabilities and hunting for evidence of threat actors.
Analysis.--Developing analytic tools and platforms that
enable both CISA and critical infrastructure partners to detect
malicious and anomalous behavior, to identify and understand
cross-sector dependencies, and to perform analysis of all
potential hazards.
Assessments.--Developing and continuing to support
methodologies and tools focused on the assessment and design
review of critical infrastructure systems and environments.
Training.--Creating and delivering training focused on
educating the industrial control systems and IT workforce on
cybersecurity, and bridging the knowledge gap that exists
within organizations, through unique hands-on experiences and
virtual learning environments that require them to collaborate.
INL stands ready to do even more to reduce the cyber risks to our
Nation's critical infrastructure. INL's unique facilities are
singularly positioned to support a wide variety of research, analysis,
testing, and validation opportunities for Federal and industrial
collaborators. Comprising a cyber-physical infrastructure test range,
co-located laboratories, several technology-specific test ranges, and
available air space, this premier research environment allows testing--
from modeling and simulation to full-scale--to be conducted safely and
securely. More than 100,000 square feet of specialized laboratory
testing space staffed by experts in operational technology,
cybersecurity, power systems engineering, vulnerability assessments,
and dependency analysis enables the creation, testing, and
demonstration of the next-generation control system cybersecurity
solutions the Nation needs now and well into the future.
To address some of the most critical research and capability gaps
surrounding industrial control system cybersecurity, INL recommends the
following:
1. Creation of an industrial control systems cybersecurity Center
of Excellence.--This Center of Excellence would serve as a
focal point for increased information sharing among a community
of practice that includes Government, industry, academia, and
other National Laboratories; create a vehicle for further
investments in cybersecurity research and development; and
advance the science of securing operational technology to stay
ahead of our cyber adversaries' rapidly-evolving tactics.
2. Directed research to mature Cyber-Informed Engineering (CIE).--
Cyber-Informed Engineering encourages addressing cybersecurity
issues early in the design life cycle of engineered systems to
reduce cyber risks. The Secretary of Energy recently released a
National Cyber-Informed Engineering Strategy focused on the
energy sector that could be expanded to address all U.S.
critical infrastructure.
3. Expansion of INL cyber-physical test environments to support
development of cyber risk mitigations.--This expansion would
enable the research and development of mitigation strategies,
the analysis of product and system vulnerabilities, the
understanding of emerging adversary tactics, and other
cybersecurity efforts reliant on representative test
environments. This expansion should include the addition of
full-scale, sector-specific, cyber-physical test environments
for priority infrastructure systems, including water and
wastewater, transportation, oil and natural gas, and critical
manufacturing.
I appreciate the opportunity to testify, and I want to thank you
again for your attention to this very important issue for our Nation. I
look forward to your questions.
Chairwoman Clarke. Thank you, Mr. Gipson, for your
testimony here today.
I will remind the subcommittee that we will each have 5
minutes to question the panel.
I will now recognize myself for questions.
The Biden administration has taken proactive steps to
secure critical infrastructure control systems, but there is
much more to do. So my question is to both of you gentlemen.
What more could the administration be doing toward
industrial cybersecurity? What milestones should we be looking
at to see over the next 5 to 10 years?
Mr. Goldstein. Thank you, ma'am, that is a wonderful
question.
As you know, the administration has made this issue an
absolute top priority and we have now set forth a strategy and
a series of efforts that we believe will make measurable
impact, working with our partners, in the months and years to
come.
A few of these lines of effort include the cybersecurity
performance goals. We look forward to releasing the baseline
cross-sector goals here soon and then immediately turning to
work on the sector-specific performance goals. Where sectors
uniquely utilize control systems and OT, we look forward to
exploring how these performance goals can help organizations
prioritize the right investments in securing their ICS and OT
environments on a voluntary basis in accordance with the
performance goals.
Of equal importance is our collaborative work, particularly
with the vendor, security provider, and integrator community, as
the Ranking Member noted, to ensure that we are providing
needed support and assistance in adopting, for example, more
security protocols and security by design measures in many
control systems and OT technologies that were designed
historically for availability and reliability and now need to
be improved to ensure that security is also top in mind. We
will be doing a lot of that work through our Joint Cyber
Defense Collaborative, but again working closely with our
partners across sectors.
Beyond that, we are also really focused on ensuring that we
are enabling prompt identification of vulnerabilities in the
control systems and OT environment to ensure that when a risk
is identified, it is rapidly remediated across sectors to
reduce, as my co-witness noted, the opening that our
adversaries have to cause an intrusion and cause harm.
Mr. Gipson. So we at Idaho National Lab provide technical
support to CISA and others in the administration, other
organizations. As I laid out in my testimony a moment ago, big
things on our mind include that center of excellence to do more
to encourage cyber informed engineering, changing the culture
among engineers to recognize cybersecurity as a fundamental
tenet just as engineers currently recognize functionality,
reliability, and safety.
Then, finally, having more representative test environments
that are close to real life to experiment and develop
mitigations that will work in the real world environment for
specific sectors.
So there is so much that needs to be done here.
So in addition to all of the great cyber hygiene things
that need to be done to establish a baseline across our
critical infrastructure, we also need to identify what are
those high-consequence events that we simply can't allow to
occur as a Nation and then work together between Government
and industry to find ways to mitigate the risks to eliminate
those high-consequence events that could be catastrophic.
Chairwoman Clarke. As the Federal Government funnels
resources into new infrastructure projects today, how can we
make sure the OT investments we are making now have security
built in for the threats of tomorrow?
Mr. Goldstein. Thank you, ma'am.
Certainly we are at a unique time in this country's
infrastructure where resources, including through the
Infrastructure Investment and Jobs Act, will cause an
extraordinary maturation and modernization of this country's
infrastructure across sectors. At CISA we are working with our
partners across the Federal Government to provide guidance and
support to enable adoption of security by design and security
by default principles in as many of those projects as possible.
Certainly our colleagues, for example, at the Department of
Energy are taking a similar approach. So with the extraordinary
work of Congress here in enabling funding through the IIJA, we
will hope that this funding will lead not only to dramatic
modernization and access for all Americans, but also to
increased security as well.
Mr. Gipson. This is a big opportunity for us in the United
States that a lot of the existing infrastructure simply isn't
securable from a cyber viewpoint. So as we are upgrading and
replacing infrastructure, it is the perfect time to make that
infrastructure cyber secure and defendable. The design stage is
the right place to start. So we have to find a way to educate
those who are engineering and building new systems and those
who are engineering and building the components in those
systems, that that work is done with cybersecurity in mind, so
when those new systems are installed and become operational
they can be defended.
Chairwoman Clarke. Very well.
I now recognize the Ranking Member of the subcommittee, the
gentleman from New York, Mr. Garbarino, for his questions.
Mr. Garbarino. Thank you, Chairwoman.
Mr. Goldstein, you mentioned in your opening statement that
you are looking forward to the State and local grant program.
Where are we with that right now?
Mr. Goldstein. Thank you, sir.
As you know, we are really excited for this program. It is
really a new opportunity to drive some extraordinary maturation
across our partners, many of which lack resources to adopt needed
security practices in the face of modern threats. We are
preparing in the near future to announce the notice of funding
opportunity, which is going to provide the window for SLTT
organizations to apply for cybersecurity grants. We see these
grants as being foundational, not only in providing the ability
to deploy needed technologies, but also for organizations to
really increase their level of cybersecurity governance, to
develop cybersecurity plans, programs, and procedures that are
necessary to manage effectively the risk that we are all seeing
every day.
Mr. Garbarino. So but in the near future you are
expecting----
Mr. Goldstein. Yes, sir.
Mr. Garbarino [continuing]. To open up for application?
Great. It is good to hear.
I wanted to ask you, because this is something that came
out yesterday, the Office of Management and Budget released new
guidance on secure software procurement requirements and, you
know, directive under the President's Improving National
Security Executive Order, and the common concern we have heard
from industry is that requirements like this are often
inconsistent across the Federal agencies. Is CISA planning on
working with or have they worked with OMB to ensure that there
is consistency of these new requirements across the Federal
Civilian Executive Branch?
Mr. Goldstein. Absolutely. At the outset we are really
excited to see OMB's software security memo be released. This
memo is going to significantly increase accountability and
transparency for the security of software used by the Federal
Executive branch. But we feel that the implications are likely
broader. So as we think through putting forth voluntary
guidance for organizations, how to think about software
security, how to make the right requests for suppliers of
software for the organizations, including critical
infrastructure, the work being done by CISA and OMB for the
Federal Government we feel like is ostensible to be adopted on
a voluntary basis by entities across the country. So as one
example of that, as we think through what performance goals
might look like for the IT sector, we are going to work really
collaboratively with IT organizations across the country to
think through how do we adopt performance goals that are
harmonized with software security guidance elsewhere so we
ideally have one set of expectations or voluntary guidance for
organizations, regardless if they are working with a Federal
entity or the private sector.
Mr. Garbarino. I appreciate the work that you are doing
with industry here. So thank you.
Mr. Gipson, in your opening statement you talked about the
ability to identify high-consequence events and also eliminate
their ability to happen. Where are we on that? I mean have we
identified these high-consequence events? Or I know they
probably change daily, but I mean do we have a baseline yet?
Mr. Gipson. So I will speak to where we are with--and Idaho
National Lab activity in partnership with the Department of
Energy, the Department of Homeland Security, and the Department
of Defense, we have been initially piloting and now
operationalizing an effort we call--it is a mouthful--
consequence-driven cyber-informed engineering. So this is a
process we go through with oftentimes asset owners and operators
to train them on how to bring together those who work IT
cybersecurity with those who work OT cybersecurity with the
engineers and with the operators, all with a focus on securing
the systems and the critical infrastructure from those high-
consequence events.
So the first pilot occurred in 2017 and things have matured
greatly since then and the program has been commercialized
somewhat. So now it is spreading. So there is a path forward
here, it just needs to grow.
Mr. Garbarino. I imagine these high-consequence events are
sector-specific. So what might be high-consequence event for
one sector is not for another. So how do we get it to mature?
What is the next step? Because it seems like we should be
moving quickly on this to develop the list and then have that
grow.
Mr. Gipson. I could not agree with you more. Yes, this
needs to move out more quickly.
So this is where time back to the Department of Energy's
National cyber-informed strategy comes in. DOE has a plan for
how to reach the work force and the practitioners so that they
start adopting the CIE activities. We have from the Lab worked
with the National Risk Management Center to prioritize those
critical infrastructure entities and various sectors. So there
is a lot that Government has done, but this is a big change
across the sector and needs to be funded either privately or
through the Government.
Mr. Garbarino. I appreciate that.
Madam Chairman, I yield back.
Thank you.
Chairwoman Clarke. The Chair will recognize other Members
for questions they may wish to ask the witnesses. In accordance
with the guidelines laid out by the Chairman and the Ranking
Member in their February 3 colloquy, I will recognize Members
in order of seniority, alternating between Majority and
Minority.
Members are also reminded to unmute themselves when
recognized for questioning.
The Chair now recognizes the gentlewoman from New York, Ms.
Rice, for 5 minutes.
Ms. Rice. Thank you, Madam Chair.
Mr. Goldstein, thank you so much for joining us. As has
been said, it is great to hear from you again.
Can you tell us what factors CISA takes into account when
deciding whether a critical infrastructure operator should be
allowed access to CISA's CyberSentry program?
Mr. Goldstein. Of course. Thank you so much, ma'am. It is a
wonderful question.
So at the outset, our approach for gaining visibility into
cyber threats targeting critical infrastructure is that every
organization should adopt leading commercial solutions so that
they themselves have visibility and can act quickly to detect
and remediate possible intrusions into their network. That is
something that we work closely with all of the leading security
vendors to ensure that we are supporting them in providing
access to the right companies in this country.
Now, for a small number of critical entities across
sectors, the U.S. Government has an operational need to get a
more granular and near-real-time understanding into threats
targeting control systems and operational technology. So the
CyberSentry program is a set of commercial solutions that CISA
provides to a constrained number of organizations across
sectors where CISA's own analysts are able to gain visibility
into cyber threats attempting to access and impact control
systems and OT networks. Actually of course note that
CyberSentry is a great partnership at Idaho National Labs.
We really focus CyberSentry on those organizations that are
most consequential to our National security, economic security,
and public and health and safety, and where we reasonably
expect targeting by advanced adversaries and where CISA's
ability to operationalize sensitive information gives the
company an added layer of security and allows CISA to quickly
detect and assess if an advanced adversary is attempting an
intrusion.
So with the great support of Congress we look forward to
expanding this program over the next fiscal year and beyond.
But this program really is intended for those most
consequential and most targeted entities in our country.
Ms. Rice. How does CISA envision expanding the CyberSentry
program to additional partners, as you mentioned in your
technology? Is CyberSentry scalable to the extent that it can
serve a larger number of systems, or does it need to remain
focused only on those facing the greatest resource challenges?
Mr. Goldstein. Our view is that CyberSentry really should
remain focused on the most consequential and the most targeted
entities in this country. Certainly we do intend to expand the
program, both next fiscal year and beyond, and bring in more
partners across sectors, but at the same time we are working
very closely with commercial cybersecurity companies and with
our partners in the Joint Cyber Defense Collaborative, such
that we have layered ways to gain visibility into threats
targeting critical infrastructure. So for those organizations
that are part of CyberSentry, CISA will be able to gain our own
visibility into threats targeting ICS and OT networks, but also
at partnering with commercial cybersecurity companies and
partnering directly with critical infrastructure. Through the
Joint Cyber Defense Collaborative we are able to get similar
visibility as well.
So our goal is every organization should adopt
cybersecurity detection and prevention capabilities, every
organization should work with CISA to ensure that we are
collaborating and sharing information for that top tranche of
organizations most consequential, most at risk. That is where
our CyberSentry tool is really useful even as it expands beyond
the number of entities today.
Ms. Rice. Great. Thank you so much.
Programs like CyberSentry and the Joint Cyber Defense
Collaborative play an important role in protecting our critical
industrial control systems, but infrastructure operators must
have access to a skilled and well-trained cyber work force of
their own that understands the particular needs of OT security
and how it differs from IT security.
CISA's recent draft of IT-OT conversions report noted that
only 68 qualified workers are available for every 100
cybersecurity jobs and over 600,000 jobs open up for
cybersecurity workers every year here in the United States. It
is even more difficult to find cyber professionals that
understand the OT environment.
Mr. Gipson, how does the Idaho National Lab support Federal
efforts to train a work force tailored specifically to OT
environments and how quickly can a cyber professional trained
to secure IT be trained to protect critical OT systems as well?
How can this committee support Federal efforts to develop our
OT security work force?
Mr. Gipson. Thank you very much for that question.
So Idaho National Lab has been involved in training the
cybersecurity work force for decades at this point and
specializing in the training of those who can do the
operational technology cybersecurity.
So to take someone who is already trained in information
technology cybersecurity and train them to do operational
technology, the principles are exactly the same. So it is not a
state change for those individuals. What is different is the
technical details of it, the data protocols, the
vulnerabilities, the specific threats. So to take an IT person
and turn them into an OT cybersecurity person, that is doable
and Idaho National Lab does that routinely with CISA funding
for many in the commercial work space.
Now, to take those OT professionals and make them truly
capable of securing critical infrastructure, it takes a lot
more than simply the OT cybersecurity professional. We need to
be able to train those engineers who are designing the systems,
the operators who are running the systems, and encourage the
collaboration of multiple parties to ensure cybersecurity. I
know training does that, it forces collaboration and that
collaboration is in many cases a culture change in companies
and so that is the longer pole in the tent.
Ms. Rice. Thank you to both of you witnesses for appearing
here today.
I yield back the balance of my time, Madam Chair.
Thank you very much.
Chairwoman Clarke. I thank the gentlelady from New York.
The Chair now recognizes for 5 minutes the gentleman from
Georgia, Mr. Clyde.
Mr. Clyde. Thank you, Chairwoman Clarke and Ranking Member
Garbarino for holding this important hearing dedicated to
improving the cybersecurity of our Nation's industrial control
systems.
Over the past few years we have witnessed numerous cyber
attacks, both in the United States and abroad. Every day we see
new technology on the market and new devices connecting to the
internet. Unfortunately, it seems that at times our
technological advances have outpaced our ability to maintain
secure IT and OT systems. Cyber attacks can have devastating
consequences, both for the consumer and for the system
operators. However, many private industrial control system
operators may not even be aware of the inherent risks involved
when connecting their system to the internet.
So, Mr. Goldstein, it is good to have you back for another
hearing, sir. I know in the past we have asked you about the
resources CISA has provided to help small businesses establish
and improve cybersecurity measures with respect to information
technology. Could you explain what services CISA provides to
small businesses to maintain the security of operations
technology? There are a lot of small businesses and a lot of
them don't really have any idea what CISA does for OT.
Mr. Goldstein. Yes, sir, absolutely. Thank you for that
question. Of course, a pleasure to rejoin the group here.
I really can't overstate the importance of CISA's regional
work force here. For many small and medium organizations, even
as we push out guidance on our website, on social media, via
virtual meetings and webinars, we know that is not going to
reach many organizations in this country. So with the support
of Congress we are dramatically increasing our regional
footprint across the country so that our regional cybersecurity
experts can meet with local chambers of commerce, can knock on
the door of the local water utility and have, as you note, sir,
a really focused conversation about risks facing operational
technology and control systems.
This is really one important aspect of the cybersecurity
performance goals, because the goal of the performance goals--
and other frameworks like it--is to provide a really succinct
and simple place to start. So organizations that may not be
resourced to develop a fully mature cybersecurity program, may
not have resources to deploy best-in-class cybersecurity
technologies, there are still steps that they can take that
will dramatically improve their security today.
So a combination of easy-to-use succinct guidance in our
regional work force that is able to get out there, knock on
doors, sit down for a cup of coffee and have a conversation,
that is really our key to make sure that we are getting the
word out the right ways.
Mr. Clyde. OK. Thank you.
So on a scale of say 1 to 10, where do you think we are
right now in getting that information out for the small
businesses to understand what CISA is really doing?
Mr. Goldstein. Sir, I think it is asymmetric across
sectors. I think that there are some sectors, for example, the
energy sector, where there are of course a lot of electric co-
ops or municipal utilities that are smaller. I think CISA's
work in cooperation with the energy department has really done
an important job in driving an understanding of risks and an
understanding of controls. I think if we look across other
sectors, for example, thousands upon thousands of small water
utilities in this country, I think we have work to do to make
sure that we are identifying all possible means of
communication and collaboration to, as my co-witness noted,
raise an understanding of the risk in the first instance, so
that organizations don't, for example, just plug a device into
the internet without understanding the risk thereof, and we are
driving adoption of the reg controls and security measures that
are done in a way that is considering the unique attributes of
the OT environment and the requirements for availability and
operational risk therein.
Mr. Clyde. Thank you. Thank you very much for that.
Now, Mr. Gipson, in your testimony, you said from our
decades-long work in building and testing more than 50 nuclear
reactors in the high desert of Idaho Falls, the Idaho National
Lab has developed a deep understanding of OT and cybersecurity
engineering processes needed to secure systems and provide
critical function assurance.
With proper safeguards in place, and one of those being
operational technology security, nuclear reactor energy is, you
know, one of the most clean and reliable sources of electricity
in the world. Having that incredible amount of experience in,
you know, building over 50 nuclear reactors, would you agree
that nuclear reactor energy is perfectly safe with the proper
safeguards in place?
Mr. Gipson. Well, I will caveat it with saying I am not a
nuclear engineer or a scientist, but, yes, modern nuclear
reactors are incredibly safe. Their design is nothing like the
nuclear reactors of the past.
Mr. Clyde. OK, great. Do you think we need more nuclear
reactor capability in this country?
Mr. Gipson. So, once again, away from my area of expertise.
Yes. Having that baseline generation available in a clean and
reliable source like nuclear is an incredible opportunity to
take advantage of and really there is no technical reason why
we shouldn't move out rapidly.
Mr. Clyde. Well, I will tell you, you know, in Georgia we
have two nuclear plants coming on-line in Plant Vogtle just
literally months away, just--early next year the second plant,
just a few weeks away from the first plant and I am really
excited about that.
Chairwoman Clarke. The gentleman's time has expired.
Mr. Clyde. Thank you and I yield back.
Chairwoman Clarke. The Chair now recognizes for 5 minutes
the gentleman from New York, Mr. Torres.
Mr. Torres. Thank you, Madam Chair. Good to see you again,
Mr. Goldstein.
The Federal Government must not only preach but also
practice cybersecurity, it must lead by example. So with that
in mind, does the Federal Government have full visibility into
the OT assets it owns and operates?
Mr. Goldstein. Thank you, sir. Wonderful to see you as
well.
The Federal Government is making extraordinary strides in
getting visibility across the IT and OT landscape. The key to
this is our Continuous Diagnostic and Mitigation, or CDM,
program which has been supported by Congress for many years and
provides really two key elements. First, it funds cybersecurity
tools for all Federal Civilian Executive Branch agencies to
enable that asset visibility and understand the state of
assets, configurations, and vulnerabilities, and then also
provide CISA an on-going feed to what we call our Federal
dashboard to get visibility into the state of assets across the
Federal Civilian Executive Branch. In part by President Biden's
cybersecurity Executive Order last year, we have made
extraordinary progress and now have increasingly high
confidence in the state of asset visibility across Federal
agencies. Now, we are still working every day to identify gaps
in that coverage, make sure that we are catching what we call
shadow IT, instances of IT and OT assets that might be missed
by on-going----
Mr. Torres. It sounds like the answer is no, you don't have
full visibility. I am curious pursuant to NSTAC's
recommendation, is CISA willing to invoke its binding
operational directive to mandate visibility into Federal OT
assets or?
Mr. Goldstein. Sir, we have better visibility than we have
ever had in the history of the Federal Government. What I would
say is any organization conclusively saying they have absolute
confidence, I don't think any entity would say that, but we
have better visibility than we have had. We are making progress
every day on----
Mr. Torres. But are you willing to invoke the authority you
have to mandate visibility?
Mr. Goldstein. Unequivocally we will use every authority at
our disposal to make sure that we have the visibility we need.
Mr. Torres. You noted earlier that the National Security
Memorandum on improving critical infrastructure requires you
and NIST to set both cross-sector and sector-specific
performance goals. What are time lines for finalizing both of
those goals?
Mr. Goldstein. Yes, sir. We are planning to release the
next iteration of the baseline performance goals in October
during cybersecurity awareness month. We are really excited
about this opportunity first to get these goals out in the
community and help owner-operators start using them for their
risk management, but also to keep getting feedback.
Mr. Torres. What is the time table?
Mr. Goldstein. We are releasing the baseline goals in
October, sir, and then from that point we are going to start
working on the sectoral goals. We are going to----
Mr. Torres. Is there a time table for finalizing the
sectoral goals, or?
Mr. Goldstein. We are going to do them in tranches, sir. So
we are going to start off with a few sectors off the bat. I
think the time frame is going to differ by sector. We will see
some sectors where the baseline goals may largely be
sufficient, those will be finalized faster. Other sectors that
have more unique technologies may take longer. But as to the
baseline goals, this will be deeply collaborative in
coordination with the private sector and our partners across
the inter-agency.
Mr. Torres. Now, as you know well, there are 16 sectors of
critical infrastructure, and in addition to partnering with
sector risk management agencies, CISA itself is an SRMA. Remind
me how many agencies or sectors fall within your portfolio?
Mr. Goldstein. Eight, sir.
Mr. Torres. Eight?
Mr. Goldstein. Yes, sir.
Mr. Torres. Is that manageable given the constraints of
your agency? There are some agencies that only have one sector
to oversee, you have eight of them.
Mr. Goldstein. Yes, sir. CISA has unique capacity for both
cyber and physical risk management. It is of course the calling
and mission of our agency, and so we do work closely to support
and enable further maturation of each sector for which we are
the SRMA.
Mr. Torres. Of the eight sectors, which one would you
identify as the most target-rich and resource-poor?
Mr. Goldstein. Sir, there is a variety. I would note
certainly sectors like the dam sector, like critical
manufacturing, given its diversity, and even emergency services
are sectors where we know that adversaries have expressed
interest. A need for maturation is of course on-going.
Mr. Torres. I have read the press releases about the 100
days cybersecurity sprints, but it seems like there is no real
transparency around them. There has been no reporting regarding
the results of these sprints.
So what have been the--do you intend to report the failures
and successes of these sprints or the lessons learned from
them?
Mr. Goldstein. So, sir, because the sprints derived from
the President's NSM, I will defer to the White House for any
reporting.
What I will say in this forum is we have seen different
successes for each sprint based upon the diversity of entities
involved in each. So as one example, for our pipeline sprint we
saw that sprint derive much deeper collaboration between major
pipeline companies and the Federal Government. We have now stood up
within the Joint Cyber Defense Collaborative a new cyber
defense planning effort with the Nation's largest pipelines
that we would not have been able to achieve without the
catalyzing force of these cybersecurity sprints.
For the water sprint, we were able to get an increasing
number of companies signed up for our voluntary cyber hygiene
vulnerability scanning services and were able to get more water
entities interested in and signed up for CyberSentry.
So we at CISA certainly are seeing benefit and value from
these sprints, but the value is different inherently based upon
the different nature of the entities involved for each.
Mr. Torres. I see my time has expired, so.
Chairwoman Clarke. I thank the gentleman from New York.
The Chair now recognizes for 5 minutes the gentleman from
Mississippi, Mr. Guest.
Mr. Guest. Thank you, Madam Chairman.
I first want to thank both of you individuals for joining
us today for this hearing.
Mr. Gipson, in your written testimony that you submitted, I
think you did a great job summarizing the difference between
the risk associated with IT and OT technology. For those who
may be watching this hearing who may be, as I am at times,
technologically challenged, can you kind-of walk through that
since they don't have the benefit of what I have in front of me
of the differences and the risk associated with those different
systems. Very quickly.
Mr. Gipson. Of course. Thank you for the opportunity again.
So as I ran through in my testimony, the IT and OT are
different in a number of ways, specifically the ones I wanted
to highlight were that IT is typically upgraded to replace every
3 to 5 years, software and firmware is frequently updated and
patches are routinely installed, whereas with operational
technology, because that is designed to in many cases last
decades, those systems are often only updated every--whenever
there is a noticeable failure. So very large difference in how
modern the systems are.
When it comes to the standardization, there is existing
guidance, cybersecurity best practices widely available for IT
that many practitioners are trained in, whereas with
operational technology, that simply does not exist.
Then finally, when it comes to cybersecurity tools, I
mentioned discovery tools, but it is not only that, it is the
ability to do things like intrusion detection, network
analysis, widely available on the information technology side,
but still very rare on the operational technology side. So
there is a lot that still needs to happen to mature not only
the practice of operational technology, but all of the support
that goes with it that will come from industry. That needs to
happen in parallel with training that operational technology
cybersecurity work force and training many others involved in
critical infrastructure on what to know about cybersecurity.
Mr. Guest. Then you continue on page 3 and you talk about
vulnerabilities, specifically I believe to OT systems. You talk
about vulnerabilities being inherent in the systems themselves,
but you say that they are also introduced by adversaries
through supply chain operations.
Can you talk a little bit about supply chain operations and
how adversaries are able to exploit systems through that
mechanism?
Mr. Gipson. Yes. So when I speak of inherent
vulnerabilities, that is what comes in, a piece of hardware, a
piece of software, poor design, poor coding, mistakes people
make, things that are errors that we didn't know at the time
the device or service was created. They are inherent to the
product.
Externally introduced is something that an adversary does
to put a vulnerability into a product. That can happen anywhere
along the supply chain. At the point of manufacture an
adversary can introduce a vulnerability into a component or a
system. At the point of shipping, an adversary can do that same
thing. So along that supply chain are equipment, the component
in the systems sometimes are exposed to adversaries who can
manipulate them and introduce those vulnerabilities. Then
likewise, because not everything in any system is developed in-
house, there are other products that are introduced and
incorporated into systems as they are designed and built. Each
of those products has that same exposure to supply chain
vulnerabilities.
So it is a remarkably difficult problem to know the entire
supply chain, let alone secure the entire supply chain for a
system.
Mr. Guest. There have been recent efforts by Congress to
move some of those manufacturers of some of these critical
components back to the United States. As we see that
legislation become successful, as we see these companies move
back from foreign nations, particularly China, back to the
United States, do you think that that will help with this
supply chain issue that you have referred to here in your
report?
Mr. Gipson. I believe that will help. That is one piece of
what needs to be done to help better secure the supply chain.
It is a broad-based large problem, an issue that needs to be
widely addressed.
Mr. Guest. Thank you.
Madam Chairman, I believe I am out of time, so I will yield
back.
Chairwoman Clarke. I thank the gentleman from Mississippi.
We are going to enter into a second round of questioning at
this time. This is a very important subject matter, something
that we are trying to wrap our brains around and you two have
the expertise to really get us where we need to be in terms of
our vision for what we can do here from the Committee on
Homeland Security.
So as I said in my statement, I believe we need to revamp
our playbook for securing OT and the common baseline
performance goals that CISA is developing might create a
foundation to do just that, but only if CISA gets it right by
working with the stakeholders to make sure that goals are
effective, translated across sectors, and address the unique
needs of OT operators.
So let me just ask, Mr. Goldstein, what mechanisms does
CISA have in place to engage with stakeholders and solicit
feedback? Is CISA proactively seeking new untapped stakeholder
groups who may have novel insight to share?
Mr. Goldstein. Yes, ma'am, absolutely.
As you note, very correctly, the baseline performance goals
are voluntary by intent and design and the only way that
organizations will use these goals to advance their own risk
management and drive investment toward the most important
security outcomes is if they are seen as credible, as valid, as
helpful.
The only way we can achieve that is through a collaborative
process in development. We have gone through two rounds of
robust stakeholder feedback, both of which included public
review. We received, remarkably, over 2,000 comments on the
cybersecurity performance goals and held a variety of
workshops, including both for sectoral partners and the general
public, as well as listening sessions across our stakeholder
groups.
Now, the point you raise, ma'am, is really important
because one goal here we had was to make sure that we are
getting input not just from the stakeholders who we talk to at
CISA every day, but also a diversity of individuals and groups
with unique views. So we reached out uniquely to our
international partners, to academia, to researchers, to owner-
operators, device manufacturers, integrators, entities, across
the spectrum.
Really importantly here, even after we released the next
iteration of the baseline performance goals, our work on these
goals isn't done, because we understand that as organizations
begin to use these baseline goals in practice, they are likely
to have observations and feedback that will help us make these
even more useful. So our intent is to leave the door open for
feedback on these baseline goals and actually do a fairly agile
revision and update cycle so we can keep getting input and keep
improving these again so organizations can use these on a
voluntary basis with frameworks, like the NIST cybersecurity
framework, to advance their risk management and measurement
thereof.
Chairwoman Clarke. It is good to hear that there is on-
going exchange taking place, because this is an ever-evolving
threat and need to really keep up to speed.
Now, for the sprints, CISA is in a supporting role to the
sector research management agencies. How does CISA adjust that
support based on the capacity and expertise of each SRMA?
Mr. Goldstein. Yes, ma'am.
So CISA is a source of expertise and cybersecurity risk
reduction services, to critical sectors with and through the
various SRMAs. As you know correctly, the level and type of
support that we offer varies not only by the SRMA, but also by
the sector itself. So in the context of the cyber sprints
directive by the President's National Security Memorandum, for
sectors, for example, like the pipeline sector, where many
organizations have well-resourced security programs, you know,
our level of support was different and actually providing, you
know, more guidance, more coordination, and now really moving
toward on-going operational collaboration to help more quickly
identify and respond to emerging threats, risks, and
vulnerabilities.
Conversely, for the water sector, given the over 50,000
water entities in this country, many of which are dramatically
resource-constrained in cybersecurity, our role is really
different. Our role is thinking through how we can help them
provide capabilities, provide services, or for public entities,
through our new SLTT Cyber Grant Program, actually provide them
resources to improve their programs. So the heterogeneity of
sectors does call for a different level of support from CISA
depending on the partners we are working with.
Chairwoman Clarke. Then, finally, I know CISA wants to
expand the CyberSentry to new partners. What is stopping you
from doing that faster?
Mr. Goldstein. Yes, ma'am.
So the expansion of CyberSentry is on-going. We have gotten
wonderful feedback on this program from the partners who are on
board today, with the support of Congress, both resourcing and
authorizing the program in the past year. We will be expanding
throughout fiscal year 2023. We do want to be thoughtful and
rigorous about the entities to whom we expand to make sure that
they meet our requirements for consequentiality and risk and
also that they are able to make best use of this program in
conjunction with the commercial solutions that they already
have deployed.
Chairwoman Clarke. Very well.
We have been joined by one of our colleagues who wasn't
with us in the first round but is now here with us, Mr.--
Ranking Member, I am just going to--yes. I am going to--the
Chair now recognizes for 5 minutes the gentleman from Kansas,
Mr. LaTurner.
Mr. LaTurner. Thank you, Madam Chair. I appreciate it.
With the increase in prevalence of internet of things
devices and connections between OT and IT systems, the cyber
risk faced by our Nation will surely grow. I am sure we all
heard from constituents about this threat and about attacks
that have crippled vital businesses in our districts. In
Kansas, 10 FSB officers hacked into a nuclear power plant in my
district in 2017, and while they did not gain access to the
cyber systems that operate the facility, the attack makes clear
the importance of increasing our cybersecurity capability so
that utilities can operate as a partner for the defense of the
Nation.
In order for utilities to perform that role as expected by
Government, they need timely and actionable information that
they can take and respond to effectively. I appreciate the work
that both CISA and INL are doing to meet those needs of
industry and would like to thank each of our witnesses for
being here today and sharing your expertise.
Mr. Gipson, you shared in your testimony about the
importance of cyber physical test environments, like INL's
control environment laboratory resource. How can industry
partners like the nuclear plant in my district better leverage
test ranges, like CELR?
Mr. Gipson. Thank you. It is a wonderful thought.
The CELR, or that test range, think of that as a scaled
version of a representative test range where practitioners,
individuals can learn how to secure the operational technology
while simultaneously seeing the physical system that is being
controlled. So this is done at a scaled-down model size.
Now, it is wonderful because it helps see and visualize not
only the cyber activity but also the physical results of any
cyber mitigation. Now, it is even better if those same sorts of
activities can be done at life-size scale. At Idaho National
Lab we have that life-size scale. You know, the place is big,
it is 890 square miles. That is 13 times the size of
Washington, DC. We have a test bed for electricity, a small
water test bed, some other things. But there is no mechanism
right now to open that up to public use without specific
funding, either by private entities or more often, more
normally, the Government.
Mr. LaTurner. I appreciate that.
I understand INL hosts an ICS community of practice that
brings together ICS professionals across the Government,
academia, and the industry. Is this group focused on the energy
sector specifically?
Mr. Gipson. No. ICS, industrial control system, community
of practice is broader and it welcomes practitioners from all
sectors. It is over a couple of hundred participating members
now that is driving the maturation and training of ICS among
those practitioners.
So that is an opportunity for collaboration that is easily
grown as more learn of its existence and how it can benefit
them.
Mr. LaTurner. Talk to me--I don't have a ton of time left,
but it is so important--what efforts are under way with the COP
on work force development and increasing the talent pipeline in
OT cybersecurity?
Mr. Gipson. So this is where Idaho National Lab spends a
lot of effort. The training and development of that
cybersecurity, and especially the operational technology
cybersecurity work force. There are a variety of classes
offered that can be attended either in-person or virtually that
allow the hands-on learning of what it takes to secure critical
infrastructure.
As I mentioned earlier, one of the great things about the
offerings is that it allows the collaboration, and in many
cases forces the collaboration beyond what the operational
technology cybersecurity person normally does. That is critical
to being able to secure cyber physical systems.
Now, in addition to those courses that are available to
anyone--CISA funds many of those--through the development of
courses for particular sponsors, like those within the
Department of Defense and other areas, and in those cases we
try to train the trainer so that it can be easily grown and
expanded upon.
Mr. LaTurner. Thank you.
I yield back, Madam Chair.
Chairwoman Clarke. I thank the gentleman.
I now recognize our Ranking Member, the gentleman from New
York, Mr. Garbarino, for any additional questions he may have.
Mr. Garbarino. Thank you, Chairwoman.
Again, thank you to the witnesses for being here today.
Mr. Gipson, can you speak--we have--I don't think we have
touched on it really at all today, but can you speak in greater
detail about National Lab's Malcolm Tool and, you know, how are
CISA and other organizations, Government organizations
utilizing this and other tools like this?
Mr. Gipson. Thank you for that.
Malcolm, for those who aren't familiar, is an open-source
analysis framework. The beauty of that is it is open source.
Anyone can download the code, it is available on GitHub, and it
allows those practitioners in cybersecurity to have a tool set
to be able to better analyze that operational technology
network data.
So as I mentioned in my testimony, these types of tools are
widely available for IT cybersecurity professionals and
analysts, but not so much on the OT side. So with CISA's
funding, that Malcolm capability has been made available to
everyone in the world.
Mr. Garbarino. Is there room for a tool like this to go to
the OT side? Is that possible or not really?
Mr. Gipson. No, in fact Malcolm is available for the OT
side. I mean emphasize that while there are many tools
available from vendors to analyze IT data, not as many on the
OT side. This is where Malcolm fills a gap and can help those
analysts manipulate the data to be used in other IT available
tools.
Mr. Garbarino. Mr. Goldstein, is there a way--how do we get
more people to use this tool and similar tools like it? I mean
is it something that we just need to educate people of its
existence and then hopefully they use it? Or what thoughts do
you have?
Mr. Goldstein. Yes, absolutely.
So just to echo the good points of my co-witness,
developing these sorts of open-source tools that meet specific
security needs of the ICS and OT community is a key effort for
both CISA and our colleagues at INL. So, you know, Malcolm is a
wonderful tool. There are more to come. We continue to evaluate
requirements and then develop and release as open source new
tools that fulfill known gaps in the community.
To your point, sir, these tools are not useful if they are
not being used. So part of our effort is to make sure that
through efforts like INL's ICS community of practice, but also
through groups that we sponsor at CISA, like the ICS joint
working group that every year puts together thousands of
practitioners around the world in this space, as well as frankly
being out there on the conference circuit, speaking at the
events like the S4 Conference every year and making sure that
we are evangelizing the usefulness of these tools to
organizations and practitioners. That is really key so that
they can actually drive down risk in practice.
Mr. Garbarino. Would it make sense to make this--we have
this as you said the State and local grant applications, could
CISA require to be able to get access to these grants
utilization of some of these tools as part of the application?
Would that help it expand use?
Mr. Goldstein. Certainly we are thinking carefully through
how we can utilize the grant program in the future to
incentivize adoption of the right security measures and
controls for many organizations that will be utilizing our
grant programs. There are likely more foundational investments
that will help them get to the point where they can use a tool
like Malcolm more effectively.
Mr. Garbarino. I appreciate both your answers on this and
look forward to hearing about more tools in the future.
So thank you very much and I yield back.
Chairwoman Clarke. I thank the gentleman, our Ranking
Member, for his questions.
We have been joined by some additional colleagues and I
want to give them an opportunity to ask their questions at this
time.
So the Chair now recognizes the gentlelady from Texas, Ms.
Sheila Jackson Lee, for her questions at this time.
Ms. Jackson Lee. Madam Chair, I am passing at this time.
Thank you.
Chairwoman Clarke. Very well.
I will then recognize the gentleman from Rhode Island, Mr.
Langevin, for 5 minutes.
Mr. Langevin. Thank you, Madam Chair.
I want to thank our witnesses for their testimony today and
what they are doing to better secure the country in cyber
space. I deeply appreciate your efforts.
I wanted to follow up on a discussion that had taken place
a little while ago about using binding operational directive
authority requiring executive civilian branch departments and
agencies to inventory the OT assets under their control as the
NSTAC recommended in its related report to the President on IT
OT convergence.
So my question is how well-resourced is CISA to support
compliance with such a directive and integrate agency
information about OT assets into its responsibilities as the
operational lead for Federal cybersecurity?
Mr. Goldstein. Thank you, sir. Of course, a privilege to
see you as always.
I will answer that in two parts. At the outset, the way
that we have designed our continuous diagnostic and mitigation
program is that agencies have the tools and have the
connectivity with CISA's Federal dashboard to provide that
asset visibility, both at the agency level and at a more
aggregated level to CISA with the ability for CISA also to do
deeper analytics into what we call object-level data, the
characteristics of specific devices running on a network. We
have a robust team at CISA focused exclusively at drafting,
issuing, but then ensuring adherence to our binding operational
directives. One key threshold criteria for issuance of a
directive under our authorities at CISA is an assessment of our
ability to measure adherence and ensure appropriate escalation
with agencies if adherence does not meet our requirements.
So as we evaluate the use of our authorities to ensure
appropriate asset visibility across both IT and OT assets, that
will be top of mind. Our sense is today that we do have the
technology and governance in place to enable that adherence if
and when we do utilize such authorities.
Mr. Langevin. OK. Thank you for clarifying that.
Of course finding solutions to the OT visibility problem
should not exclude private-sector critical infrastructure
owners and operators. To both of our witnesses, I wanted to
ask, what are some of the major impediments right now facing
critical infrastructure owners and operators and their Federal
partners in cataloging OT assets and instances of IT-OT
convergence? What can Congress do to help overcome those
impediments?
Mr. Goldstein. Yes, sir, I will offer a thought and
certainly welcome views from my co-witness.
You know, at the outset, a through line throughout this
hearing has been the important differences between IT
management and IT cybersecurity versus the control systems and
OT environment. I think one example of this is for most IT
practitioners and cybersecurity professionals, you know, IT
asset management is considered to be a foundational enabler of
cybersecurity. To that end, there are a variety of tools and
solutions in place to enable that visibility. Transposing those
sorts of tools directly onto control systems and OT
environments is non-trivial and in fact may not be fit for
purpose given the unique aspect of control systems and OT
environments.
Additionally, the individuals or teams accountable for IT
asset management in a given organization may be quite different
from the ones who are managing the OT environment. So two key
steps are to ensure that there are solutions available for OT
asset management that take into account the unique attributes
of control systems and operational technology and that there is
convergence between the teams, the individuals who are
accountable for asset management to ensure that IT security and
OT security are considered together given the unique linkages
between those environments.
Mr. Langevin. OK. Thank you.
Let me turn now finally to OT cybersecurity work force
development. Critical infrastructure cybersecurity, especially
as it pertains to the security of the industrial control
systems requires a work force with specific skills that aren't
always identical for those needed for traditional IT
cybersecurity.
So to be sure traditional IT cybersecurity skills are
valuable for a critical infrastructure cybersecurity operator
to have, but equally importantly I think those operators must
have an understanding of the engineering principles underlying
specific ICS devices and the systems they control, as well as
the knowledge of how to maintain physical and environmental
safety in the operation of such devices. Have you seen
challenges in critical infrastructure owners' and operators'
ability to attract ICS cybersecurity talent with expertise in
each of these areas? Are there opportunities for the Federal
Government and Congress specifically to support the development
of these skills across the ICS cybersecurity work force?
Mr. Goldstein. Yes, sir. This absolutely is an area of
urgent focus and concern. My co-witness outlined some of the
important work from Idaho National Labs to address this delta,
but certainly we know that our Nation is facing a real
workforce crisis in the cybersecurity work force generally. As
you well note, sir, these specialized skills to operation
control systems or OT cybersecurity environment are even more
specialized and require an understanding not only of
cybersecurity but also of the unique operational considerations
that are inherent in control systems and OT.
CISA is working closely with partners, including INL,
including our colleagues at DOE, to provide curricula, courses,
hands-on training, to address this gap, but we need to do more.
Certainly as control systems and OT become more and more
ubiquitous and relied upon across sectors, this will be an area
where the Federal Government, the private sector, academia, and
with the support of Congress, we really need to invest and
focus.
Mr. Langevin. Very good.
Thank you, Madam Chair. Thank you to our witnesses for
their testimony.
I yield back.
Chairwoman Clarke. So I wish to thank the witnesses for
their valuable testimony and the Members for their questions
today.
The Members of the subcommittee may have additional
questions for the witnesses and we ask that you respond
expeditiously in writing to those questions.
The Chair reminds Members--it looks as though we do have
another question from--we are working hybrid here, so I did
recognize that our chair--excuse me, Congresswoman Sheila
Jackson Lee of Texas is now recognized for 5 minutes. Excuse
me. Congresswoman Lee, I think you need to unmute. We can't
hear you, can you unmute?
Ms. Jackson Lee. Can I be heard now?
Chairwoman Clarke. Yes, you can.
Ms. Jackson Lee. All right. Well, let me just say that
hybrid is certainly helpful, but challenging sometimes.
To the witnesses, let me thank you for your testimony. To
Madam Chair, thank you and Ranking Member for very important
hearing. Members are detained in other matters and I did want
to make sure in this important hearing I raise two questions.
So I would like the witnesses to answer them as they are
able to do so.
We have been working with the issue of industrial
infrastructure for a very long time. I remember chairing the
Transportation Security Committee, which had infrastructure as
part of its jurisdiction. Really, in the old days, if you will,
we had not reached the level of fear or apprehension about
cyber attacks. They were probably more physical attacks as
relates to industrial infrastructure. But I would like to ask
the level of threat, the level or the rate of threats you think
are to America's industrial infrastructure. What level are we
at? How can we educate the industrial community--I think some
are more informed than others--on the level of threat?
Secondarily, as relates to the work force, are you working
with historically Black colleges, Hispanic-serving institutions
to help them steer toward programs that would help build the
work force?
If those who are able to answer those questions to do so, I
would appreciate it. I thank the Chair for her indulgence.
Mr. Goldstein. Thank you, ma'am.
On the first question, the level of threat facing control
systems and operational technology is significant. I will call
particular attention to the variety of products that CISA and
our partners released during our Shields Up campaign subsequent
to Russia's unprovoked invasion of Ukraine, which included
advisories focused on threats to, for example, programmable
logic controllers, interval power supplies, and similar
technology widely used in the ICS and OT context. We know that
the consequentiality of an intrusion into these systems is very
significant and therefore we must be concerned about steps to
ensure their security and resilience under all conditions.
On the second question, ma'am, absolutely. You know, as
much as we need to address the cybersecurity work force gap in
this country, we need a cybersecurity work force that reflects
the diversity of America. So at CISA we are deeply focused on
working with HBCUs, with MSIs. We are excited to host our
upcoming CISA Cyber Summit in October with a number of HBCUs in
the Atlanta, Georgia area in coordination with those entities
to ensure that we have a pipeline that dramatically changes.
The diversity of our cyber work force is foundational to our
strategy.
Ms. Jackson Lee. I think I still have a little bit of time.
I think many of us would be very much interested in a
summit of that form. Are you suggesting that colleges outside
of Atlanta can come? Or otherwise would you reach my office? I
think the southwest region sometimes gets overlooked and we
have a sizable population of historically Black colleges in the
region and would like to offer that region, and Houston in
particular, for another site for such a summit. Because this is
crucial to help build the platforms of programs that colleges
can begin to start with to help assist in the work force
development going forward.
Mr. Goldstein. Yes, ma'am. I am confident that we value the
chance to work with HBCUs and MSIs in your district and will
certainly follow up with your team.
Ms. Jackson Lee. Thank you so very much.
Madam Chair, I thank you so very much for this hearing and
I yield back.
Chairwoman Clarke. Before we close, I am going to give one
more opportunity. Anyone virtually who has any questions at
this time and wishes to be recognized?
Very well.
With that, I thank you once again. I thank our witnesses
for your valuable testimony and the Members for their
questions. The Chair reminds Members that the subcommittee
record will remain open for 10 business days.
Without objection, the subcommittee stands adjourned.
[Whereupon, at 11:28 a.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions From Chairwoman Yvette D. Clarke for Eric Goldstein
Question 1a. CISA has published a fact sheet supporting and
prioritizing the migration to post-quantum cryptography for public and
private entities. Given that National Critical Functions (NCFs) are
reliant on ICSs, how can Congress support CISA's efforts to provide
additional targeted guidance to NCFs that require more aid?
Question 1b. Can CISA provide a list of NCFs that require the most
aid based on level of priority?
Question 1c. What additional resources are shared with SRMAs to
provide support as the entities transition to post-quantum
cryptography?
Answer. The transition to post-quantum cryptography (PQC) requires
that the National Institute of Standards and Technology (NIST)
standardize the new algorithms that have been developed to resist
attack by a cryptographically-relevant quantum computer. These
algorithms are not yet standardized and therefore not included in
commercially-available systems for ready adoption by critical
infrastructure owners and operators. As PQC proceeds through the
standardization process at NIST and more PQC algorithms appear in
systems that owners and operators can adopt, the Cybersecurity and
Infrastructure Security Agency (CISA) will achieve a better
understanding of which sectors and functions need greater aid and
support to transition to PQC.
CISA and NIST recently held an all-sector call with a large number
of critical infrastructure cybersecurity executives to inform them of
the upcoming transition to PQC and recommend that they conduct an
internal inventory of their current cryptosystems to better understand
the scope of what their organizations will need to transition.
CISA has highlighted several National Critical Functions that are
dependent on ICS and may benefit from additional support to prepare for
and execute the migration to post-quantum cryptography:
Generate Electricity
Distribute Electricity
Transmit Electricity
Transport Cargo and Passengers by Rail
Transport Cargo and Passengers by Vessel
Transport Materials by Pipeline
Transport Passengers by Mass Transit
Manage Hazardous Materials
Manage Wastewater
Store Fuel and Maintain Reserves
Exploration and Extraction of Fuels
Fuel Refining and Processing Fuels
Manufacture Equipment
Produce and Provide Agricultural Products and Services
Produce and Provide Human and Animal Food Products and
Services
Produce Chemicals
Provide Metals and Materials
Supply Water
Provide Internet-Based Content, Information, and
Communication Services
Provide Identity Management and Associated Trust Support
Services
Provide Information Technology Products and Services
Protect Sensitive Information.
CISA continues to partner closely with NIST, other U.S. Government
partners, and private-sector partners to support a smooth transition to
post-quantum cryptography, as called for in National Security
Memorandum-10, when new standards are available.
Questions From Ranking Member Andrew R. Garbarino for Eric Goldstein
Question 1. A major challenge public and private-sector critical
infrastructure owners and operators face is balancing the priorities of
enhancing security and modernizing legacy equipment. There are
sensitivities around when certain devices on the network can be taken
off-line for updates versus when they need to be on-line and operating.
With the introduction of new regulations and guidelines related to
industrial control system (ICS) modernization and security,
organizations are forced to make difficult decisions.
Understanding these difficulties, can you describe how CISA is
partnering with its Federal agency partners to provide owners and
operators with assistance in market research to better understand what
resources are available to assist with these common issues?
Answer. CISA has received substantial input during stakeholder
outreach activities in support of the development of cybersecurity
performance goals for critical infrastructure that echoes the challenge
you have outlined. CISA's primary forum for engaging with interagency
counterparts on the topic of modernization is the monthly Control
Systems Interagency Working Group. Additionally, CISA leads a Control
Systems Working Group that brings together both industry and
interagency representatives to talk through ICS challenges. Going
forward, CISA intends to use both bodies, as well as the activities
associated with our roll-out of the cybersecurity performance goals, as
opportunities to both garner feedback and share recommendations and
best practices with the community on how to safely and effectively
approach modernization.
As an example, CISA has worked with the U.S. Department of Energy
(DOE) to support market research, including through publication of
recommended considerations for organizations seeking to adopt and
deploy ICS/operational technology (OT) monitoring solutions. These
recommendations consist of a vendor-agnostic framing of capabilities
and feature-sets, which CISA and DOE believe to be most critical in
ensuring the procured tool delivers value to the adopter and
meaningfully reduces risk to ICS/OT assets.
Another example of support that can aid in market research for ICS
investment are the recently published Cybersecurity Performance Goals
(CPGs) for Critical Infrastructure. These goals were developed as a
minimum baseline of cybersecurity activities for critical
infrastructure, that should inform where organizations should
prioritize resource investments for the most effective reduction of
cyber risk. While the goals themselves are vendor and platform-
agnostic, they do inform what practices organizations should be
implementing.
Question 2a. Core to CISA's mission is gaining centralized,
holistic visibility across Federal Civilian Executive Branch (FCEB)
networks. Recognizing that you can't secure what you can't see, the
fiscal year 2022 Consolidated Appropriations Act included $65 million
in CISA funds for ``attack surface management and National
vulnerability incident response.'' The accompanying House report for
this funding appropriately recognizes that, ``Unlike DoD, CISA remains
heavily dependent on manual self-reporting for situational awareness of
internet-facing attack surfaces, creating a fractured and inaccurate
snapshot of vulnerabilities in the Federal civilian cybersecurity
ecosystem.'' Effective execution of these fiscal year 2022 funds could
finally give CISA continuous visibility over the entirety of the
internet-facing FCEB attack surface through the eyes of the adversary.
Recognizing Congressional intent, what is CISA's plan to execute
the $65 million of fiscal year 2022 funds? How much of those funds have
been executed to date?
Question 2b. In line with the direction of the report language, how
is CISA evaluating state-of-the-art commercial solutions?
Question 2c. Are the lessons from successes elsewhere in Government
standing up similar attack surface management programs being
appropriately incorporated into CISA's plans?
Answer. CISA remains appreciative of Congress' on-going support of
the Agency's cybersecurity mission, including support of enhanced
visibility into threats targeting the internet-facing Federal Civilian
Executive Branch attack surface.
CISA has obligated 100 percent of the funds appropriated in fiscal
year 2022 for Attack Surface Management (ASM). To date, the agency has
executed a portion of the obligated appropriations (20 percent) to
initiate a technology assessment to identify candidate tools to advance
CISA's ASM capabilities, specifically in the areas of asset discovery,
vulnerability enumeration, domain and subdomain discovery, passive
scanning, and web app scanning. In addition to the technology
assessment, funding has been executed to bolster CISA's analytic
capabilities through enhanced data feeds and data analytics, a necessary
prerequisite to expansion of our ASM capabilities.
CISA's evaluation has consisted of in-house market research and
proof-of-value assessments, coordination with other Federal agencies
(including the U.S. Department of Defense (DoD)) who have stood up
similar ASM capabilities, and an independent assessment conducted by
Lawrence Livermore National Laboratory, which concluded in September.
CISA intends to execute the remainder of the obligated-but-not-yet-
expended fiscal year 2022 appropriations to implement state-of-the-art
commercial technologies over the duration of this fiscal year to ensure
that the agency is providing maximum benefit to our stakeholders, and
will continue to coordinate with DoD and other Federal agencies
throughout the duration of funding execution and associated capability
implementation.
Question 3. How should the adoption of modern ``zero trust''
architectures and the latest cybersecurity standards be encouraged as
ICS and operational technology (OT) systems become more internet-
connected?
Answer. Due to the unique design limitation inherent in many ICS
and OT assets, full implementation of Zero Trust across ICS and OT
environments is especially difficult. Wide-spread utilization is likely
not feasible until there is a critical mass of available products and
infrastructure that supports such efforts. While wide-spread adoption
may be difficult, more mature organizations can likely begin applying
Zero Trust concepts to some elements of their infrastructure where
possible. CISA continues to leverage our monthly Control Systems
Interagency Working Group (CSWG), public-private Control Systems
Cybersecurity Working Group (CSCSWG), and our Joint Cyber Defense
Collaborative-ICS group to share lessons learned and best practices to
accelerate adoption of Zero Trust controls across ICS and OT
environments.
Question 4. CISA helps Federal agencies implement the Cybersecurity
Executive Order and Federal Zero Trust Strategy to move to more modern,
defensible cyber architectures.
How is CISA working to encourage adoption of ``zero trust''
approaches to cybersecurity by critical infrastructure owners?
Answer. CISA has developed guidance and is planning to establish a
Zero Trust program office to lead and support the adoption of Zero
Trust in the Federal Civilian Executive Branch. The guidance
publications are Cloud Security Technical Reference Architecture
(CSTRA) and the Zero Trust Maturity Model (ZTMM), and are intended to
address modernization, cloud migration, and zero trust strategies and
approaches that can be broadly applied to support Executive Order 14028
and associated strategies and policies.
The CISA Zero Trust Program Office was identified in the National
Security and Telecommunications Advisory Committee's Report To The
President, Zero Trust and Trusted Identity Management, February 23,
2022. The report provided recommendations that CISA should take to
incorporate Zero Trust practices into Federal cybersecurity programs
and services. To date, the CISA Cybersecurity Division has initiated
planning efforts to support the establishment of the program office
with key lines of effort intended to address critical. This work will
be necessary to evolve and mature Zero Trust implementations
within Federal agencies.
The CSTRA was co-authored by CISA, Federal Risk and Authorization
Management Program, and United States Digital Services and addresses
Zero Trust architecture and protections concepts and approaches
intended to guide agencies that modernize and migrate applications,
data, and services to the cloud. This guidance focuses on cloud hosting
environments to ensure that cybersecurity and data protections, as well
as monitoring and visibility, are consistent with organizational risk
management practices. The ZTMM was developed to support and guide
agencies as they develop strategies and implementation plans to
transition from perimeter-focused architectures to Zero Trust. The
maturity model utilizes five pillars and cross-cutting functions to
explain key capabilities to advance and evolve zero trust within on-
premise and cloud hosting environments.
Question 5. In July, TSA issued a revised cybersecurity directive
for pipelines owners to apply ``zero trust'' cybersecurity elements to
any information technology (IT) or OT system connected to a critical
pipeline or facility. Federal agencies are also implementing zero trust
architectures following requirements from the Cybersecurity Executive
Order.
Should similar zero trust requirements for IT and OT systems be
encouraged across all critical infrastructure sectors?
Answer. The disruptive ransomware attack on Colonial Pipeline in
May 2021 revealed a continuing significant National security risk with
critical vulnerabilities in the pipeline sector that previous voluntary
efforts did not sufficiently mitigate. Following the incident, the
Transportation Security Administration (TSA) issued two Security
Directives mandating that pipeline owners and operators implement
several critically-important and urgently-needed cybersecurity
measures. TSA developed these directives in close consultation with
Federal partners, including CISA, the Pipeline Hazardous Materials and
Safety Administration, and DOE. TSA is working closely with the
pipeline industry to ensure the successful implementation of the
measures required by the directives.
While Zero Trust does represent an effective approach to security,
and is certainly a strong and growing trend, there are unique
considerations to its utilization in OT environments. The most
pertinent of these considerations is that many OT assets were
originally designed with a focus on safety and reliability with limited
focus on security. Therefore, many OT environments likely do not
support effective utilization of Zero Trust, at this time. Before
adoption can be widely encouraged, the most effective immediate action
would likely entail working with OT vendors to recognize Zero Trust as
a desired attribute in future product sets. Additionally, Zero Trust is
likely too complex of an implementation for many small and medium-sized
entities for the time being; it may, however, be a more realistic goal
state for more mature and better-resourced organizations.
Questions From Honorable James Langevin for Vergle Gipson
Question 1. What are some of the major impediments facing critical
infrastructure owners and operators and their Federal partners in
cataloguing Operational Technology (OT) assets and instances of
Information Technology (IT)/OT convergence, and what can Congress do to
help overcome those impediments?
Answer. The convergence of IT/OT is not understood well enough
within critical infrastructure owners and operators. From Idaho
National Laboratory's (INL's) perspective, we have seen cases where
owners and operators were not aware of IT/OT convergence in their
systems. More educational training and improved information sharing
between public and private-sector partners are needed. INL recommends
Congress support these measures in the National Plan and Presidential
Policy Directive-21 rewrites.
Further, many OT assets do not support the typical tools--like
asset identification--commonly used by the IT sector. In fact, many IT
tools may negatively impact OT operation because of their interrogation
techniques. The commercial and research communities are working to
address this problem and further investigation and testing against
representative models of common process environments will be needed to
achieve higher rates of success of these solutions. We recommend that
Congress continue to support development and expansion of Digital Bill
of Material (DBOM), to include Software Bill of Material (SBOM) and
Hardware Bill of Material (HBOM), as the most promising method to
document OT assets.
Question 2. Critical infrastructure cybersecurity, especially as it
pertains to the security of industrial control systems (ICS), requires
a workforce with specific skills that are not always identical to those
needed for traditional IT cybersecurity. To be sure, traditional IT
cybersecurity skills are valuable for a critical infrastructure
cybersecurity operator to have. But equally importantly, I think those
operators must have an understanding of the engineering principles
underlying specific ICS devices and the systems they control, as well
as the knowledge of how to maintain physical and environmental safety
in the operation of such devices.
Have you seen challenges in critical infrastructure owners and
operators' ability to attract ICS cybersecurity talent with expertise
in each of these areas, and are there opportunities for the Federal
Government, and Congress specifically, to support the development of
these skills across the ICS cybersecurity workforce?
Answer. There is a Nation-wide shortage of workers with IT
cybersecurity skills, and an even larger shortage of workers with OT
cybersecurity skills. Asset owners and operators, as well as vendors
and others, have had significant challenges in attracting right-skilled
workers. In addition to OT cybersecurity courses offered in the private
sector, Idaho National Laboratory (INL) continues to develop and offer
advanced and tailored OT cybersecurity training. Furthermore,
specialized programs, such as the Department of Energy's ``Operational
Technology Defenders Fellowship,'' have brought together the right
industry and Government stakeholders to develop the knowledge and the
relationships to better defend U.S. critical infrastructure. We
recommend Congress support expansion of the OT Defender Fellowship to
sectors beyond the energy sector and to additional stakeholders.
Further, there is a shortage of OT cybersecurity workers who have
working knowledge of the systems and processes their operational
technology is controlling. Perhaps even more detrimental to security,
there is a shortage of engineers and operators who have a working
knowledge of cybersecurity. We recommend Congress expand its support of
Cyber-Informed Engineering (CIE) and Consequence-Driven CIE to sectors
beyond the energy and defense sectors and to additional stakeholders.
Questions From Ranking Member Andrew R. Garbarino for Vergle Gipson
Question 1. Critical National infrastructure is susceptible to a
variety of cybersecurity threats, reliability concerns, aging
equipment, and resource limitations. To add to the complexity, grid
modernization efforts are well under way with the advent of smart
devices, renewable technologies, and cellular connectivity.
How do INL and the Cybersecurity and Infrastructure Security Agency
(CISA) plan to mitigate a growing threat landscape beyond simply
network monitoring and detection?
Answer. Investments continue to be made by Idaho National
Laboratory and CISA in developing advanced cybersecurity tools and
analysis capabilities that are far beyond ``simply network monitoring
and detection.''
We recommend Congress support a ``defense in depth'' and ``security
by design'' approach for U.S. critical infrastructure. Additional
funding is needed to expand Cyber-Informed Engineering (CIE) and
additional test environments are needed at both small-scale and full-
scale to develop and demonstrate effective mitigations. Further
investments and a build-out of more full-scale and small-scale test
ranges will allow high-fidelity research to better understand this
growing landscape, as well as provide the needed research environment
to develop capabilities and collaborate with asset owners, vendors, and
Government to solve this evolving problem.
Question 2. The National Laboratories invest in cutting-edge,
innovative technologies aimed at tackling some of the hardest
cybersecurity challenges. However, the transition of emerging,
desperately-needed technology lacks the funding, sponsorship, and
ultimately the deployment to secure the grid.
What strategies and approaches do you recommend at INL to
transition technology to the utility sector, like the Constrained
Communications Cyber Device?
Answer. Federal agencies must commit to the long-term deployment of
the technology and support collaborative projects to pilot and mature
them through operational testing with interested private-sector
commercialization partners so that technology comes to market. The key
barrier facing deployment of laboratory-developed technologies to the
utility sector is the ``valley of death.'' This phenomenon happens when
funding for initial technology development concludes after a proof-of-
concept effort with a technology not yet mature enough for use in
critical infrastructure environments. It is often difficult for
laboratory researchers to attract funding to mature technology through
the maturity cycle, and often the National Laboratories are not the
most cost-effective entities to perform that work. However, INL and
other National Laboratories are exploring solutions to obtain funding
and support to mature these technologies for deployment.
For example, INL, along with Pacific Northwest National Laboratory,
Oak Ridge National Laboratory, and Sandia National Laboratories,
executed a trial program partnered with the Department of Energy's
Office of Technology Transitions (DOE-OTT) and a venture advisory
company. In this program, National Laboratories work with the venture
advisory company to select technologies within their portfolios that
are highly aligned with the growing needs of highly-regulated
industries. The venture advisory company establishes an investor
network to create start-up companies that can develop the technology
toward the maturity needed for deployment in critical infrastructure.
The trial of this program was very successful, and DOE-OTT has invested
in an additional year of execution. Additional funding focused on
leveraging venture capital to mature technologies past the ``valley of
death'' into deployable maturity would hasten the deployment of
technologies like the Constrained Communications Cyber Device.
We recommend that Congress fund activities to further mature
appropriate technologies to the operational pilot stage and fund
activities for the National Laboratories to team with potential
private-sector partners to demonstrate, operationalize, and deploy
those technologies.