[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]
SECURING OPERATIONAL TECHNOLOGY: A DEEP
DIVE INTO THE WATER SECTOR
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
CYBERSECURITY AND INFRASTRUCTURE
PROTECTION
OF THE
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTEENTH CONGRESS
SECOND SESSION
__________
FEBRUARY 6, 2024
__________
Serial No. 118-51
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.govinfo.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
57-219 PDF WASHINGTON : 2024
-----------------------------------------------------------------------------------
COMMITTEE ON HOMELAND SECURITY
Mark E. Green, MD, Tennessee, Chairman
Majority Members:
Michael T. McCaul, Texas
Clay Higgins, Louisiana
Michael Guest, Mississippi
Dan Bishop, North Carolina
Carlos A. Gimenez, Florida
August Pfluger, Texas
Andrew R. Garbarino, New York
Marjorie Taylor Greene, Georgia
Tony Gonzales, Texas
Nick LaLota, New York
Mike Ezell, Mississippi
Anthony D'Esposito, New York
Laurel M. Lee, Florida
Morgan Luttrell, Texas
Dale W. Strong, Alabama
Josh Brecheen, Oklahoma
Elijah Crane, Arizona
Minority Members:
Bennie G. Thompson, Mississippi, Ranking Member
Sheila Jackson Lee, Texas
Donald M. Payne, Jr., New Jersey
Eric Swalwell, California
J. Luis Correa, California
Troy A. Carter, Louisiana
Shri Thanedar, Michigan
Seth Magaziner, Rhode Island
Glenn Ivey, Maryland
Daniel S. Goldman, New York
Robert Garcia, California
Delia C. Ramirez, Illinois
Robert Menendez, New Jersey
Yvette D. Clarke, New York
Dina Titus, Nevada
Stephen Siao, Staff Director
Hope Goins, Minority Staff Director
Sean Corcoran, Chief Clerk
------
SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION
Andrew R. Garbarino, New York, Chairman
Majority Members:
Carlos A. Gimenez, Florida
Mike Ezell, Mississippi
Laurel M. Lee, Florida
Morgan Luttrell, Texas
Mark E. Green, MD, Tennessee (ex officio)
Minority Members:
Eric Swalwell, California, Ranking Member
Sheila Jackson Lee, Texas
Troy A. Carter, Louisiana
Robert Menendez, New Jersey
Bennie G. Thompson, Mississippi (ex officio)
Cara Mumford, Subcommittee Staff Director
Moira Bergin, Minority Subcommittee Staff Director
CONTENTS
----------
Page
Statements
The Honorable Andrew R. Garbarino, a Representative in Congress
From the State of New York, and Chairman, Subcommittee on
Cybersecurity and Infrastructure Protection:
Oral Statement................................................. 1
Prepared Statement............................................. 2
The Honorable Eric Swalwell, a Representative in Congress From
the State of California, and Ranking Member, Subcommittee on
Cybersecurity and Infrastructure Protection:
Oral Statement................................................. 3
Prepared Statement............................................. 4
Witnesses
Mr. Robert M. Lee, Chief Executive Officer and Co-Founder, Dragos
Inc.:
Oral Statement................................................. 6
Prepared Statement............................................. 8
Mr. Charles Clancy, PhD, Chief Technology Officer, The Mitre
Corporation:
Oral Statement................................................. 14
Prepared Statement............................................. 16
Mr. Kevin M. Morley, PhD, Manager, Federal Relations, American
Water Works Association:
Oral Statement................................................. 19
Prepared Statement............................................. 20
Mr. Marty Edwards, Deputy Chief Technology Officer, Operational
Technology and Internet of Things, Tenable:
Oral Statement................................................. 24
Prepared Statement............................................. 25
For the Record
The Honorable Eric Swalwell, a Representative in Congress From
the State of California, and Ranking Member, Subcommittee on
Cybersecurity and Infrastructure Protection:
Question From Rep. Robert Garcia............................... 51
Joint Statement of Dr. Amit Elazari, J.S.D., CEO and Co-Founder
of OpenPolicy, ISO/IEC 27402 Co-Editor and Lucian Niemeyer,
CEO of Building Cyber Security.org........................... 52
Statement of NACWA............................................. 55
Letter From Association of Metropolitan Water Agencies......... 57
Appendix
Questions From Chairman Andrew Garbarino for Robert M. Lee....... 61
Questions From Chairman Andrew Garbarino for Charles Clancy...... 62
Questions From Chairman Andrew Garbarino for Kevin M. Morley..... 62
Questions From Chairman Andrew Garbarino for Marty Edwards....... 63
SECURING OPERATIONAL TECHNOLOGY: A DEEP DIVE INTO THE WATER SECTOR
----------
Tuesday, February 6, 2024
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity and
Infrastructure Protection,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., at
Room 310, Cannon House Office Building, Hon. Andrew R.
Garbarino [Chairman of the subcommittee] presiding.
Present: Representatives Garbarino, Gimenez, Ezell, Lee,
Swalwell, Carter, and Menendez.
Also present: Representative Pfluger.
Chairman Garbarino. The Committee on Homeland Security,
Subcommittee on Cybersecurity and Infrastructure Protection will
come to order. Without objection, the Chair may recess at any
point.
The purpose of this hearing is to receive testimony from a
panel of expert witnesses on securing operational technology,
or OT, across critical infrastructure sectors with a specific
focus on threats to the water sector.
Without objection, the gentleman from Texas, Mr. Pfluger,
is permitted to sit on the dais and ask questions to the
witnesses.
I now recognize myself for an opening statement.
Thank you to our witnesses for being here today to discuss
the importance of securing operational technology or OT. OT
systems are responsible for controlling the reliable delivery
of lifeline functions across the United States, including clean
water and electricity. It is a national imperative to secure
the foundational technology and infrastructure that underpins
our Nation's most critical functions.
During my tenure in this committee, we have made great
strides to focus on CISA's efforts on securing OT, but given
recent incidents, we must revisit this topic to consider how
Congress may further refine and strengthen CISA's support to
critical infrastructure owners and operators. In late 2023, we
saw the latest nefarious cyber activity against OT devices in
multiple sectors, including water and wastewater systems, by
Iranian-affiliated cyber actors. This malicious activity
against Israeli programmable logic controllers, or PLCs, is
unacceptable. I was glad to see the Treasury Department
announce sanctions for 6 Iranian government officials late last
week. This is the first step to holding these bad actors fully
accountable.
Unfortunately, this exploitation was not isolated to one
sector, underscoring the risks associated with critical
infrastructure interdependencies. Owners and operators across
all sectors must raise the level of security for OT systems.
Important first steps include following CISA's guidance to
change default passwords and disconnect OT systems from the
internet.
But in my conversations with owners and operators across
sectors, I learned that sometimes basic cyber hygiene
principles for information technology or IT systems may not
translate to OT systems. Many OT systems rely on legacy
equipment that owners and operators may not have the capacity
to secure in the same way as traditional IT. Given this, the
system must update traditional IT guidance to reflect the
realities of OT systems. I look forward to hearing from our
private-sector experts today on how this translation can be
most impactful.
As a Sector Risk Management Agency, or SRMA, for 8 of the
16 critical infrastructure sectors, CISA should lead by example
and prioritize OT personnel and resources internally. I look
forward to working with the 6 other committees of jurisdiction
to ensure the remaining SRMAs also prioritize OT personnel and
resources.
As we discuss roles and responsibilities today, I would
like to highlight CISA's success as a partner with industry
rather than a regulator. I hope my colleagues will join me in
continuing to empower CISA as an SRMA and also as the national
coordinator for critical infrastructure, security, and
resilience. I look forward to our witnesses' testimony and
developing productive solutions to strengthen our Nation's
baseline security for the OT that underpins all aspects of
American life.
[The statement of Chairman Garbarino follows:]
Statement of Chairman Andrew Garbarino
February 6, 2024
Thank you to our witnesses for being here today to discuss the
importance of securing operational technology, or OT. OT systems are
responsible for controlling the reliable delivery of lifeline functions
across the United States, including clean water and electricity. It is
a national imperative to secure the foundational technology and
infrastructure that underpins our Nation's most critical functions.
During my tenure on this committee, we have made great strides to
focus CISA's efforts on securing OT. But given recent incidents we must
revisit this topic to consider how Congress may further refine and
strengthen CISA's support to critical infrastructure owners and
operators.
In late 2023, we saw the latest nefarious cyber activity against OT
devices in multiple sectors, including water and wastewater systems, by
Iranian-affiliated cyber actors. This malicious activity against
Israeli programmable logic controllers, or PLCs, is unacceptable. I was
glad to see the Treasury Department announce sanctions for 6 Iranian
government officials late last week--this is the first step to holding
these bad actors fully accountable.
Unfortunately, this exploitation was not isolated to one sector,
underscoring the risks associated with critical infrastructure
interdependencies. Owners and operators across all sectors must raise
the level of security for OT systems. Important first steps include
following CISA's guidance to change default passwords and disconnect OT
systems from the internet.
But in my conversations with owners and operators across sectors I
learned that sometimes basic cyber hygiene principles for information
technology, or IT, systems may not translate to OT systems. Many OT
systems rely on legacy equipment that owners and operators may not have
the capacity to secure in the same way as traditional IT.
Given this, CISA must update traditional IT guidance to reflect the
realities of OT systems. I look forward to hearing from our private-
sector experts today on how this translation could be most impactful.
As the Sector Risk Management Agency, or SRMA, for 8 of the 16
critical infrastructure sectors, CISA should lead by example and
prioritize OT personnel and resources internally. I look forward to
working with the 6 other committees of jurisdiction to ensure the
remaining SRMAs also prioritize OT personnel and resources.
As we discuss roles and responsibilities today, I would like to
highlight CISA's success as a partner with industry rather than a
regulator. I hope my colleagues will join me in continuing to empower
CISA as an SRMA and also as the national coordinator for critical
infrastructure security and resilience.
I look forward to our witnesses' testimony and to developing
productive solutions to strengthen our Nation's baseline security
for the OT that underpins all aspects of American life.
Chairman Garbarino. I now recognize the Ranking Member, the
gentleman from California, Mr. Swalwell, for his opening
statement.
Mr. Swalwell. Thank you. I thank the Chairman for stitching
together such an impeccable panel of witnesses for an urgent
and important topic.
You know, right now, the United States is involved in a
number of different global conflicts, from aiding Ukraine as it
defends its own territorial integrity against Russia, helping
Taiwan as it prepares for the threat of a Chinese invasion,
and, of course, working in the Middle East to assist Israel in
defending itself against terrorism and the allies of Hamas in
the region who are targeting Israel, which includes Iran.
Having such a presence like that puts an even greater
target on the back of the United States and our infrastructure,
and makes us more and more vulnerable to a cyber attack or an
attack on particularly our water infrastructure. We don't have
to imagine what this could look like, because we are already
seeing actors like China and Iran carry out and execute these
attacks.
So today we have an opportunity to really, you know, take a
deep dive into what our water infrastructure looks like. I want
to commend, as the Chairman noted, CISA's director, Jen
Easterly. Last week, she testified to another committee that
CISA has observed a ``deeply concerning evolution in Chinese
targeting of U.S. infrastructure,'' and that Chinese intrusions
have already been eradicated across multiple sectors, including
water.
The FBI also announced last week that it had disrupted Volt
Typhoon, and I want to thank the Bureau for their work there.
It doesn't change the fact, though, that Chinese hackers, you
know, likely under the direction of President Xi, will continue
to target the United States, and China will leverage its
significant cyber arsenal to undermine the efforts of the
United States and others who are interested in helping Taiwan
preserve its democracy against a violent attack.
Since 2018, CISA has been warning about Russian hackers as
well, targeting U.S. critical infrastructure, including the
water, energy, nuclear, and aviation sectors. But China,
Russia, and Iran, of course, are only the tip of the iceberg.
In addition to those nations, you have rogue cyber actors who
are capable of targeting and disrupting our water
infrastructure.
So there is a lot that we can do, from expanding the
CyberSentry program to signing into legislation that I have
drafted, the Industrial Control System Cybersecurity Training
Act, President Biden and CISA are raising the bar on OT
security, but we still are not as prepared and as resilient as
we need to be. It is target-rich, resource-poor sectors like
the water sector that remain particularly vulnerable to cyber
attacks.
So, Chairman, again, I would rather get to the witnesses
here. I think you and I are in alignment about what we need to
do and just grateful that you have called us together as we
face so many threats from so many places and want to make sure
that our locals are particularly prepared.
[The statement of Ranking Member Swalwell follows:]
Statement of Ranking Member Eric Swalwell
February 6, 2024
Good morning. I want to thank Chairman Garbarino for holding
today's hearing on how we can improve the cybersecurity of operational
technology, particularly as it is deployed across the water sector.
Every day our adversaries grow bolder and more capable of exploiting
vulnerabilities across OT networks.
Just last week, Cybersecurity and Infrastructure Security Agency
(CISA) Director Jen Easterly testified before another committee that
CISA has observed a ``deeply concerning evolution in Chinese targeting
of U.S. infrastructure'' and that Chinese intrusions have already been
eradicated across multiple sectors, including water.
Director Easterly's comments build on an advisory issued last year
by the United States and its Five Eyes partners, which described the
increasingly sophisticated and difficult-to-detect tactics of Chinese
threat actor Volt Typhoon.
The FBI announced last week that it had disrupted Volt Typhoon, and
I commend them.
But it doesn't change the fact that President Xi has been clear
about his ambitions regarding Taiwan, and Director Wray has said that
China will leverage its significant cyber arsenal to undermine the
efforts of the United States and others who are interested in helping
Taiwan preserve its democracy.
China's hackers will continue to be a menace to U.S. critical
infrastructure for years to come.
But it isn't just China.
Late last year, Iranian hackers targeted and compromised water
utilities across the country.
And since at least 2018, CISA has been warning about Russian
hackers targeting U.S. critical infrastructure, including the water,
energy, nuclear, and aviation sectors.
But China, Russia, and Iran are just the tip of the iceberg.
Other nations are rapidly developing their capabilities, and that
is to say nothing of cyber criminals looking to make a buck.
For too long, the Federal Government has left critical
infrastructure owners and operators on their own to defend against
these sophisticated threat actors and failed to integrate the unique
security concerns of OT in its guidance and programs.
Even efforts to improve cyber workforce training overlooked the
skills required to develop the OT security experts we will need as
technology deployed across critical infrastructure networks continues
to evolve.
I commend the Biden administration for accelerating efforts to
improve OT security across critical infrastructure networks.
From expanding the CyberSentry program to signing into law
legislation I drafted, the Industrial Control Systems Cybersecurity
Training Act, President Biden and CISA are raising the bar on OT
security.
Despite this progress, our critical infrastructure networks are not
as prepared or resilient as they need to be.
Target-rich, resource-poor sectors--like the water sector--remain
particularly vulnerable to cyber attack.
In my view, there are three things we can do that would have a
meaningful impact on OT cybersecurity, particularly in target-rich,
resource-poor sectors.
First, many critical infrastructure owners and operators lack the
resources necessary to modernize and secure the technology they use.
For the past two budget cycles, CISA has proposed a Critical
Infrastructure Cybersecurity Grant Program, but it has never provided
authorization language and Congress has never funded it.
Moving forward we should explore opportunities to provide resources
for critical infrastructure to improve cybersecurity--whether it is
through grants or through a revolving fund program.
Second, we need to ensure that the programs, tools, and guidance
CISA and its Federal partners are offering are accessible, usable, and
provide security value to their full spectrum of stakeholders--from
target-rich, resource-poor sectors to those who have been building
cybersecurity capacity for decades.
Too often, I have heard the Federal Government's tools and services
are too difficult to navigate and that it is too difficult to
understand which are appropriate for a particular entity's needs.
Finally, we need to formalize CISA's approach to collaborating with
the private sector to defend against threats to OT, including by
authorizing the Joint Cyber Defense Collaborative.
When it was first established, JCDC galvanized the public-private
response to Log4j and Russia's invasion of Ukraine.
Although JCDC continues to provide an important forum for public-
private collaboration, there have been complaints that activity has
slowed absent a momentum-driving--or formal authorization legislation--
event to drive activity.
For over a year, I have been working on legislation to authorize
JCDC, collecting and incorporating multiple rounds of feedback from
both private-sector and Government partners.
My legislation recognizes the potential of JCDC, and puts it on a
path of realizing it.
Before I close, I would be remiss if I did not acknowledge an
article I read in Politico yesterday regarding growing concerns about
the value of JCDC.
Many of the concerns raised in the story can and should be resolved
by Congress stepping in to provide direction and accountability to JCDC
through authorization--and that work is under way.
More concerning, however, is the apparently growing sentiment among
some in the private sector that collaborating with CISA--and JCDC in
particular--could put them in the ``crosshairs'' of conservative
critics who buy the former President's election fraud claims and are
therefore rethinking whether they should collaborate with Government on
cybersecurity issues.
Given the pressing cyber threats facing the United States, we
cannot allow for CISA's cybersecurity work to become politicized and
the trusted partnerships it has spent multiple administrations
cultivating to erode.
I look forward to working with my colleagues on legislative
solutions to improve OT security, particularly in target-rich,
resource-poor sectors.
With that, I look forward to the witnesses' testimony and I yield
back.
Chairman Garbarino. Thank you, Ranking Member Swalwell.
Other Members of the committee are reminded that opening
statements may be submitted for the record. I am pleased to
have these witnesses before us today to discuss this very
important topic. I ask that our witnesses please rise and raise
their right hand.
[Witnesses sworn.]
Chairman Garbarino. Let the record reflect that the
witnesses have all answered in the affirmative. Thank you.
Please be seated.
I would now like to formally introduce our witnesses.
Robert Lee is chief executive officer and cofounder of Dragos,
a global technology leader in cybersecurity for OT. Mr. Lee
also serves on the Department of Energy's Electricity Advisory
Committee, is a member of the World Economic Forum's
Subcommittees on Cyber Resilience for the Oil and Gas and
Electricity Communities. He began his work in OT as a U.S. Air
Force cyber warfare operations officer tasked to the National
Security Agency. Throughout his career, he has supported
analysis of some of the most significant cyber attacks on
industrial infrastructure, including the 2021 Colonial Pipeline
ransomware attack.
Dr. Clancy is senior vice president and chief technology
officer for MITRE and heads MITRE's labs. MITRE operates 6
Federally-funded research and development centers for the U.S.
Government and provides agencies like CISA with deep technical
capabilities. Dr. Clancy also sits on several boards and
executive committees on intelligence, systems engineering,
telecommunications, and artificial intelligence. Previously,
Dr. Clancy led Virginia Tech's research programs in defense and
intelligence. He started his career at the National Security
Agency with a focus on research and engineering for wireless
communications.
Dr. Morley is a manager of Federal relations for the
American Water Works Association. For 20 years, he has worked
to advance security and preparedness in the water sector. He is
also a disaster resilience fellow for the National Institute of
Standards and Technology, a member of the President's National
Infrastructure Advisory Council, and a representative on the
Water Sector Coordinating Council.
Marty Edwards is deputy chief technology officer for OT and
internet of things at Tenable. Mr. Edwards leads Tenable's role
in the OT Cybersecurity Coalition and served as a working group
lead for the National Security Telecommunications Advisory
Committee Report to the President on IT-OT convergence. Prior
to his time at Tenable, he held leadership roles at the
International Society of Automation, the U.S. Department of
Homeland Security's Industrial Control Systems Cyber Emergency
Response Team, and the U.S. Department of Energy's Idaho
National Laboratory. Thank you all for being here today.
Mr. Lee, I now recognize you for 5 minutes to summarize
your opening statement.
STATEMENT OF ROBERT M. LEE, CHIEF EXECUTIVE OFFICER AND CO-
FOUNDER, DRAGOS INC.
Mr. Lee. Chairman Garbarino, Ranking Member Swalwell, and
Members of the subcommittee, thank you for providing me the
opportunity to testify before you today. My name is Robert Lee,
and I'm the CEO and cofounder of Dragos, a leading OT
cybersecurity technology provider.
Today, water utilities and other critical infrastructure
organizations find themselves on the front lines, defending
against both state actors and criminal groups. They face
growing threats, most importantly to their OT or operational
technology networks. These systems are the critical part of
critical infrastructure.
In 2018, I testified before Congress that Dragos tracked 5
state actors specifically focused on OT networks. Today, we
track over 20 such groups, and my message has more urgency. My
testimony focuses on three core points.
First, there are fundamental differences between OT and IT
networks. The biggest difference is the mission or business
purpose of these systems. Generally, IT supports how you manage
a business where OT is the reason the business exists. They're
the specialized computers and networks that interact with the
physical world around us, including things like control pumps,
chemical levels, and so forth at water treatment facilities.
OT security is also unique from IT security. Most of our
standards and regulations and best practices simply apply IT
security controls to OT without considering whether or not they
should be applied. This results in wasted resources and
operational disruptions. OT security instead should focus on
unique OT security controls and adopt from IT security only
when it makes sense, such as those in the SANS Institute's ICS
Five Critical Controls.
My second point is that cyber threat landscape for OT has
shifted irreversibly. More standardized infrastructure has
brought efficiencies, a homogeneous infrastructure, to manage.
But it's also opened the door for reusable, scalable
capabilities that can be used across sectors.
In 2022, Dragos worked with our partners, as well as
closely with the U.S. Government, to identify and analyze a
state actor capability, or malicious software, called Pipe
Dream. It was the first reusable capability to cause the
ability for disruptive as well as destructive capabilities
across industrial equipment. This class of capabilities will
increase the frequency of high-consequence attacks we observe.
There's a victory here as well. Dragos and its partners
worked with Federal agencies to report out to the broader
infrastructure community prior to the capability being
employed. It's one of the most significant public-private
partnership wins of all time for OT security.
My third point is that public and private sectors must work
together to secure water security and water sector operational
technology. For Federal agencies, this means providing clear
and consistent guidance to the industry that identifies
specific requirements they need to support, such as realistic
threat scenarios and opportunities to exercise them.
When it comes to regulation, the Government must harmonize
across frameworks and use an outcome-based approach that
defines why they are concerned, what the outcome is that we are
driving toward, and leaves the how to the private sector or,
simply stated, give us the requirements, not the answers.
Government resources also should not be directed to
programs that replicate technologies and services already
available in the private sector. A good example is the
Department of Energy's cyber-informed engineering that operates
in an area where there is no market and rethinks how we design
the energy system to engineer out some of the cyber risk.
The water sector resources need to be made available as
well. As an example, at Dragos we launched a program called the
Community Defense Program, which gives all U.S.-based utilities
with under $100 million in resources and under $100 million in
annual revenue free access forever to our tech and resources.
Yet, most water sites will never be able to take advantage of
this. Even something as simple as a $3,000 one-time investment
at water utilities for basic hardware and networking gear is
almost impossible due to budget limitations and overly
difficult spending approval processes that aren't informed by
appropriate cybersecurity knowledge. Taxpayer-funded Government
assessments or further Federal investments to develop the next
great technology acutely miss the need. Small municipal water
and wastewater facilities need direct resourcing.
In conclusion, I have so much optimism that what we all can
do together will work. We know what to do, oftentimes as simply
as making it happen. However, a major shift must take place in
order to solve the underlying economic issue that happens at
our local water facilities.
Together, we can figure out a way to make sure that those
bad actors do not impact our local communities. I would very
much love for my children to grow up in a world with safe water
and electricity. Again, we know how to do it, but we must work
together to get it done with an OT-first mindset and all
playing to our strengths.
I sincerely thank the subcommittee for providing me the
opportunity to testify today and welcome any questions or
requests for additional information as we go on.
[The prepared statement of Mr. Lee follows:]
Prepared Statement of Robert M. Lee
6 February 2024
Chairman Garbarino, Ranking Member Swalwell, and distinguished
Members of the subcommittee, thank you for providing me the opportunity
to testify before you today. My name is Robert M. Lee and I am the CEO
and co-founder of Dragos, Inc., a leading industrial cybersecurity
technology and services provider. Additionally, I serve in advisory
roles to numerous governments and international organizations across
the world including the United States Department of Energy (DOE),
Singapore's Cyber Security Agency, and the World Economic Forum's
cybersecurity committees on oil and gas and electricity. I am a veteran
of the United States Air Force and National Security Agency. It has
been my privilege to be on the front lines of this problem in both
Government and the private sector.
Both Government and industry have invested significantly in the
cybersecurity of our Nation's critical infrastructure. However, a vast
majority of the focus has been on securing information technology (IT)
networks. Less emphasis was traditionally placed on cybersecurity for
operational technology (OT) and industrial control systems (ICS). These
systems are the specialized computers and networks that interact with
the physical world, including assets like a control system that opens a
circuit breaker on an electric substation or operates pumps at a water
facility. Most executives and policy leaders are shocked to find that
upwards of 95 percent of cybersecurity budgets go to the Enterprise IT
portions of the business and not the OT networks that can impact
safety, the environment, and generate the revenue for the organization.
OT systems are the critical part of critical infrastructure.
Even 20 years ago, ICS and OT were largely disconnected from other
networks. The infrastructure was also complex and heterogeneous with
little in common between two facilities even in the same industry,
making it more difficult and more costly for adversaries to create
attacks that caused disruption or physical destruction in a way that
was repeatable across sites and industries. Now, these systems,
including those in the water and wastewater sector, are increasingly
digital and homogeneous by necessity. Threat groups can develop
capabilities that target devices commonly used in OT environments
across sectors and have found new ways to access and manipulate them
causing disruption and posing safety risks.
In 2018, I testified before Congress that Dragos, Inc. tracked 5
state actor cyber groups that targeted industrial networks
specifically. At the time, I noted that while that sounded alarming, we
had time to address these issues if we worked diligently. Today, Dragos
tracks over 20 such groups and my message has more urgency. Water
utilities and other critical infrastructure organizations are also
facing challenges stemming from the current geopolitical environment.
They find themselves on the front lines, often with very limited
resources, needing to defend against both state actor cyber groups and
criminal groups.
Protecting and defending OT in the water sector requires both an
understanding of the environment and investment in the right resources.
My testimony focuses on three key points that are relevant to the
subcommittee and this hearing's focus.
The first point is that there are fundamental differences
between the operational technology and information technology
that underpin our Nation's critical infrastructure. IT is
focused on how you enable and manage the business while OT is
focused on why you are a business. The different missions, or
purposes, of IT and OT systems dictate what is required of them
and how organizations manage risk to them. The risks and
threats to those systems, how the threats operate, the
consequence of attacks, as well as the controls used to manage
that risk, are also different across OT and IT environments.
The second point is that the cyber threat landscape for
operational technology and industrial control systems,
including those used in facilities in the water and wastewater
sector, has shifted irreversibly in recent years. The same
digitalization, connectivity, and uniformity in OT that is
enhancing efficiency and reliability for infrastructure owners
and operators is also adding risk. This digital transformation
of our industrial industries is necessary, but without investing
in cybersecurity in advance of that transformation, the
consequences will be dire. To minimize that risk and defend
water systems and other infrastructure against those
adversaries, the community must invest in and prioritize the
cybersecurity of OT and ICS networks with a focus on
implementing security controls that have demonstrated success
against the methods used by those threat groups.
The third point is that the public and private sectors must
continue to work together to make sure infrastructure owners
and operators, including small and under-resourced
organizations, have the information, tools, and resources they
need to protect their systems. Both Government and industry
have unique capabilities and insights that provide real value
to operators of infrastructure, including water and wastewater
systems. We need to remove barriers that those operators face
in accessing information, tools, and equipment they need to
defend their systems. We must also not forget that the issues
are primarily an economics and awareness issue at our numerous
municipally-owned water utilities across this country. No
amount of free vendor tools or taxpayer-funded cybersecurity
services will alleviate this issue without addressing the core
economic challenge.
I. IT and OT Are Fundamentally Different
Both conceptually and functionally, IT and OT are fundamentally
different. The biggest difference between IT and OT is the mission or
business purpose of the system. Generally, IT systems are designed to
support how you manage business. OT systems focus on the reason the
business or organization exists. OT systems are the specialized
computers and networks that interact with the physical environment to
do things like control the pumps or chemical levels at a water
treatment facility.
The distinct mission, or purpose, of those systems dictates what is
required of them and informs how risks and threats to the system are
defined and managed. For example, a Windows operating system computer
hosting a database for a financial institution has a distinctly
different purpose and impact of failure than a Windows operating system
hosting the Human Machine Interface (HMI) for a nuclear power plant. An
adversary may be able to exploit a targeted Windows system in a similar
way across IT and OT, but their behavior within that system will differ
depending on whether they are focused on intellectual property theft of
the financial institution's database or on causing an unsafe operating
condition and physical impact.\1\
---------------------------------------------------------------------------
\1\ https://www.sans.org/white-papers/36297/.
---------------------------------------------------------------------------
The impact of a breach or compromise is different as well. IT tends
to be focused on system and data security, and OT tends to focus on the
system of systems and physics. In many IT compromises, gaining access
to the system and understanding the system or its data are critical.
The goal is likely data theft or disabling the systems. The adversary,
in this case, does not often seek to cause physical impacts. In the OT
cybersecurity community, the types of attacks that cause the greatest
concern are those that seek to disrupt operations, cause physical
damage, or even cause safety-related incidents that lead to equipment
damage or loss of life. The threats operate differently, often using
unique methods and capabilities to achieve their goals in OT networks.
OT also has unique requirements. While the requirements of both IT
and OT environments sound similar--high uptime, redundancy, low
latency--OT must support specific circumstances. High uptime for OT,
for instance, is often measured in years, not months, with systems that
literally run for multiple years between rounds of maintenance.
Redundancy for OT focuses on availability more than security. Many OT-
critical components can't be turned off. Instead of the time it takes
to move data from one place to another, latency in OT deals with the
milliseconds that determine whether an assembly line functions
correctly.
OT security requires a different mentality. It is unique from IT
security. This is due to the nature of the physical environments and
also because the threats that target them are different. The way threat
groups operate, as well as the tactics and techniques they use, are
different across IT and OT environments. Even just a decade ago, the
threat landscape for operational technology (OT) and industrial control
systems (ICS) was very limited. As a result, many of the security
controls for OT have traditionally been IT controls that can be applied
to OT environments. Many standards, regulations, and ``best practices''
are often focused on how to apply IT security controls to OT and not
whether they should be applied. There are many IT cybersecurity
practices, such as vulnerability management and endpoint protection
systems, that have a completely different value proposition, emphasis,
and effect in OT networks. Applying all of the IT cybersecurity
controls of a business to the OT networks would yield wasted resources
and likely cause more disruption to the environment than all the state
actors currently tracked combined. Simply put, organizations should
look to unique OT cybersecurity controls and then evaluate the IT
cybersecurity controls based on what risk they reduce and, if so, the
unique way they should be applied. Our communities cannot afford for
companies to ``gold plate'' the problem nor can they afford them to
ignore it.
II. The Cyber Threat Landscape for OT Has Shifted Irreversibly
Increasing digitalization, connectivity, and homogeneity in OT is
changing the threat landscape
The same digitalization, connectivity, and uniformity in OT that is
enhancing efficiency and reliability for infrastructure owners and
operators is also adding risk. At the same time, a growing number of
threat groups are targeting OT. To minimize that risk and defend water
systems and other infrastructure against those adversaries, the
community must invest in and prioritize the cybersecurity of OT and ICS
networks with a focus on implementing security controls that have
demonstrated success against the methods used by those threat groups.
Twenty years ago, manual and truly disconnected OT environments
meant that cyber adversaries could not as easily reach or interact with
OT systems through cyber means. However, as those environments started
becoming connected and digitalized, adversaries have paid attention. In
2015 and 2016, Ukraine experienced the first power outages due to cyber
attacks that used malicious software, or malware, that could be
deployed at other electric transmission substations around the world.
In 2017, the first-ever cyber attack that targeted human life directly
took place in a Saudi Arabian petrochemical facility by targeting an OT
safety system.
As industry has moved toward more homogeneous infrastructure with
common software packages, common network protocols, and common facility
designs, it has brought both cost and operating efficiencies. At the
same time, it has also reduced the complexity in which adversaries have
to operate and opened the door for reusable, scalable adversary
capabilities that can be used to target the OT of multiple
organizations within and across sectors. Threat groups are also taking
advantage of native functionality in increasingly digitalized and
connected systems, demanding an emphasis on detection and response
efforts, in addition to prevention.
In 2022, Dragos and its third-party partner in collaboration with
the U.S. Government discovered and analyzed PIPEDREAM, the first
reusable cross-industry capability that can cause physical disruption
or destruction. The PIPEDREAM toolkit has the capabilities to impact
devices that control critical infrastructure in different sectors--
devices that manage electrical systems, oil and gas pipelines, water
systems, manufacturing plants, and even the control systems in military
assets such as unmanned aerial vehicles and naval ships. PIPEDREAM also
cannot simply be patched away as it takes advantage of native
functionality in the software and network protocols available cross-
industry. Prevention is important to attempt, but the necessity is on
identifying, detecting, responding, and recovering correctly. At best
guess, currently less than 5 percent of global infrastructure has the
ability to achieve this against PIPEDREAM-like capabilities.
Though a capability like PIPEDREAM is concerning, it is important
to take a moment to acknowledge the victory here as well. Dragos and
its partners worked with Federal agencies to identify, analyze, and
report on PIPEDREAM to the broader infrastructure community prior to
PIPEDREAM being employed. This is one of the most significant public-
private partnership wins of all time in cybersecurity and truly
represents a ``left of boom'' moment for the industry. The capability
can still be used in the future though and it would be shocking if
other countries were not developing similar capabilities.
Threats to water and wastewater systems have the potential to disrupt
operations and pose safety risks
Water and wastewater systems are vulnerable to a variety of cyber
attacks that have the potential to disrupt operations and pose safety
risks to the systems' ability to perform fundamental functions. In over
half of our engagements with customers, Dragos has encountered issues
with ICS/OT network accessibility from the internet.\2\ Using weak or
default credentials, which are often publicly available in the vendor's
documentation, for OT devices increases the threat of exposure. Several
recent examples demonstrate adversaries exploiting ICS/OT exposed
systems.
---------------------------------------------------------------------------
\2\ https://www.dragos.com/year-in-review/.
---------------------------------------------------------------------------
In November 2023, CyberAv3ngers, a self-styled hacktivist
collective, executed an exploitation campaign targeting
Unitronics programmable logic controllers (PLCs) across
multiple sectors, including the water and wastewater sector.
The campaign employed unsophisticated methods such as secure
shell (SSH) brute-forcing and exploiting default
configurations.\3\ In December 2023, government agencies from
the United States and Israel released a joint Cybersecurity
Advisory linking the activity to Iranian National Revolutionary
Guard (IRGC) activities targeting an Israeli company.\4\ The
campaign's impact was notable, causing operational disruptions
such as the shutdown of a water scheme in North Mayo, Ireland,
and affecting wastewater treatment facilities in the United
States. Despite the unsophisticated nature of the attacks, they
underscored the potential for high-impact consequences in
industrial control systems (ICS) environments, highlighting the
disparity between attack sophistication and potential
operational impact. This also emphasizes the urgent need for
organizations with OT environments to implement fundamental
security measures, adhere to critical controls, and conduct
regular monitoring to mitigate risks.
---------------------------------------------------------------------------
\3\ https://www.dragos.com/blog/cyber-av3ngers-hacktivist-group-targeting-israel-made-ot-devices/.
\4\ https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a.
---------------------------------------------------------------------------
In January 2021, an adversary used stolen TeamViewer
credentials to delete programs related to the water treatment
system for a San Francisco water utility.\5\ Dragos is unaware
whether the deleted water treatment programs were in an ICS/OT
system, but had the attack been successful, San Francisco's
water operations certainly would have been impacted through
loss of control, availability, and safety.
---------------------------------------------------------------------------
\5\ https://www.nbcnews.com/tech/security/hacker-tried-poison-calif-water-supply-was-easy-entering-password-rcna1206.
---------------------------------------------------------------------------
In February 2021, similar to the attack against the San
Francisco water treatment facility, an adversary leveraged
stolen TeamViewer credentials to access a human-machine
interface (HMI) in the ICS/OT environment of an Oldsmar,
Florida, water supply organization to change the water's sodium
hydroxide (NaOH) level.\6\ If successful, the Oldsmar water
supply would have been poisoned and may have impacted the
health of Oldsmar's citizens. The similarity of the San
Francisco and Oldsmar attacks, including the same initial
intrusion techniques, highlights how universal OT architecture
within the water and wastewater sector can lower the barrier
for adversaries to attack. Successful tactics, techniques and
procedures (TTPs) used against one entity can be effective
against others as well.
---------------------------------------------------------------------------
\6\ https://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/.
---------------------------------------------------------------------------
Adversaries are also targeting remote service technologies and
solutions, as well as communications protocols. In 2023, Dragos
observed an uptick in the water and wastewater sector in adversary
actions using these types of connectivity. This highlights the
importance of properly securing remote service applications and
coordinating with third-party vendors and contractors to do the same.
In October 2021, in a joint advisory, the U.S. Federal
Bureau of Investigation (FBI), the Cybersecurity and
Infrastructure Agency (CISA), the Environmental Protection
Agency (EPA), and the National Security Agency (NSA) stated
that between 2019 and 2021, adversaries gained access to water
and wastewater sector ICS/OT environments through spearphishing
as an initial intrusion and then pivoting to ICS/OT
environments through internet-accessible PLCs that required no
authentication using remote services.\7\
---------------------------------------------------------------------------
\7\ https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-287a.
---------------------------------------------------------------------------
In January 2024, CyberArmyofRussia--Reborn, a known
hacktivist group that has been associated with a known state
actor, posted a video to their Telegram channel showing the
manipulation of water tanks associated with two water
authorities in Texas in the United States. Based on information
in the video, it appeared that they changed the tank water
level indicators, which turned on the pumps. The adversary
remotely accessed the human-machine interface (HMI) via remote
services, likely causing Damage to Property, Denial of Control,
Manipulation of Control, and Loss of Availability.
Also notable, almost all of the activity observed by Dragos in the
water and wastewater sector was indicative of reconnaissance efforts,
suggesting adversaries are using tools to map out water entities'
public-facing internet infrastructure for future operations.
While largely opportunistic, ransomware operators are increasingly
attacking industrial organizations in several sectors, including water
and wastewater. Ransomware has primarily threatened organizations' IT
systems; without proper network hygiene, the connectivity between the
IT and ICS/OT environments often provides a pathway for adversaries to
attack ICS/OT systems directly. Double extortion tactics used by
ransomware operators add to the threat for water and wastewater
organizations because releasing sensitive ICS/OT data and diagrams
could provide other capable adversaries with valuable information they
can use in campaigns with ICS/OT disruptive or destructive objectives.
In August 2022, adversaries attacked a United Kingdom (UK)
water supply company, South Staffordshire Water (SSW), using
the cl0p ransomware. The ransomware operators disrupted SSW's
corporate Information Technology (IT) network; however, their
ability to supply clean public water was not impacted. On 16
August 2022, the ransomware operators posted pictures on their
leak site of what appear to be stolen identification documents
and screenshots of SSW's Human Machine Interfaces (HMIs). They
claimed to have gained access to SSW's ICS/OT network and could
manipulate chemical processes.\8\
---------------------------------------------------------------------------
\8\ https://thecyberwire.com/newsletters/control-loop/1/4.
---------------------------------------------------------------------------
III. The Public and Private Sectors Must Work Together To Make Sure
Infrastructure Owners and Operators Have the Information, Tools, and
Resources They Need To Protect Their Systems and Communities
The best way to help the water and wastewater sector, as well as
other critical infrastructure sectors, protect against threats to their
OT environments and to manage risk is for Government and industry to
work together, each using our unique capabilities, insights, and
expertise to provide real value to operators. We need to remove
barriers that those operators face in accessing information, tools, and
equipment they need to defend their systems.
For Federal agencies, such as CISA and EPA, this means focusing
efforts at the strategic level, providing direction to industry
regarding what to focus on protecting (i.e., what is a critically
important entity/asset), what scenarios to protect against (such as the
known threat scenarios to OT water systems), and providing opportunities
to practice efforts while sharing knowledge. It also means investing in
areas where the private sector isn't already investing and providing
guidance that must come from the Government. As an example, the
Department of Energy's Cyber-Informed Engineering operates in an area
where there is no market. It is intended to build cybersecurity
resilience and principles into engineering efforts so that some of the
cyber risks that we are concerned about are engineered out at a control
and physics level before adversaries can exploit them. On the other
hand, Government resources continue to get funneled into grant programs
and Government initiatives that completely replicate technologies and
services already available in the private sector that have been
developed at lower costs with more expertise.
When it comes to regulation, the Government must define and
communicate what it is seeking to accomplish and prioritize outcomes.
Dictating highly-prescriptive controls that tell infrastructure owners
how to run security in their own environments, which they know better
than the Government, will not reduce risk and is often
counterproductive. I would recommend, instead, that the Government
coordinate with the private sector to use their expertise and knowledge
of their systems to inform outcome-based regulations. Regulations
should also be informed by research such as the SANS Institute's 5 ICS
Cybersecurity Critical Controls,\9\ which analyzed all known cyber
threat attacks to industrial systems and identified the most effective
and efficient controls against them.
---------------------------------------------------------------------------
\9\ https://www.sans.org/white-papers/five-ics-cybersecurity-critical-controls/.
---------------------------------------------------------------------------
We have seen this work well with models that the Federal Energy
Regulatory Commission (FERC) and North American Energy Reliability
Corporation (NERC) use. A regulatory agency proposes a regulation with
details on what it seeks to achieve. NERC then forms a committee of
members across the community to evaluate the effectiveness and
feasibility of the proposed changes. This allows time for input and
alignment and creates regulations that better meet the objectives.
Further, models for collaboration instead of simply information sharing
have begun to show value. NERC also facilitates GridEx, a valuable
sector-wide, large-scale operational exercise that brings Government,
vendors, and operators together under blue sky conditions to simulate
real-world scenarios. The exercise provides real, valuable insights
that inform future priorities.
Another example of Government successfully providing this strategic
level of direction is when the administration reached out to the
Electricity Subsector Coordinating Council, the industry-CEO-led group
that collaborates with CISA and DOE, to coordinate on its priorities on
threats to electricity ICS and OT. The administration essentially laid
out why they were concerned, including insights to cyber threats, what
outcome was necessary to detect and respond to such ICS/OT cyber
threats, but left the how to the private sector. The CEOs led a group
to rapidly enhance the visibility across our industrial networks in the
sector to detect industrial cyber threats by deploying commercial
technologies, including one developed by Dragos called Neighborhood
Keeper. The result is that the United States Government now voluntarily
receives real-time insights from across the ICS and OT networks of the
power companies that serve over 70 percent of Americans for free and at
any time can identify new cyber threats and vulnerabilities.\10\ This
model of why, and what, but not how allows for the Government to set
and communicate straightforward priorities while allowing the expertise
and innovation of the infrastructure operators to advise on how best to
achieve the desired outcomes.
---------------------------------------------------------------------------
\10\ https://www.utilitydive.com/news/an-eye-for-an-eye-the-electric-sectors-defense-will-depend-on-Federal-g/601643/.
---------------------------------------------------------------------------
In another example of successful public-private sector
collaboration, Dragos worked with Rockwell Automation and the U.S.
Government in advance of the disclosure of a novel exploit capability
attributed to a state actor that affected select communication modules
by Rockwell Automation deployed in industrial companies across the
country. The U.S. Government was able to leverage the insights from
Neighborhood Keeper to determine how far and wide these assets and
vulnerabilities could be found, work with Dragos and Rockwell to
develop detections and mitigations, deploy them in real time to the
asset owners in the Neighborhood Keeper network, and simultaneously
make the insights available to those who were not.\11\ Another great
``left of boom'' example of what right can look like when the public
and private sector utilize their strengths.
---------------------------------------------------------------------------
\11\ https://www.dragos.com/blog/mitigating-cves-impacting-rockwell-automation-controllogix-firmware/.
---------------------------------------------------------------------------
When the Government speaks with one voice, the infrastructure
community listens. However, when owners and operators receive different
priorities and guidance from different agencies, it can cause analysis
paralysis in security teams. Agencies like CISA and EPA have tremendous
opportunity to help critical infrastructure organizations prioritize
security efforts to ensure they are investing in the things that truly
reduce risk. For small organizations, like many water utilities, clear,
relevant and aligned guidance really matters because they do not have
large teams to analyze and prioritize recommendations.
Additionally, these efforts need to be properly resourced, both in
the private sector and in the Government. Some organizations have the
resources and mechanisms to invest in cybersecurity. Many do not. There
are thousands of water utilities across the country that share
information technology contractors with other organizations simply to
do basic information technology support. They do not have the expertise
or resources for cybersecurity efforts, including those to protect
operational technology. Free Government assessments or further
Government investments in trying to develop the next greatest
technology acutely miss their need. These smaller municipal and public
utility infrastructure sites need direct resourcing through changes at
a State and local level or resourcing from a Federal level to go out
and hire talent and purchase proven tools and technologies. Though we
know ``what'' to do, the unfortunate reality is it is absolutely an
economics issue.
In my role at Dragos, I see the challenges that these organizations
face every day in building their OT cybersecurity programs. And so, in
December, Dragos expanded our Community Defense Program to give under-
resourced U.S.-based utility providers with under $100 million in
annual revenue free access, forever, to Dragos products and training to
build their operational technology cybersecurity programs, improve
their security posture, and reduce operational technology cyber risk.
And yet, even with access to tens of thousands of dollars' worth of
free technology and training each year most water sites will be unable
to take advantage of the program. To use any technologies most of the
water municipalities need basic infrastructure upgrades. Even a one-
time cost of $3,000 on hardware and networking gear would be completely
out of budget for these organizations and require a city council vote
on the topic of cybersecurity that they do not likely understand. I
have so much optimism about what we all can do together by playing to
our strengths and caring enough about our communities to act using our
knowledge to counter even the most sophisticated cyber threats.
However, a major shift must take place in order for us to solve the
underlying economic issues that would make any of it work at scale,
especially in the water sector.
IV. Conclusion
In conclusion, in order to help secure operational technology in
the water sector, we must first understand the fundamental differences
between the operational technology and information technology. The
risks and threats to those systems, as well as the controls used to
manage that risk, are also different across OT and IT environments. The
cyber threat landscape for the OT environment has also shifted
irreversibly. The same digitalization, connectivity, and uniformity in
OT that is enhancing efficiency and reliability for infrastructure
owners and operators is also adding risk. To adequately defend water
systems and other infrastructure against threats and adversaries, the
community must invest in and prioritize the cybersecurity of OT and ICS
networks using security controls that have demonstrated success against
actual threats. Finally, the public and private sectors must work
together using our unique capabilities and expertise to ensure that
water and wastewater organizations have the tools and resources they
need to protect their systems. But all of this is predicated on
addressing the economics and awareness of issues that exist at our
local municipalities and town water systems.
I sincerely thank the subcommittee for providing me the opportunity
to testify today and welcome any questions or requests for additional
information.
Chairman Garbarino. Thank you, Mr. Lee.
Dr. Clancy, I now recognize you for 5 minutes to summarize
your opening statement.
STATEMENT OF CHARLES CLANCY, PH D, CHIEF TECHNOLOGY OFFICER,
THE MITRE CORPORATION
Mr. Clancy. Chairman Garbarino, Ranking Member Swalwell,
and committee Members, my name is Charles Clancy. I'm a senior
vice president at the MITRE Corporation, where I serve as chief
technology officer. It's my pleasure to address the committee
today.
Given the testimony last week in the House Select Committee
on the CCP hearings from Directors Wray and Easterly and
General Nakasone, I need not belabor the threat. Suffice it to
say that President Xi has tasked the PLA with being ready to
invade Taiwan by 2027, and our intelligence community assesses
that such an invasion would include wide-spread attacks against
U.S. lifeline critical infrastructure sectors, including water.
This is not a hypothetical threat. We've seen through Volt
Typhoon as an example that China is preparing for such an
action.
Software supply chains are one potential area of
vulnerability, and the Software Bill of Material, or SBOM,
industry has matured significantly over the last couple of
years. One option is to create an SBOM clearinghouse for
critical infrastructure sectors that notifies both vendors and
utilities when new vulnerabilities affect their products. Much
like safety recalls in the automobile sector, it would prompt
operators to close security gaps in a more timely manner.
Another area to improve is incident response, particularly
in the water sector. Presidential Policy Directives 21 and 41
create the status quo that we operate under today, but they
also silo our SRMAs from our incident responders within CISA
and the FBI. By resourcing SRMAs to be more involved in
incident response, they can better understand the current
threat environment and bring much-needed context to that
incident response.
Today's process is often open-loop. We don't learn--learn
the regulatory environment doesn't improve based on learnings
we get from incidents, which runs counter to the NIST
cybersecurity framework. Reforms here can help close the loop
for many sectors, including water.
But if you agree with the intelligence assessments, we
can't tackle the gravity of the threat we face with policy
reforms just around the edges. In 3 years, we'll still be
negotiating the footnotes of a PPD 21 rewrite as our
adversaries launch wide-spread destructive cyber attacks
against our critical infrastructure.
Today, we view cyber attacks against our infrastructure as
tactical discrete events that we can identify, respond to, and
recover from. Depending on the scope, scale, and impact of such
attacks, we may respond proportionately, such as the sanctions
against Iran we saw last week.
But this thinking does not scale to the strategic threat
that we face. Instead, we must think of these attacks in the
same vein as a major natural disaster, where the solution is
not technology band-aids, but it's more about procedures and
people. We need to plan, practice, and be prepared to act.
Military systems have what are called wartime reserve modes
that change the configuration and operating posture to confound
adversary exploitation, and our critical infrastructure systems
need an intellectually similar set of contingencies that can be
activated in a period of major conflicts.
Unless we prepare, train, and exercise for isolated
operations where we can literally pull the plug between our IT
and OT systems, physically separating them from the internet,
we really won't have much of an ability to defend ourselves.
This dramatically limits our adversaries' ability to activate
destructive logic that's embedded in our systems or to gain new
accesses to our systems.
Likely, many critical infrastructure operators lack the
needed engineering staff to sustain isolation operating systems
in an on-going capacity. So new programs are needed to train
National Guard units or create a civilian reserve corps of cyber
physical operators and experts to augment utilities to sustain
such operations.
Moreover, we need to practice for multiple-sector failures
in population centers and assess cascading impacts. This
includes not only tabletop exercises and hypothetical
wargaming, but also live drills where we test contingency
operations.
The cost of compliance is a common pushback for levying new
responsibilities on public and private-sector utilities. To
offset, FEMA should extend their existing grants program in
partnership with the SRMAs to fund necessary preparation,
training, and exercises. CISA should be resourced to manage
systematic exercise programs to ensure that we have the
National experience necessary to act under such urgent
circumstances.
There is considerable opportunity for EPA to step up, CISA
and FBI to systematically engage across, and for industry to do
better with information sharing, but these modest reforms must
be measured against the scale of the threat that we face. With
the limited time and resources available, we should certainly
begin piloting, exercising, and preparing for contingency
scenarios that require isolated operations across our lifeline
critical infrastructure sectors.
I look forward to answering questions from the committee.
Thank you.
[The prepared statement of Mr. Clancy follows:]
Prepared Statement of Charles Clancy
6 February 2024
Chairman Garbarino, Ranking Member Swalwell, and Committee Members:
Thank you for inviting me to testify before you today on a topic of
critical national importance. My name is Charles Clancy, and I am a
senior vice president and chief technology officer at MITRE where I
lead science, technology, and engineering for the company. MITRE is a
non-profit, non-partisan research institution that operates Federally-
Funded Research and Development Centers (FFRDCs) on behalf of the U.S.
Government. Among other technical disciplines, our team of over 1,500
cybersecurity professionals provide deep expertise across the Executive
branch, including in support of organizations like the Cybersecurity
and Infrastructure Security Agency (CISA), the National Institute of
Standards and Technology (NIST), and U.S. Cyber Command. MITRE's
ATT&CK™ framework has become the de facto language between
Government and industry for describing and combatting cyber threats.
Prior to joining MITRE, I spent 9 years as a member of the faculty
at Virginia Tech where I held the Bradley Distinguished Professorship
of Cybersecurity in the Department of Electrical and Computer
Engineering, and served as executive director of what is now the
Virginia Tech National Security Institute. I started my career at the
National Security Agency leading advanced research and development
programs.
It is my pleasure to address this committee.
threat environment
Threats to our Nation's critical infrastructure cybersecurity have
heightened dramatically over the past 7 years as Russia and China have
shifted to using cyber access to U.S. critical infrastructure as a
strategic instrument of statecraft. Targeting and penetrating our
infrastructure have grown precipitously, leading then-Director of
National Intelligence Dan Coats to famously say the ``warning lights
are blinking red again'' in 2018,\1\ comparing warning signs about
critical infrastructure penetrations to the pre-9/11 indicators. Just
last week FBI Director Christopher Wray testified that the U.S.
Government had successfully disrupted Volt Typhoon,\2\ a persistent and
sophisticated Chinese Communist Party (CCP) campaign to gain strategic
access to U.S. critical infrastructure systems for disruptive and
destructive effects.
---------------------------------------------------------------------------
\1\ https://www.npr.org/2018/07/18/630164914/transcript-dan-coats-
warns-of-continuing-russian-cyberattacks.
\2\ https://www.washingtonpost.com/national-security/2024/01/31/
china-volt-typhoon-hack-fbi/.
---------------------------------------------------------------------------
In its 2023 annual threat assessment,\3\ the intelligence community
assessed that the CCP would launch widespread cyber attacks against
U.S. critical infrastructure ahead of an invasion of Taiwan to ``deter
U.S. military action by impeding U.S. decision making, inducing
societal panic, and interfering with the deployment of U.S. forces.''
Their primary targets are assessed to be energy, transportation,
communications, and water infrastructure.
---------------------------------------------------------------------------
\3\ https://www.dni.gov/files/ODNI/documents/assessments/ATA-2023-
Unclassified-Report.pdf.
---------------------------------------------------------------------------
With President Xi's asserted time line of being ready for a Taiwan
invasion by 2027,\4\ the U.S. military is kicking its response planning
into high gear, but the United States may be existentially unprepared
to defend its critical infrastructure for what would undoubtedly be an
initial wave of attacks, followed by a sustained cyber campaign
targeting U.S. infrastructure. Campaigns like Volt Typhoon demonstrate
that this threat is not hypothetical: the CCP is deliberately gaining
access to critical infrastructure so it can strategically disrupt and
destroy these systems at a future time.
---------------------------------------------------------------------------
\4\ https://www.reuters.com/world/china/logistics-war-how-
washington-is-preparing-chinese-invasion-taiwan-2024-01-31/.
---------------------------------------------------------------------------
Much of the U.S. strategy to date has focused on strengthening our
systems to keep adversaries out of our critical infrastructure and to
blunt the first wave; however, this strategy fails to recognize that
CCP attacks in conjunction with a Taiwan invasion will not be discrete
events for which we can respond proportionately, but an enduring cyber
conflict. Our current approach is inadequate. Advanced persistent
threat actors are frequently obviating protections we have placed in
these systems. It also doesn't address the rapid response and
restoration activities that will inevitably be needed to reconstitute
when attacks occur.
needed strategic posture
Much can be done to improve the current apparatus for securing
critical infrastructure, and I will address those within the context of
the water sector shortly. But I fear those actions miss the forest for
the trees.
Nationally, we need to prepare for a more realistic adversary
operational plan. Military systems have wartime reserve modes that
change their configuration and operating posture to confound adversary
exploitation, and the United States' critical infrastructure systems
need an intellectually similar set of contingencies that can be
activated in a period of major conflict.
Many critical infrastructure operators already contemplate such
impacts through the lens of natural disasters. For example, electric
grid operators consider ways to minimize the impacts of geomagnetic
disturbances from the sun by modifying the state and configuration of
their operations. This operational adaptability mindset needs to extend
to cyber-attack scenarios.
Operators need to prepare, train, and exercise for isolation
operations where they operate their operational technology (OT) systems
physically isolated from the information technology (IT) systems and
the internet. This includes creating continuity of operations plans
that sever IT and OT systems to disrupt an adversary's ability to
command and control malicious tools deployed into OT systems. Given CCP
threat actors have adopted a strategy of ``living off the land'' where
they do not install detectable malicious agents in target networks, but
rather access systems like authorized administrators,\5\ severing IT-OT
connectivity would prevent them from triggering effects to degrade or
destroy critical infrastructure systems.
---------------------------------------------------------------------------
\5\ https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-
144a.
---------------------------------------------------------------------------
Likely many critical infrastructure operators lack the needed
engineering staff to sustain isolation operations in an on-going
capacity, so new programs are needed to train National Guard units or
create a civilian reserve corps of cyber physical operators and experts
to augment critical infrastructure operators to sustain isolation
operations. Moreover, we need to practice for multiple sector failures
in population centers and assess cascading impacts. This includes not
only tabletop exercises and hypothetical wargaming, but also live
drills where we test contingency operations.
The cost of compliance is a common pushback to levying new
responsibilities on private-sector critical infrastructure asset-owner-
operators, therefore, to incentivize adoption of cyber best practices,
the Federal Government needs to reduce that burden. The Federal
Emergency Management Agency (FEMA) should extend their existing grants
program,\6\ in partnership with Sector Risk Management Agencies
(SRMAs), to fund the necessary preparation, training, and exercises.
The Cybersecurity and Infrastructure Security Agency (CISA) should be
resourced to manage a systematic exercise program to ensure that, if
necessary, we have the national experience necessary to act under
urgent circumstances.
---------------------------------------------------------------------------
\6\ https://www.cisa.gov/state-and-local-cybersecurity-grant-
program.
---------------------------------------------------------------------------
Given the scale of the challenge, FEMA and CISA should focus on the
current CISA lifeline sectors: energy, water, communications, and
transportation.\7\
---------------------------------------------------------------------------
\7\ https://www.cisa.gov/sites/default/files/publications/Guide-
Critical-Infrastructure-Security-Resilience-110819-508v2.pdf.
---------------------------------------------------------------------------
water sector
The water sector is perhaps the most under-resourced and
disadvantaged among the lifeline sectors. In addition to preparing and
practicing contingencies for a large-scale and enduring cyber conflict,
there are plenty of more targeted things that could help improve
cybersecurity and make China and Russia's cyber exploitation efforts
more difficult.
Presidential Policy Directive (PPD) 21,\8\ Critical Infrastructure
Security and Resilience, and PPD 41,\9\ United States Cyber Incident
Coordination, organized the ecosystem we have today between CISA, the
Federal Bureau of Investigation (FBI), and SRMAs. Accordingly, SRMAs
bear the front-end regulatory responsibilities, while CISA and the FBI
are responsible for back-end incident management and investigation
after a cyber attack has occurred. There is a perception by operators,
however, that systematically engaging SRMAs in incident response could
lead to punitive regulatory actions. That, combined with their frequent
lack of incident response experience and expertise, leads to an open
loop system where we do not learn from attacks, which is antithetical
to the goals of the NIST Cybersecurity Framework \10\ and Executive
Order 13636.\11\ While sectors like the bulk electric power system \12\
have been forced to ameliorate this through robust working-level
relationships, public-private partnerships, and unique authorities held
by the Secretary of Energy,\13\ other sectors such as water lack this
scale, sophistication, and authorities.
---------------------------------------------------------------------------
\8\ https://obamawhitehouse.archives.gov/the-press-office/2013/02/
12/Presidential-policy-directive-critical-infrastructure-security-
and-resil.
\9\ https://obamawhitehouse.archives.gov/the-press-office/2016/07/
26/Presidential-policy-directive-united-states-cyber-incident.
\10\ https://www.nist.gov/cyberframework.
\11\ https://obamawhitehouse.archives.gov/the-press-office/2013/02/
12/executive-order-improving-critical-infrastructure-cybersecurity.
\12\ https://www.nerc.com/pa/Stand/Pages/default.aspx.
\13\ https://www.energy.gov/ceser/energy-security-provision-within-
fixing-americas-surface-transportation-act-fast-act.
---------------------------------------------------------------------------
At a national level, water's SRMA, the Environmental Protection
Agency (EPA) needs to deepen its in-house cybersecurity expertise and
develop a strategy to promote cybersecurity more effectively within the
sector. This strategy should be informed by threat and incident
information by EPA being much more engaged with CISA in incident
response and analysis. The recently-released incident response guide
\14\ is a good indicator that these connections are strengthening.
Given the large number of water entities without any cybersecurity
expertise and limited resources, implementation guidance, in plain
language, will likely be needed to translate existing CISA, FBI, and
NSA guidance to a simplified list of priority actions.
---------------------------------------------------------------------------
\14\ https://www.cisa.gov/resources-tools/resources/water-and-
wastewater-sector-incident-response-guide-0.
---------------------------------------------------------------------------
Grass-roots efforts being led by the Water Sector Coordinating
Council and Water Information Sharing and Analysis Center (ISAC) are
also important positive steps. In fact, both MITRE and Dragos are
working closely with the Water ISAC on constructive solutions.\15\ More
broadly, MITRE has recommended SRMAs shift the focus from compliance
checking to self-assessments, threat sharing, technical assistance, and
fostering the organizational capacity and expertise to execute.\16\
---------------------------------------------------------------------------
\15\ https://www.waterisac.org/portal/water-and-wastewater-
utilities-and-other-critical-infrastructure-fortify-defenses-against.
\16\ https://www.mitre.org/sites/default/files/2023-11/PR-23-02057-
08-Cybersecurity-Regulatory-Harmonization.pdf.
---------------------------------------------------------------------------
Another important step is standardizing reporting of cyber
incidents. Despite highlighting significant cybersecurity gaps within
the water sector, prior EPA efforts were withdrawn over legal
challenges.\17\ The Cyber Incident Reporting for Critical
Infrastructure Act (CIRCIA) of 2022 \18\ offers the potential to close
this gap if the information collected is robust and focused on
reporting tangible threat behaviors and indicators. Similarly, improved
coordination and interoperability among OT security vendors \19\ could
also help close the information and reporting gap.
---------------------------------------------------------------------------
\17\ https://www.securityweek.com/epa-withdraws-water-sector-
cybersecurity-rules-due-to-lawsuits/.
\18\ https://www.cisa.gov/topics/cyber-threats-and-advisories/
information-sharing/cyber-incident-reporting-critical-infrastructure-
act-2022-circia.
\19\ https://www.nozominetworks.com/blog/ethos-emerging-threat-
open-sharing-platform.
---------------------------------------------------------------------------
Meanwhile, since Executive Order 14028,\20\ industrial capacity to
generate and deliver software bills of material (SBOMs) has been
improving. Open-source software underpins most of the internet, and is
also pervasive in OT networks. In most cases, this software has dubious
supply chains \21\ and critical infrastructure operators need tools to
better manage this risk. One approach is to have OT vendors selling
into the U.S. market provide SBOMs for their products to a
clearinghouse that notifies them if a new vulnerability is disclosed
that impacts their product. Much like safety recalls for automobiles
governed by the National Highway Traffic Safety Administration (NHTSA),
similar notices could be combined with regulatory rulemaking to prompt
critical infrastructure operators to close security gaps in a timelier
manner.
---------------------------------------------------------------------------
\20\ https://www.whitehouse.gov/briefing-room/presidential-actions/
2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
\21\ https://industrialcyber.co/reports/fortress-research-finds-
most-us-energy-software-contains-code-from-russian-chinese-developers/.
---------------------------------------------------------------------------
conclusion
In closing, there is a considerable opportunity for EPA to step up,
CISA and FBI to systematically engage across, and the network of
security vendors to make it easier for everyone to coordinate. But
these modest reforms should be kept in context with the scale of the
threat, and the limited amount of resources available to critical
infrastructure operators, particularly in the water sector. We should
urgently begin piloting, exercising, and preparing for contingency
scenarios that require isolated operations across lifeline critical
infrastructure sectors.
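The clearinghouse Dr. Clancy proposes rests on one mechanical step: matching the components listed in a vendor's SBOM against the affected version ranges of newly disclosed vulnerabilities, then notifying the vendor (and, by extension, the utilities running that product). The Python block below is an added example, not part of the hearing record and not MITRE's or any vendor's tooling. The product, vendor name, component versions, advisory identifiers (EXAMPLE-ADV-*) and version ranges are all constructed for illustration and correspond to no real product or disclosure; it assumes CycloneDX-style component entries carrying package URLs and OSV-style "affected" entries with introduced/fixed events.

```python
import json
import re

# Constructed SBOM for a hypothetical OT product, in a minimal CycloneDX-like
# shape. Product, supplier and component versions are assumptions, not real data.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-rtu-firmware", "version": "4.2.0",
                               "supplier": {"name": "Example OT Vendor"}}},
    "components": [
        {"type": "library", "name": "openssl",   "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "zlib",      "version": "1.2.13",
         "purl": "pkg:generic/zlib@1.2.13"},
        {"type": "library", "name": "libmodbus", "version": "3.1.6",
         "purl": "pkg:generic/libmodbus@3.1.6"},
        {"type": "library", "name": "lwip",      "version": "2.1.3",
         "purl": "pkg:generic/lwip@2.1.3"},
    ],
})

# Constructed advisory feed in an OSV-like shape. The identifiers, summaries and
# version ranges are hypothetical and do not correspond to any real disclosure.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "summary": "hypothetical TLS handshake flaw",
     "affected": [{"ecosystem": "generic", "name": "openssl",
                   "ranges": [{"introduced": "1.1.1", "fixed": "1.1.1l"}]}]},
    {"id": "EXAMPLE-ADV-0002", "summary": "hypothetical inflate() overflow",
     "affected": [{"ecosystem": "generic", "name": "zlib",
                   "ranges": [{"introduced": "0", "fixed": "1.2.12"}]}]},
    {"id": "EXAMPLE-ADV-0003", "summary": "hypothetical Modbus frame parsing bug",
     "affected": [{"ecosystem": "generic", "name": "libmodbus",
                   "ranges": [{"introduced": "3.1.0", "fixed": "3.1.7"}]}]},
]

_PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>[^/@]+)/)?(?P<name>[^/@]+)@(?P<version>[^?#]+)")


def parse_purl(purl):
    """Split a package URL into (type, name, version). Namespace is dropped for matching."""
    m = _PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    return m.group("type"), m.group("name").lower(), m.group("version")


def parse_version(v):
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so plain tuple comparison orders releases.
    Supports only dotted numeric segments with an optional letter suffix (OpenSSL 1.1.x style)."""
    parts = []
    for piece in v.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            raise ValueError(f"unsupported version string: {v}")
        parts.append((int(m.group(1)), m.group(2).lower()))
    return tuple(parts)


def is_affected(version, ranges):
    """True when version lies in any half-open [introduced, fixed) range.
    A range without 'fixed' is open-ended: everything from 'introduced' onward is affected."""
    pv = parse_version(version)
    for r in ranges:
        lo = parse_version(r.get("introduced", "0"))
        hi = r.get("fixed")
        if pv >= lo and (hi is None or pv < parse_version(hi)):
            return True
    return False


def match_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) pair whose shipped version is in an affected range."""
    sbom = json.loads(sbom_json)
    product = sbom["metadata"]["component"]
    findings = []
    for comp in sbom.get("components", []):
        ptype, name, version = parse_purl(comp["purl"])
        for adv in advisories:
            for aff in adv["affected"]:
                if (aff["ecosystem"] == ptype and aff["name"].lower() == name
                        and is_affected(version, aff["ranges"])):
                    fixed = [r["fixed"] for r in aff["ranges"] if "fixed" in r]
                    findings.append({"product": f'{product["name"]} {product["version"]}',
                                     "component": f"{name}@{version}",
                                     "advisory": adv["id"],
                                     "fixed_in": fixed[0] if fixed else None})
    return findings


def recall_notice(findings):
    """Render findings as the plain-text notice a clearinghouse would send the vendor and its customers."""
    if not findings:
        return "No known vulnerable components."
    lines = [f"Vulnerable components in {findings[0]['product']}:"]
    for f in findings:
        fix = f"upgrade to {f['fixed_in']}" if f["fixed_in"] else "no fixed version published"
        lines.append(f"  {f['component']}: {f['advisory']} ({fix})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(recall_notice(match_sbom(SBOM_JSON, ADVISORIES)))
```

With the constructed inputs, openssl 1.1.1k and libmodbus 3.1.6 fall inside their advisory ranges while zlib 1.2.13 sits past its fix and lwip has no advisory, so the notice names two components. A clearinghouse would re-run the match for every stored SBOM each time a new advisory lands; the weak points in practice are the version-string parser (real feeds mix several schemes) and component naming, which is why matching on package URL type and name rather than on free-text product names matters.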
Chairman Garbarino. Thank you, Dr. Clancy.
Dr. Morley, I now recognize you for 5 minutes to summarize
your opening statement.
STATEMENT OF KEVIN M. MORLEY, PH.D., MANAGER, FEDERAL RELATIONS,
AMERICAN WATER WORKS ASSOCIATION
Mr. Morley. Good morning, Chairman Garbarino, Ranking
Member Swalwell, and Members of the subcommittee. My name is
Kevin Morley. I'm the Federal relations manager for the
American Water Works Association, or AWWA.
Established in 1881, AWWA provides solutions to improve
public health, protect the environment, strengthen our economy,
and enhance our quality of life. In the modern era of utility
operations this mission also includes managing cybersecurity
risks that could threaten the essential lifeline function that
water professionals provide 24/7/365.
In terms of prioritizing cybersecurity in the water sector,
AWWA has been at the forefront with our partners in building
cybersecurity awareness and providing resources to support the
implementation of best practices. Collaboration has been a core
organizing principle. For example, AWWA worked closely with
NIST, CISA, EPA, and subject-matter experts from the water
sector to develop a sector-specific approach to implementing
the NIST cybersecurity framework, as called for in Executive
Order 13636.
Our guidance and assessment tool, first issued in 2014,
helps the utility identify and address the highest priority
controls based on their application of various IT and OT
systems. More recently, in 2021, AWWA assessed the potential
for regulatory oversight options. Our recommended approach
would create an independent, non-Federal entity to lead the
development of minimum cybersecurity requirements, leveraging
subject-matter experts from the field.
Federal oversight and approval of those requirements would
be provided by EPA as the Sector Risk Management Agency. This
collaboration approach builds on a similar model used in the
electric sector, with Congressional approval via FERC and NERC.
In a maturing CISA, consistent public-private collaboration
is essential. Recent examples of the benefits include filling
the water sector liaison position in the Stakeholder Engagement
Division, which has provided continuity of communications and
engagement with the Sector Coordination Council and the EPA. A
recent stakeholder engagement process facilitated by the JCDC
has generated a new water sector cyber incident response guide
informed by subject-matter experts and the needs of utility
owner-operators. More recently, as noted in Director Easterly's
testimony last week, threat hunting is obviously a critical
value that CISA can provide to multiple critical infrastructure
sectors.
There continues to be significant opportunity to
collaborate to support the cybersecurity needs of 50,000
community drinking water systems and nearly 16,000 wastewater
systems, including the following: unified messaging to launch
an outreach campaign with partners to expedite enrollment in
CISA's vulnerability scanning service to help utilities address
threat exposure; inform and enable utilities by investing in
capacity development to empower utility owner operators to
effectively engage cybersecurity issues that are aligned with
their needs.
We believe, for example, AWWA's small systems guidance
provides a robust Getting Started guide focused on 6 key
domains from the NIST cybersecurity framework. Training on the
application of guidance delivered by trusted partners like AWWA
is highly effective and has been a proven force multiplier for
building awareness and enabling utilities to assess potential
vulnerabilities and implement controls to mitigate risk.
Frankly, we do not need new resources. We need to organize
those that we already have in place in a manner that is more
accessible to owners and operators.
Technology transformation, as noted, drinking water-
wastewater utility operators have been evolving and adapting to
new technologies since the turn of the last century. The
difference today as it relates to cybersecurity is the
convergence of technology systems that have traditionally
operated independently.
This integration of IT and OT systems has definitely
improved operational efficiencies, but legacy OT systems were
not designed to be connected. Many of these OT systems were
major capital investments at the time of their implementation,
with an expected service life of 20 to 25 years.
The difficulty that we faced is that IT systems cycle
through upgrades at a rate that has simply outpaced those OT
systems. This digital divide has stranded many utilities on
legacy OT systems.
Funding that prioritizes and expedites technology upgrades
to address legacy OT systems is necessary to overcome this
digital divide. We must also ensure that those new technologies
apply a Secure by Design principle as recommended by CISA.
Improving threat information sharing also requires EPA and
CISA to work collaboratively with the water ISAC to establish
standard operating procedures for the inclusion of SMEs to
ensure that those advisories inform--information is transmitted
in a concise, actionable, and properly contextualized manner.
With that, sir, I appreciate the opportunity of the
committee to share these points and welcome your questions.
[The prepared statement of Mr. Morley follows:]
Prepared Statement of Kevin M. Morley
February 6, 2024
Good morning, Chairman Garbarino, Ranking Member Swalwell, and
Members of the subcommittee. My name is Kevin Morley, and I am the
federal relations manager for the American Water Works Association
(AWWA), on whose behalf I am speaking today. Established in 1881, AWWA
is the largest nonprofit, scientific, and educational association
dedicated to managing and treating water, the world's most vital
resource. We represent water systems large and small, municipal and
investor-owned, urban and rural. With approximately 50,000 members,
AWWA provides solutions to improve public health, protect the
environment, strengthen the economy and enhance our quality of life. In
the modern era of water utility operations, that mission also includes
managing cybersecurity risks that could threaten the essential lifeline
function water professionals provide 24/7/365.
it & ot in the water sector
Drinking water and wastewater utility operations have been evolving
and adapting to new technologies since the turn of the last century. A
paper presented during AWWA's 1965 Annual Conference includes a
statement that is just as relevant today as it was then:
``The complex expansion of water systems has resulted in substantial
adoption of instrumentation by the water industry. Modern instrument
systems have made possible the surveillance and remote control of
wells, treatment facilities, pumping stations, storage tanks, and
transmission main valving, while rising labor costs have prompted water
utility management to follow other industries in establishing some
degree of automation and centralized control.''\1\
---------------------------------------------------------------------------
\1\ Crow, W.B. & Eidsness, F.A. (1965) Savings Through
Instrumentation and Control In Two Water Systems. Journal AWWA,
57:12:1509.
---------------------------------------------------------------------------
The difference today as it relates to cybersecurity is the
convergence of technology systems that had traditionally operated
independently. Information technology (IT) systems are the business enterprise
systems like laptops and software systems used to manage email,
payroll, customer billing, and service contracts. The operational
technology (OT) are the systems used to manage and control various
physical operations for the treatment and distribution of drinking
water or the collection and treatment of wastewater. The integration of
IT and OT systems has improved operational efficiency to optimize
various unit processes and allowed greater visibility into those
systems.
The challenge is that many current IT systems were designed to be
connected to the internet, while OT systems were not but have since
been plugged in. This integration began before the prospect of
cybersecurity threats targeting today's critical infrastructure systems
were envisioned. The cost savings realized were long ago absorbed into
capital projects and reconfigurations of the workforce. Those OT
systems were capital-intensive and often had an expected service life
of 20-25 years. This is very different than IT systems which have
cycled through new versions at a pace that has outpaced the support for
OT systems. As a result, older legacy OT systems are dependent on IT
systems that are no longer supported and are unable to communicate with
the new versions.
The ``fix'' for this digital divide is complex since utility
services must continue working 24/7 until the transition is complete.
While implementation of certain controls can help to manage cyber risk,
ultimately IT upgrades may require total overhaul, rip and replace, of
various OT elements. These capital projects are often lengthy and cost-
intensive. As an example, a large water system recently embarked on a
5-year, $80 million capital project to complete these upgrades. The
financial cost associated with this type of transformation is amplified
by the reality that 90 percent of water systems serve fewer than 3,300
people and have severely constrained budgets.
Drinking water utilities are already facing significant costs to
comply with multiple regulations, including the revised lead and copper
rule and pending PFAS standards. The treatment processes necessary to
comply with these rules will require greater automation and digital
dependency. The compliance costs for new regulatory obligations come on
top of the $1.2 trillion that AWWA estimates is needed over 20 years
for the repair and replacement of aging distribution and transmission
lines nationally.\2\ Escalating supply chain costs on essential
treatment chemicals, piping materials and equipment have also imposed
considerable pressure on operating budgets, which are not expected to
moderate in the near term.\3\
---------------------------------------------------------------------------
\2\ AWWA (2012) Buried No Longer: Confronting America's Water
Infrastructure Challenge.
\3\ Morley, KM. (2023) Supply Chain Threats Persist. Journal AWWA
115(2):6. https://doi.org/10.1002/awwa.2048.
---------------------------------------------------------------------------
Unlike other critical infrastructure sectors, to date, there has
been no dedicated funding appropriated to expedite technology upgrades
at water systems with legacy OT systems. While cybersecurity is one of
many eligible activities within the State Revolving Fund (SRF) program,
constraints on that program may not allow utilities to acquire the
optimal cybersecurity support they need. If the water sector is truly a
national security priority, then it will need support to expedite
technology transformations to address the digital divide in a manner
that is not punitive and fulfills our shared commitment to the
communities we serve.
prioritizing cybersecurity in the water sector
Drinking water and wastewater systems sustain our way of life and
support public health, safety, and economic vitality. These systems are
robust and resilient but, like all critical infrastructure entities,
are not immune to cyber threats. In recognition of this threat, AWWA
has actively engaged our members, and the sector at large, in building
cybersecurity awareness and providing resources to support the
implementation of best practices. As evidence of growth in awareness,
utility leaders have consistently rated cybersecurity as a very high
priority in AWWA's annual State of the Water Industry report for
several years. This trend runs parallel to AWWA's collaboration with
water utility subject-matter experts and Federal partners to provide a
water sector-specific approach for implementing the NIST Cybersecurity
Framework (CSF), as called for in Executive Order 13636.
AWWA's Water Sector Cybersecurity Risk Management Guidance and
Assessment Tool, first issued in 2014, helps a utility examine which
cybersecurity controls and practices are most applicable based on the
technology applications they have implemented. The resource emphasizes
actions that address the highest-priority controls expected to quickly
provide the greatest risk reduction value. AWWA also partnered with the
United States Department of Agriculture to develop the Water Sector
Cybersecurity Risk Management Guidance for Small Systems, a ``getting
started guide'' that helps small, rural utilities serving fewer than
10,000 people assess and implement cybersecurity best practices.
Strong cybersecurity measures are essential to ensuring a cyber
incident does not threaten public health. Several cyber incidents led
AWWA in 2021 to assess a variety of potential options, which resulted
in our recommendation to establish a new cybersecurity governance
framework in the water sector. Our recommended approach would create an
independent, non-Federal entity to lead the development of minimum
cybersecurity requirements, leveraging subject-matter experts from the
water sector. Federal oversight and approval of requirements would be
provided by the EPA. This framework builds on a similar model that has
been applied in the electric sector with Congressional approval.
This governance model would follow a tiered, risk- and performance-
based approach that accommodates the differences in operational
complexity and maturity in the sector. This recommendation aligns with
calls for public-private collaboration included in the National Cyber
Strategy. It recognizes that cybersecurity is a shared responsibility
that benefits from the direct engagement and operational knowledge of
owner/operators and the accountability that comes with Federal
oversight.
We believe it is timely and prudent for Congress to authorize this
collaborative model to ensure utilities are directly engaged in
developing appropriate cybersecurity requirements--with oversight from
EPA--to create a robust cybersecurity risk management paradigm in the
water sector.
In addition to establishing a sound oversight model, it is critical
to recognize other collaborative opportunities to support cybersecurity
in the water sector.
consistent public-private collaboration
CISA's maturity has evolved significantly since its formation,
including predecessor functions. Most notable is the permanent addition
of a water sector liaison in the Stakeholder Engagement Division. This
has provided continuity in communications and generated productive
engagement with the Water Sector Coordinating Council (SCC) and EPA as
the Sector Risk Management Agency (SRMA). The most recent output was a
stakeholder engagement process facilitated by the Joint Cyber Defense
Collaborative (JCDC) which published ``Incident Response Guide: Water
and Wastewater Systems (WWS) Sector.'' This effort integrated the
insights and recommendations provided by the stakeholder community to
ensure that the guidance is best suited to address their needs.
Another useful outcome was a collaborative effort to raise the
visibility and awareness of CISA's Vulnerability Scanning service, as
recommended in prior testimony. Before the fact sheet developed with
the WSCC and Association of State Drinking Water Administrators, the
value and purpose of this tool was not accessible to the entities that
would derive the greatest benefit if enrolled. The fact sheet requires
an organized outreach campaign that can provide a unified message on
the resources provided by CISA and their relationship with other
resources.
In the earlier years of CISA's predecessor, the SCCs would come
together with agency staff for strategic planning, a requirements
assessment of sorts, to identify the needs of the various critical
infrastructure sectors. While not all sector needs became action items
for agency workplans, it was a useful exercise to examine unique
conditions and identify cross-sector needs. The WSCC, working with
State and Federal partners, has developed a strategic roadmap that
defines top-level priorities for managing risk and building resilience.
When Federal partners initiate projects to act on those priorities, it
is in our collective interest that collaboration occurs early and often
to ensure the approach is aligned with the needs of the stakeholders
whom it is presumably designed to support. Miscues lead to missed
opportunities, duplication of effort and products that do not fulfill
the needs of owner/operators.
As we did following 9/11, collaboration with trusted partners like
AWWA is a high-value force-multiplying capability that should be
maximized to address the national security risk cyber threats impose on
drinking water and wastewater systems. Other action items to be
considered further include the following:
1. Unified Messaging.--Launch a collaborative campaign to expedite
enrollment in CISA's vulnerability scanning service to help
utilities address threat exposure. This is a highly-valuable
service for systems with limited in-house resources to provide
timely information on exposures and recommended mitigations.
Work with stakeholders in the water sector to review the myriad
resources and prepare a matrix that communicates, in plain
English, the function they provide and associated relationship.
Currently, the array of ``stuff'' is overwhelming and as a
result undersubscribed or inaccessible to those with the
greatest need, absent some order or clearly-defined progression
of applicability.
2. Inform and Enable.--Invest in capacity development to empower
utility owner/operators to effectively engage cybersecurity
issues that are aligned with their needs. We believe AWWA's
small system guidance provides a robust ``getting started''
guide focused on six key domains from the NIST CSF.
Training on the application of this guidance delivered by trusted
partners like AWWA is a highly effective and proven force
multiplier for building awareness and enabling utilities to
assess potential vulnerabilities and implement controls to
mitigate risks. There is a significant opportunity to
collaborate to support the cybersecurity needs for 50,000
community drinking water systems and nearly 16,000 wastewater
systems.
3. Technology Transformation.--Funding that prioritizes and
expedites technology upgrades to address legacy operational
technologies will be necessary to overcome the growing digital
divide. These legacy OT systems simply cannot operate on newer
enterprise platforms and, in many instances, this requires a
rip and replace project that is capital- and time-intensive.
4. Improve Threat Information Sharing.--We recommend that CISA and
EPA work with partners like the WaterISAC and the Water Sector
Coordinating Council to establish a standard operating
procedure for the inclusion of SMEs in the development of
threat alerts and advisories to ensure that the information
transmitted is concise, actionable, and properly
contextualized.
In addition, it is critical to recognize and address the
unconscious competence associated with many cybersecurity
advisories. Simply state the problem and the recommended
mitigation. We would recommend putting the TTPs and MITRE
ATT&CK explanation in an appendix, as they are interesting but
often a distraction from the action being recommended to
mitigate the threat.
5. Research and Development.--The Water Security Test Bed (WSTB),
developed by Idaho National Laboratory (INL) and the EPA Office
of Research and Development (ORD), can help support research
into water sector-specific vulnerabilities and coordinate
information sharing. The WSTB is a large-scale, adaptable
testing environment that can be disrupted or destructively
tested by Government and industry partners. Funding for this
program would provide an objective platform to evaluate cyber
intrusion scenarios, demonstrate physical impacts, deliver
scalable mitigations useful for water utilities of various
sizes and budgets, and provide realistic utility operator
training.
Chairman Garbarino. Thank you, Dr. Morley.
Mr. Edwards, I now recognize you for 5 minutes to summarize
your opening statement.
STATEMENT OF MARTY EDWARDS, DEPUTY CHIEF TECHNOLOGY OFFICER,
OPERATIONAL TECHNOLOGY AND INTERNET OF THINGS, TENABLE
Mr. Edwards. Chairman Garbarino, Ranking Member Swalwell,
and Members of the subcommittee, thank you for the opportunity
to testify on securing the industrial control systems that
underpin our Nation's water sector.
I am Marty Edwards, deputy chief technology officer for
operational technology and internet of things at Tenable, a
leading cybersecurity exposure management company with 43,000
customers world-wide, including just about every Federal
department and multiple critical infrastructure providers.
In recent years, there has been an increase of successful
cyber attacks against U.S. infrastructure, including the water
sector. In November, attackers targeted the Municipal Water
Authority of Aliquippa, Pennsylvania, exploiting OT assets that
were directly accessible from the internet. Just last week, we
learned of Chinese attempts to plant malware within U.S.
critical infrastructure systems, including water treatment
plants.
Efforts to infiltrate the underlying systems that support
not only the daily lives of Americans, but also the economy,
are emerging as an acute national security risk. We must accept
that our national security defense requires securing all of the
systems that keep U.S. water infrastructure operational.
There is no doubt that the history of OT systems and the
current challenge of IT, OT, and even IoT convergence makes
securing our critical infrastructure more difficult. But we
have the tools and resources to be successful. The Federal
Government has several on-going initiatives to improve critical
infrastructure, OT, and IoT security, including for the water
sector. I've outlined many of these in my written testimony.
These are strong starting points, but they are
insufficient to address the challenge. There is still
significant opportunity for Congress to enhance critical
infrastructure cyber preparedness.
First, Congress should establish baseline cybersecurity
requirements or standard of care for critical infrastructure.
Based on effective cyber hygiene and preventative security
practices, these should be developed in partnership with
stakeholders and align with CISA's cross-sector cybersecurity
performance goals, the NIST cybersecurity framework, and
international standards.
Basic cyber hygiene for critical infrastructure operations
includes continuous visibility into what assets are on your
network, strong identity and access management, discovering and
remediating known vulnerabilities, and implementing incident
detection and response capabilities. These baseline
requirements must also address the challenges of securing
converged IT and OT systems.
Second, Congress should prioritize robust cybersecurity
funding for programs and initiatives aimed at improving OT
security. CISA's cyber hygiene program provides a range of
cybersecurity assessments to critical infrastructure and other
organizations. However, it does not currently include
assessments of OT and IoT systems. The program should be
expanded and resourced to include these services.
Congress should support CISA and the Federal civilian
Executive branch agencies to implement cybersecurity policy
recommendations, like Binding Operational Directive 23-01 and
M-24-04. Protecting our Nation's cybersecurity requires
comprehensive knowledge of our networks, including conducting
inventories of IT, OT, and IoT assets and prioritizing risk
reduction accordingly.
CISA and the Office of the National Cyber Director should
have adequate budgets to fulfill their missions and continue to
break down silos. CISA must serve as an effective operational
coordinator to strengthen security in these environments in
real time. ONCD should serve as a strategic coordinator across
Government agencies.
Last, cybersecurity should be incorporated into
infrastructure funding. Modern infrastructure projects rely
more on digital technologies and network connectivity, so it is
imperative that OT cybersecurity is addressed in all phases of
Federal infrastructure projects. Recipients should be allowed
to allocate funds toward OT security, and any projects seeking
funding should include a cybersecurity risk assessment.
Thank you again, Chairman Garbarino, Ranking Member
Swalwell, and Members of the subcommittee for the opportunity
to testify before you today on the critical subject of securing
the industrial control systems vital to our Nation's water
sector. I appreciate the work of this committee and the
bipartisan support that is here for cybersecurity.
I look forward to the on-going collaboration to safeguard
the IT, OT, and IoT systems that form the foundation of our
Nation's critical infrastructure, and I'm happy to answer your
questions.
[The prepared statement of Mr. Edwards follows:]
Prepared Statement of Marty Edwards
February 6, 2024
introduction
Chairman Garbarino, Ranking Member Swalwell, Chairman Green,
Ranking Member Thompson, and Members of the subcommittee, thank you for
the opportunity to testify before you today on securing the industrial
control systems that underpin our Nation's water sector.
My name is Marty Edwards and I am the deputy chief technology
officer for operational technology (OT) and internet of things (IoT) at
Tenable, a cybersecurity exposure management company that provides
organizations, including the Federal Government, with an unmatched
breadth of visibility and depth of analytics to measure and communicate
cybersecurity risk. In collaboration with industry, Government, and
academia, Tenable is raising awareness of the growing security risks
impacting critical infrastructure and the need to take steps to
mitigate those risks.
My expertise is in OT and Industrial Control System (ICS)
cybersecurity, and my work with Tenable has focused on furthering
Government and industry initiatives to improve critical infrastructure
security. I also previously served as the working group lead in the
development of the Information Technology (IT)/OT Convergence Report
\1\ issued by The President's National Security Telecommunications
Advisory Committee (NSTAC) in August 2022.
---------------------------------------------------------------------------
\1\ President's National Security Telecommunications Advisory
Committee, ``Information Technology and Operational Technology
Convergence Report,'' https://www.cisa.gov/sites/default/files/publications/NSTAC%20IT-OT%20Convergence%20Report_508%20Compliant_0.pdf.
---------------------------------------------------------------------------
Prior to joining Tenable, I worked in the industry as an industrial
control systems engineer and as a program manager at the U.S.
Department of Energy's Idaho National Laboratory focused on
cybersecurity. I was the last and the longest-serving director of the
U.S. Department of Homeland Security's Industrial Control Systems Cyber
Emergency Response Team (ICS-CERT), which is now part of the
Cybersecurity and Infrastructure Security Agency (CISA).
about tenable
Tenable is the Exposure Management company. Approximately 43,000
organizations around the globe rely on Tenable to understand and reduce
cyber risk. As the creator of Nessus, Tenable extended its expertise
in vulnerabilities to deliver the world's first platform to see and
secure nearly any digital asset on any computing platform, including OT
and IoT. Tenable customers include approximately 60 percent of the
Fortune 500, approximately 40 percent of the Global 2000, and large
Government agencies.\2\
---------------------------------------------------------------------------
\2\ Tenable, ``About Tenable,'' www.tenable.com.
---------------------------------------------------------------------------
why ot and why now
On January 31, 2024, news broke that the U.S. disrupted attempts by
China to plant malware within U.S. critical infrastructure systems,
including water treatment plants. That same day, General Paul Nakasone,
commander of U.S. Cyber Command; Jen Easterly, director of the
Cybersecurity and Infrastructure Security Agency (CISA); Christopher
Wray, director of the Federal Bureau of Investigation (FBI); and Harry
Coker, Jr., director of the Office of the National Cyber Director
(NCD), appeared before your colleagues on the House Select Committee on
the Chinese Communist Party (CCP).
The testimonies of these four cyber leaders addressed the threats
to our critical infrastructure. Director Wray stated that, ``cyber
threats to our critical infrastructure represent real-world threats to
our physical safety,''\3\ and Director Easterly echoed that sentiment,
saying ``cybersecurity is national security.''\4\
---------------------------------------------------------------------------
\3\ House Select Committee on the Chinese Communist Party, ``The
CCP Cyber Threat to the American Homeland and National Security,''
testimony of FBI Director Christopher Wray (22:10), https://www.youtube.com/watch?v=MJOX3cpHfUI.
\4\ House Select Committee on the Chinese Communist Party, ``The
CCP Cyber Threat to the American Homeland and National Security,''
testimony of CISA Director Jen Easterly (36:10), https://www.youtube.com/watch?v=MJOX3cpHfUI.
---------------------------------------------------------------------------
Tenable CEO Amit Yoran responded to Director Wray's comments,
calling his warning ``an urgent call to action. Continuing to turn a
blind eye to the risk sitting inside our critical infrastructure is the
definition of negligence.''\5\
---------------------------------------------------------------------------
\5\ https://apnews.com/article/fbi-china-espionage-hacking-db23dd96cfd825e4988852a34a99d4ea.
---------------------------------------------------------------------------
Efforts to infiltrate the underlying systems that support not only
the daily lives of Americans but also our economy are emerging as an
acute national security risk. Cyber attacks against water systems can
cause significant health effects, render property uninhabitable, and
displace entire communities. We live in a digital world, and as a
Nation we must accept that our national security defense requires
securing the IT and OT systems that keep U.S. critical infrastructure
operational.
While Government and industry OT security initiatives are moving in
the right direction, another key component to ensuring success is
Federal funding. As Tenable CEO Amit Yoran stated in a recent letter to
Congressional appropriators, robust cybersecurity funding must continue
to be prioritized to ensure we can meet the cyber threats of today
while securing against those of tomorrow.\6\
---------------------------------------------------------------------------
\6\ Amit Yoran, ``Support for Prioritizing CISA Funding,''
LinkedIn, November 8, 2023, https://www.linkedin.com/posts/ayoran_support-for-cisa-activity-7128398109985935360-xj7C/.
---------------------------------------------------------------------------
There is no doubt that the history of OT systems and the current
challenge of IT/OT/IoT convergence makes securing our critical
infrastructure all the more difficult. However, we have the tools,
knowledge, and capabilities to be successful.
the complicated history of securing operational technology
While OT has always been part of utilities, manufacturing, and
other critical infrastructure sectors, OT technology was considered
``safe'' from attacks because most OT devices were not connected to
outside networks. It has been commonplace for software-dependent
systems to be placed into service and never touched again for the next
10 years, resulting in OT systems left unincorporated into standard
processes for regular software updates, vulnerability assessments, and
risk mitigation practices. With the convergence of IT and OT in today's
modern facilities, these devices are often no longer air-gapped and in
many cases are exposed to the internet--and to the threat of ransomware
and cyber attacks.\7\
---------------------------------------------------------------------------
\7\ Tenable, ``Operational Technology (OT) Security: How To Reduce
Cyber Risk When IT and OT Converge,'' https://www.tenable.com/source/operational-technology.
---------------------------------------------------------------------------
The siloed nature of cybersecurity, especially between IT and OT
teams, presents additional challenges for those tasked with securing
OT. OT systems have yet to advance their security posture to be on par
with their IT counterparts. In addition, IT and OT systems have their
own goals and priorities, performance requirements, purposes, and life
cycles. To reduce cyber risk, organizations world-wide must consider
the deeply entrenched people, process, and technology issues within
both IT and OT.\8\
---------------------------------------------------------------------------
\8\ Tenable, ``Zero Day Vulnerabilities in Industrial Control
Systems Highlight the Challenges of Securing Critical Infrastructure,''
https://www.tenable.com/blog/zero-day-vulnerabilities-in-industrial-control-systems-highlight-the-challenges-of-securing.
---------------------------------------------------------------------------
OT and IoT systems require specialized asset discovery solutions in
order to not disrupt the safety and reliability of these environments.
However, in a converged system-of-systems, asset owners must
continuously evaluate all aspects of their systems, to include IT, OT,
IoT, Cloud, Asset Exposure, and Identity. If all of these
characteristics are being measured by separate security systems, it can
make the CISO's job to provide concise, consolidated reporting
difficult. Modern exposure management platforms can provide this
overarching measurement of risk that can then be communicated to senior
executives or to boards of directors.
Today's environment brings numerous opportunities for
misconfigurations and overlooked assets which makes it nearly
impossible for cybersecurity leaders to obtain a unified view of their
exposure. Too often, cybersecurity professionals develop an orientation
toward reactive, incident-focused practices.
Therefore, preventive tasks are often relegated to nothing more
than a compliance exercise which leaves security teams unable to
effectively evaluate what's happening across the attack surface.
It has long been challenging for organizations to reduce cyber
exposure with existing preventive tools. The new expanding complexity
of the modern attack surface--encompassing multiple cloud systems,
numerous identity and privilege management tools, multiple web-facing
assets along with OT and IoT systems and software--can make exposure
management all the more difficult.
Security professionals need a unified view of their environments to
realistically identify the objective security truths that indicate
their exposure to risk. For operators of critical infrastructure
environments, practices focused on cybersecurity governance, risk, and
compliance must be revamped to improve exposure visibility. Management
and remediation of security weaknesses in OT systems must be as routine
a part of plant maintenance as the mechanical servicing of hardware.
the state of operational technology in the water sector
recent threats
In recent years, there has been an increase of successful cyber
attacks against U.S. water systems and utilities, as well as wastewater
systems. California, Maine, and Nevada's water facilities have all
fallen victim to ransomware attacks. These attacks are continued
evidence that industrial security is in need of significant
improvements. In addition, some level of Government regulation is
necessary to ensure the cyber safety of water and wastewater systems.
More recently, the Municipal Water Authority of Aliquippa,
Pennsylvania was the target of the exploitation of Unitronics'
programmable logic controllers (PLCs).\9\ Programmable logic
controllers (PLCs) are common tools utilized in the water and
wastewater sectors. The exploitation of PLCs and similar OT systems is
neither new nor uncommon, but this set of attacks took advantage of direct
internet accessibility, which enables control systems assets to be
accessed remotely.
---------------------------------------------------------------------------
\9\ CNN, ``Federal investigators confirm multiple US water
utilities hit by hackers,'' https://www.cnn.com/2023/12/01/politics/us-water-utilities-hack/index.html.
---------------------------------------------------------------------------
In a water or wastewater facility, PLCs are the literal brains of
the operation. They are often programmed to do virtually all of the
operational functions at a water treatment plant. When PLCs are
compromised, threat actors can take control of motor and pump
functions, and manipulate chemical settings. The effects on water
quality and safety can be immediate or programmed to cause disruption
at a future time.
Attacks such as the one in Aliquippa, Pennsylvania, are largely due
to poor cyber hygiene. Bad actors can easily roam the internet in
search of assets that still have the factory default password. Allowing
for direct accessibility from the internet, default passwords, and a
lack of authentication security is more than negligent; it is a failure
of not only the asset owner but of the complete OT security
environment. The attack on Aliquippa's Municipal Water Authority
underscores the critical need to enhance security measures within the
water sector. This, along with robust multi-factor authentication, is
imperative for critical infrastructure organizations to strengthen
their cybersecurity posture.
federal support for bolstering sector security
In an effort to safeguard U.S. water and wastewater systems, CISA
partnered with the Environmental Protection Agency (EPA) to develop a
comprehensive toolkit designed to ``help water and wastewater systems
build their cybersecurity foundation and progress to implement more
advanced, complex tools to strengthen their defenses and stay ahead of
current threats.''\10\
---------------------------------------------------------------------------
\10\ U.S. Department of Homeland Security Cybersecurity and
Infrastructure Security Agency, ``Water and Wastewater Cybersecurity
Toolkit,'' https://www.cisa.gov/water.
---------------------------------------------------------------------------
Additionally, CISA, the FBI, and the EPA recently issued a joint
water sector incident response guide, which was developed under the
Joint Cyber Defense Collaborative (JCDC), with participation from
Tenable. The guide provides an extensive range of resources that cover
the four stages of the incident response life cycle, from preparation
to proactive post-incident activities. The guide also offers best
practices for cyber incident reporting. CISA Executive Assistant
Director for Cybersecurity Eric Goldstein emphasized, ``In the new
year, CISA will continue to focus on taking every action possible to
support `target-rich, cyber-poor' entities like WWS utilities by
providing actionable resources and encouraging all organizations to
report cyber incidents.''\11\
---------------------------------------------------------------------------
\11\ U.S. Department of Homeland Security Cybersecurity and
Infrastructure Security Agency, ``CISA, FBI and EPA Release Incident
Response Guide for Water and Wastewater Systems Sector,'' https://www.cisa.gov/news-events/news/cisa-fbi-and-epa-release-incident-response-guide-water-and-wastewater-systems-sector.
---------------------------------------------------------------------------
The EPA also issued--and then rescinded--its cybersecurity rule
which mandated that states evaluate the cybersecurity capabilities of
their drinking water systems. This mandate included assessing the
cybersecurity of their public water systems' OT environment. Despite
the rule no longer being in effect, the EPA continues to recommend
aligning cybersecurity practices with CISA's CPGs.\12\ Tenable strongly
encourages water infrastructure entities to follow this guidance as it
empowers users to inventory assets, proactively assess vulnerabilities,
implement robust cybersecurity protocols, and mitigate potential risks
to build resilient water and wastewater systems.
---------------------------------------------------------------------------
\12\ Regulatory Oversight, ``EPA Withdraws Cybersecurity Rule for
Public Water Systems,'' https://www.regulatoryoversight.com/2023/11/epa-withdraws-cybersecurity-rule-for-public-water-systems/.
---------------------------------------------------------------------------
It is worth noting that following the EPA's decision to rescind its
cyber rule, there have been significant efforts within the water sector
to support a collaborative approach with Federal partners to develop a
framework similar to that employed by the North American Electric
Reliability Corporation (NERC) and the Federal Energy Regulatory
Commission (FERC) in the electric sector.\13\ We are pleased to see
this high level of stakeholder engagement in the development phase and
the strategic utilization of preexisting successful frameworks to
enhance cybersecurity in the water sector. However, while this long-
term initiative is considered, it is imperative that we also support
more immediate actions. CISA's CPGs should be the blueprint for
implementing effective risk reduction practices in the interim.
---------------------------------------------------------------------------
\13\ American Water Works Association, ``AWWA repeats call for
strong cybersecurity measures after EPA withdraws rule,'' https://www.awwa.org/AWWA-Articles/awwa-repeats-call-for-strong-cybersecurity-measures-after-epa-withdraws-rule.
---------------------------------------------------------------------------
There is no denying that foreign adversaries will continue to
target the U.S. water sector and its more than 148,000 public water
systems. How we address vulnerabilities today and build security into
future systems will be the most important factors in determining the
outcome of a large-scale targeted attack on our water infrastructure.
Government officials and private-sector leaders must stay focused on
addressing critical infrastructure vulnerabilities, particularly those
stemming from the convergence of IT and OT technologies.\14\ Tenable
firmly believes this is a national security imperative.
---------------------------------------------------------------------------
\14\ U.S. Environmental Protection Agency, ``Information about
Public Water Systems,'' https://www.epa.gov/dwreginfo/information-about-public-water-systems.
---------------------------------------------------------------------------
current federal initiatives improving ot and iot security
Until recently, Federal resources have primarily focused on
securing IT networks. While this focus was more understandable prior to
the convergence of IT and OT, the modern attack surface is rapidly
expanding. Cyber criminals continue to use effective tactics such as
exploiting known but unpatched vulnerabilities and deploying ransomware
to gain entry into and compromise unsecured OT systems.
There are several Federal initiatives to help OT organizations
address modern security challenges, including Pillar One of the
administration's National Cybersecurity Strategy, CISA's Cross-Sector
Cybersecurity Performance Goals (CPGs), the CISA Cyber Hygiene program,
the JCDC Industrial Control Systems (ICS) Working Group, the
CyberSentry program, and the EPA's Cybersecurity Resources for Drinking
Water and Wastewater Systems. Additionally, efforts like The
President's National Security Telecommunications Advisory Committee
(NSTAC) resulted in recommendations to improve IT/OT convergence.
CISA's BOD 23-01 is helping Federal civilian departments and agencies
identify assets and prioritize OT vulnerabilities. Finally,
partnerships like the OT Cybersecurity Coalition (OTCC) are bringing
together industry and Government stakeholders to better protect ICS and
critical infrastructure assets. The following initiatives discussed
below provide direction and guidance to improve OT cybersecurity
outcomes.
Pillar One of the administration's National Cybersecurity Strategy
prioritizes establishing best practices and expanding minimum
cybersecurity standards, including basic cyber hygiene and secure-by-
design principles. The Strategy highlights the persistent security
threat of IT/OT convergence, prompting organizations to strategize
responses to these challenges.\15\
---------------------------------------------------------------------------
\15\ https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
---------------------------------------------------------------------------
CISA's CPGs are a voluntary baseline of cybersecurity practices for
all critical infrastructure entities that align with functions of the
National Institute of Standards and Technology's (NIST) Cybersecurity
Framework (CSF), which is widely utilized by critical infrastructure
owners and operators. These goals integrate recommended practices for
both IT and OT owners to prioritize security measures. Primary among
these recommended practices is the requirement of a role to oversee all
OT-related cybersecurity activities which will strengthen the
relationship between IT and OT teams, improve incident response times,
and provide OT-specific training for individuals in charge of OT
operations.
While a crucial step forward, it is necessary to acknowledge that
additional efforts are needed, particularly to fortify the security of
OT systems, especially those on which our Nation's water sector
depends.
CISA's Cyber Hygiene Program provides critical infrastructure
facilities with essential services, including network discovery and
vulnerability reporting. However, the number of eligible entities that
participate in this valuable service is limited. There is an
opportunity for CISA to enhance the promotion of these services and
expand them to cover assessments of OT systems and networks. Further,
Congress should ensure the program is adequately funded so that a
greater number of resource-poor crucial infrastructure entities and
utilities can improve their baseline cyber defenses.
CISA recently established an ICS working group within the JCDC,
which enables collaboration with CISA across a range of cybersecurity
and vulnerability management issues, including bolstering the
cybersecurity and resiliency of OT systems. Managing vulnerabilities is
essential to secure critical IT and OT infrastructure and the work done
by JCDC and CISA promotes the prioritization of network security.
Tenable is a proud Alliance Partner of the JCDC.
The CyberSentry Program was also established by CISA as part of its
on-going commitment to safeguarding the Nation's critical
infrastructure against sophisticated cyber threats. This threat
detection and monitoring capability, managed by CISA, collaborates
closely with critical infrastructure providers to vigilantly monitor
and detect cyber threats targeting both IT and OT networks. CyberSentry
facilitates collective defense and mutual benefit across the critical
infrastructure landscape through these partnerships. It provides IT and
OT network operators with comprehensive visibility into both known and
unknown assets, which is essential for effectively assessing and
managing risks.
The EPA provides cybersecurity guidance and resources for drinking
water and wastewater systems.\16\ The ``EPA Cybersecurity for the Water
Sector'' guide includes resources for cybersecurity assessments,
planning, training, and response, as well as funding options available
for water utilities.\17\
---------------------------------------------------------------------------
\16\ U.S. Environmental Protection Agency Cybersecurity for the
Water Sector, https://www.epa.gov/waterresilience/cybersecurity-assessments.
\17\ Ibid.
---------------------------------------------------------------------------
NSTAC's 2022 IT/OT Convergence Report recommendations have been
impactful for improving OT security.\18\ The report included three
recommendations that the administration could immediately implement to
strengthen the cybersecurity posture of U.S. Government-owned and
-operated OT systems. To date, only one of those three recommendations
has been partially implemented.\19\
---------------------------------------------------------------------------
\18\ Ibid 1.
\19\ Tenable, ``IT/OT Convergence: Now Is The Time to Act,''
https://www.tenable.com/blog/itot-convergence-now-is-the-time-to-act.
---------------------------------------------------------------------------
The report recommended that the President issue a Binding
Operational Directive (BOD) (similar to what Section 1505 of the Fiscal
Year 2022 National Defense Authorization Act (NDAA) requires for the
Department of Defense (DoD)) to require Executive civilian branch
departments and agencies to maintain a real-time, continuous inventory
of all OT devices, software, systems, and assets within their areas of
responsibility. The BOD should also require such inventory to include
an understanding of any interconnectivity to other systems. Following
the release of the NSTAC report, CISA issued BOD 23-01: Improving Asset
Visibility and Vulnerability Detection on Federal Networks.\20\
---------------------------------------------------------------------------
\20\ https://www.cisa.gov/news-events/directives/bod-23-01-improving-asset-visibility-and-vulnerability-detection-federal-networks.
---------------------------------------------------------------------------
Binding Operational Directive 23-01 was issued in October 2022, and
requires Federal agencies to enhance visibility into agency assets and
associated vulnerabilities. The BOD will help Federal agencies have the
necessary foundation to maintain a successful cybersecurity program,
focusing on two core activities: Asset Discovery, and Vulnerability
Enumeration.
This directive applies to all IP-addressable networked assets that
can be reached over IPv4 and IPv6 protocols and outlines new
requirements for cloud assets, IPv6 address space, and OT in an effort
to reduce cyber risk. It builds on BOD 22-01, which was issued in 2021,
and requires Federal agencies ``to remediate vulnerabilities in the
Known Exploited Vulnerabilities (KEV) catalog within prescribed time
frames.''\21\ The KEV catalog is maintained by CISA and helps
organizations prioritize remediation of listed vulnerabilities and
reduce the opportunities for threat actors to compromise systems.
---------------------------------------------------------------------------
\21\ U.S. Department of Homeland Security Cybersecurity and
Infrastructure Security Agency, ``Reducing the Significant Risk of
Known Exploited Vulnerabilities,'' https://www.cisa.gov/known-exploited-vulnerabilities.
---------------------------------------------------------------------------
Additionally, in December 2023 the Office of Management and Budget
(OMB) issued a memorandum (memo M-24-04) to Federal departments and
agencies requiring IoT and OT asset inventory, in an effort to
``enhance the U.S. Government's overall cybersecurity posture and to
help ensure integrity of systems.''\22\ The OMB set a deadline for
agencies to inventory assets by the end of fiscal year 2024.
---------------------------------------------------------------------------
\22\ Office of Management and Budget, ``Fiscal Year 2024 Guidance
on Federal Information Security and Privacy Management Requirements,''
https://www.whitehouse.gov/wp-content/uploads/2023/12/M-24-04-FY24-FISMA-Guidance.pdf.
---------------------------------------------------------------------------
While the release of BOD 23-01 and M-24-04 is a positive direction
for Federal agencies, there remain challenges with implementation.
Compared to the IT environment, where patching, upgrading, and
replacing systems is standard, an OT environment typically requires
working with legacy technologies. To prioritize remediation efforts,
agencies need a detailed view of OT and IT assets in the OT environment
and the ability to map connections between devices and identify high-
risk assets.
To ensure that Federal Civilian Executive Branch (FCEB) systems,
and agencies operating those systems, meet said requirements, Congress
should appropriate funding to implement CISA's BOD 23-01 and OMB
M-24-04. This will enable agencies to maintain an updated inventory of
assets, identify software vulnerabilities, track how often an agency
enumerates its assets, and share information with CISA's Continuous
Diagnostics and Mitigation Program (CDM) Federal Dashboard. Pursuant to
BOD 23-01, the scope of this implementation encompasses all reportable
OT and IT assets.
The OTCC brings together a range of OT cybersecurity and technology
providers to promote the use of standards-based, interoperable
cybersecurity solutions to help critical infrastructure and other
organizations defend themselves against growing threats. The OTCC also
works with Government stakeholders to promote effective operational
technology cybersecurity.
policy recommendations
Tenable recommends that Congress enact the following policy
objectives to enhance the cyber preparedness of U.S. critical
infrastructure:
Establish baseline cybersecurity requirements or standards
of care for critical infrastructure that align with CISA's
Cross-Sector Cybersecurity Performance Goals, international
standards, and the NIST CSF, based on effective cyber hygiene
and preventive security practices. Basic cyber hygiene for
critical infrastructure operators includes continuous
understanding of what assets are on networks, ensuring strong
identity and access management, discovering and patching known
vulnerabilities, and implementing incident detection and
response capabilities. For critical infrastructure providers,
these baseline requirements must address the challenges of
securing converged IT and OT environments. Pillar One of the
recently released National Cybersecurity Strategy calls for
baseline cybersecurity requirements for critical infrastructure
providers. The CISA Cross-Sector Cybersecurity Performance
Goals, based on the NIST CSF, are an excellent resource for
industry and Sector Risk Management Agencies to utilize in the
development of baseline requirements and standards of care.
Prioritize robust cybersecurity funding for programs and
initiatives that support improving OT security, including:
CISA Cyber Hygiene services, to provide expanded services,
including OT and IoT assessments, to critical
infrastructure entities and utilities, enabling them to
achieve a minimum cybersecurity posture.
CISA and FCEB agencies, to implement BOD 22-01, BOD 23-01,
and M-24-04 policy recommendations. Protecting our
Nation's cybersecurity means knowing what is on our
networks and maintaining such networks in good working
order, which includes conducting an inventory of OT assets
and prioritizing remediation of known vulnerabilities. If
an organization does not know an asset exists, it cannot
assess it for vulnerabilities. With the issuance of BOD 23-01,
Federal agencies need comprehensive visibility into their
assets and vulnerabilities across their organization.
This includes:
External unknowns
Cloud workload and resources
Operational technology
Network infrastructure and endpoints
Web application
Identity systems.
CISA and the Office of the National Cyber Director, to
ensure they can meet mission requirements. The threats to
Federal networks and critical infrastructure are growing at
a significant rate and CISA must serve as an effective
coordinator to strengthen security in these environments.
Tenable supported the creation of the Office of the
National Cyber Director and applauded efforts to stand up
this office.
Ensure that cybersecurity is incorporated for infrastructure
grant funding. Modern infrastructure projects increasingly
leverage digital technologies and network connectivity. OT
cybersecurity should be addressed in all Federal infrastructure
grant projects and should be an allowable expense for
infrastructure grant recipients.
In its oversight of CISA implementation of CIRCIA, Congress
should ensure that CISA is adequately resourced to ingest the
wealth of information that will be shared by critical
infrastructure entities. CISA should request and share
anonymized cyber incident data. It should provide actionable
information through trusted partners, such as JCDC Alliance
Partners, to provide cyber situational awareness to the broader
critical infrastructure ecosystem. Finally, CISA should move
toward automated and machine-readable formats to ingest and
share this information to the full extent possible.
Continue implementation of the NSTAC IT/OT Convergence
Report policy recommendations.
Direct Federal civilian agencies to inventory their OT
assets and provide OT asset and vulnerability information
to the CDM Dashboard. CISA has already taken steps to
address this obstacle through BOD 23-01, but Congress
should reinforce the need to gain visibility into these
mission-critical environments so we can understand the
scale of cybersecurity challenges and begin to
systematically address serious risks. The foundation for
every security framework, whether IT or OT, always begins
with visibility into the assets for which you are
responsible. Achieving this visibility is a significant
step forward for Federal departments and agencies to
protect their critical IT and OT assets against evolving
cybersecurity threats.
Develop enhanced OT-specific cybersecurity procurement
language. Public and private-sector OT procurements should
require the inclusion of risk-informed cybersecurity
capabilities for products and services. Updating
procurement language guidance will help asset owners
specify that cybersecurity be built into products and
projects rather than bolted on as an afterthought.
Including cybersecurity in both Government and private-
sector procurement vehicles will significantly enhance the
resilience of critical infrastructure systems.
Implement standardized, technology-neutral, real-time
interoperable information-sharing mechanisms to promote the
sharing of sensitive information across agencies and to
break the traditional siloed approach. Cyber attacks often
target multiple critical infrastructure sectors and
attackers have the ability to move at machine speed to
compromise multiple industrial sectors. Our defenses need
to match this threat. It is imperative for our critical
infrastructure sectors to securely communicate with each
other to get the right information to the right person, at
the right time. This requires a standardized, technology-
neutral approach, in order to leverage cyber threat and
vulnerability information from the broader critical
infrastructure ecosystem.
Support the JCDC and provide oversight of CISA to clarify
roles and responsibilities of other public-private
partnerships. Congress should continue to support the JCDC as
it advances strategic planning and incident response
capabilities for the industry. However, it is important for
Congress to provide robust oversight of CISA's JCDC efforts to
ensure there is a clear delineation of roles and
responsibilities and appropriate opportunities for industry to
engage. Congress should also provide oversight to ensure that
JCDC adequately addresses OT cybersecurity risks, threats, and
operational response capabilities.
Improve the ICS cyber workforce by ensuring CISA implements
the ICS cybersecurity training initiative included in Ranking
Member Swalwell's Industrial Control Systems Cybersecurity
Training Act, which was passed as part of the fiscal year 2024
Defense Authorization bill.
Require Independent Assessments of critical software (to
include OT and IoT). CISA should apply the Sarbanes-Oxley
``separation of duties'' principles to cybersecurity and
prohibit the provider responsible for developing and/or running
critical software from also conducting its exposure management
or otherwise testing its security, conducting security audits,
or reporting on its security.
conclusion
There are fundamental steps all Federal agencies and critical
infrastructure entities must take to improve their OT cybersecurity
posture. Security professionals need visibility into which assets are
on their networks and whether those assets are vulnerable. Known
exposures should be addressed in a timely manner and user access and
privileges must be effectively controlled. Finally, security teams must
have unified visibility into, and management of, interconnected
critical systems. These steps make it more difficult for bad actors to
compromise interconnected IT and OT systems. Government policy can help
drive these effective practices for critical infrastructure owners and
operators.
Risk assessment and asset inventory processes are desperately
needed as the rapid expansion of access and interconnectivity
dramatically increases risk. Policy guidance for minimum security
requirements and standards of care is needed to help drive improvements
in risk management practices while at the same time acting to foster
innovation.
Government support and funding are necessary to strengthen
cybersecurity programs for critical infrastructure providers which lack
the resources to protect themselves from malicious actors. Finally,
stakeholder engagement through public-private partnerships and other
collective defense efforts can improve cyber situational awareness,
strengthen policy guidance, and enhance broad adoption of cybersecurity
best practices.
Chairman Garbarino, Ranking Member Swalwell, Chairman Green,
Ranking Member Thompson, and Members of the subcommittee, thank you for
the opportunity to testify before you today on the critical matter of
securing the industrial control systems vital to our Nation's water
sector. I appreciate the work this committee is doing to elevate
cybersecurity issues with bipartisan support. I look forward to
on-going collaboration to safeguard the IT/OT/IoT systems that form the
foundation of our Nation's critical infrastructure.
Chairman Garbarino. Thank you, Mr. Edwards.
Members will be recognized by order of seniority for their
5 minutes of questioning. An additional round of questioning
may be called after all Members have been recognized.
I now recognize my friend from Florida, Mr. Gimenez, for 5
minutes.
Mr. Gimenez. Thank you, Mr. Chairman.
I was privy to a kind-of informational kind of briefing the
other day about quantum computing, and the CCP is engaged in a
Manhattan Project-level effort to develop quantum computing.
So, you know, a lot of people don't know what that is, and
I certainly didn't. But one of the things that struck me is an
example they gave me, that today's supercomputer could be able
to crack a certain code, it would take about 15,000 years for
that supercomputer to crack the code. A quantum computer can do
it in 30 seconds.
So, and the CCP is actually kind-of laser-focused on
developing quantum computers that will crack codes. So if
that's the case, is any IT system safe? Mr. Lee.
Mr. Lee. Thank you, sir, for the question.
So I think this is absolutely the right question to start
thinking about where the state is going. But when you look at
the current state of our infrastructure, most of these water
facilities, as an example, lack a firewall. So we talk about
quantum computing and AI and similar, and you could just log
into the system and change the water levels. So it's
appropriate to think long-term about that. But it's not
actually the problem that we face today. Moreover, you
absolutely can always do defense. It's just we have to actually
start investing in it.
Mr. Gimenez. Yes, but wouldn't defense be the only defense
at the end, when you're facing quantum computers that can crack
any code, can get into any system, wouldn't it be to go back to
the future, or in other words, go back where you have to
disconnect and then have manual systems again where, you know,
it's cracked? Also now we have to manually start to do this and
the switches and all that.
Because it seems to me that if you get into this realm and
they actually can do that, and you can crack any code in 30
seconds, 10 seconds, et cetera, you can get into anything.
Therefore, all of our systems that are actually tied into it
are super vulnerable or will be super vulnerable. So shouldn't
we be preparing for that today, not when it happens?
Mr. Lee. We absolutely should be. We're just very far
behind already. Additionally----
Mr. Gimenez. No, but it seems that your solution is to get
more integrated with IT.
Mr. Lee. I'm more advocating the fact that the horse is out
of the barn. Like, we are not going back to manual operations
or disconnecting it. Sounds great, but you can't operate a
digital system that way at scale.
Mr. Gimenez. Well, that is the problem. You are in a
digital system, so you are leading to inevitable failure,
inevitable defeat.
Mr. Lee. Well, yes, sir. So I would argue, though, that the
inability to operate the system in the first place would end up
being more risky. So we actually can't go back to that way of
operating. We don't have the staff physically possible to do
that, and our vendors aren't providing anything that's not
digital. There's good reason for that. You want to be able to
reduce the cost and operate the system. But ultimately, if we
take the position that we have to do manual for everything, we
won't be able to run the system.
Mr. Gimenez. I am not saying that you have to do it for
everything, but you have to have a way to get back to manual if
the system is completely compromised. So you are saying, OK,
that is it, we are done? All right, so the quantum computers
are here. Everything is, boop, we can be compromised. They can
shut us down any time they want. So we are done because we
can't go back to a manual system. Is that what you are saying?
Mr. Lee. I would actually argue that we--you're going to
lose the battle of trying to prevent everything. But when you
put humans in the loop to start doing detection, response,
recovery, you can win. We've shown that over and over again.
Mr. Gimenez. How, if you are all dependent on IT?
Mr. Lee. So as we----
Mr. Gimenez. You are dependent on a digital world, and that
digital world can be compromised at any time. How are you going
to win that battle?
Mr. Lee. You put humans and you defend, and you allow them
to be in defensible environments. So we've got plenty of case
studies that never go to the public on state actors from China,
Russia, Iran, et cetera, getting into systems that A player
teams and well-resourced teams running circles around them.
Defenders have an advantage. You're just not going to have an
advantage on every single front.
Mr. Gimenez. That is today's reality with today's
computers, where you actually need people to infiltrate your
system. In the future, with AI and quantum, you are not going
to need people. The computers will be unleashed against us. I
don't care how many people you have, you are not going to be
able to defend it. The only way you can defend it is with your
own quantum computer and your own AI.
Mr. Lee. I think there's a lot of argument to be made of
that, but a lot of that is theory. Ultimately, what we've seen
consistently over and over again is well-resourced offenders
beat well-resourced adversaries.
Mr. Gimenez. I hope you are right, but I also think that we
have got to have a plan B. The plan B is, hey, we may be able
to need to turn that off and operate somewhat of a manual
system, because if not, if they somehow defeat us, we are done.
They can get our electrical grid. They can get our water
supply. They can, you know, run havoc with transportation. They
can do all kinds of things that can, you know, really disrupt
our way of life.
With that, my time is up and I yield back.
Chairman Garbarino. The gentleman yields back.
I now recognize Mr. Carter from Louisiana for 5 minutes of
questions.
Mr. Carter. Mr. Chairman, Ranking Member, thank you very
much. To the witnesses, thank you very much for being here for
a timely discussion about something that is obviously
critically important.
I represent Louisiana, and, as you may know, we narrowly
averted a real catastrophe with salt intrusion due to low water
content and the issues with climate change. How will Federal
agencies such as CISA collaborate with State and local
authorities to implement proactive measures aimed at preventing
and mitigating saltwater intrusion in vulnerable areas, such as
in my district in New Orleans?
Dr. Morley, you want to take a crack at that?
Mr. Morley. Planning for alternative water supply is
certainly a critical need, and the challenges that were faced
in that portion of Louisiana were certainly challenging. I
think it requires a collaborative approach between EPA, the
Corps of Engineers, to some extent CISA, to evaluate some of
those opportunities. The Water Sector Coordinating Council, for
example, has made wide-scale--or regional-scale emergency water
supply a critical priority. The challenge, obviously, is the
scale. Right? Moving--I think they were estimating barging.
Mr. Carter. Well, we did water barging.
Mr. Morley. Right.
Mr. Carter. We did reverse osmosis. We were fortunate that
the weather changed and we got a little break, and it wasn't as
bad as it could be. But now, given that we have had that test,
what are we doing going forward? Because this was Mother
Nature. This was climate. This was issues that were done by
humans.
Mr. Morley. Right.
Mr. Carter. What happens if it were used in that capacity
by a bad actor?
Mr. Morley. Well, that's where the contingency is managing
for the consequence, independent of cause, is, I think, some of
the challenge that we need to overcome and address some
innovative opportunities to provide new and different water
sources.
Mr. Carter. In light of climate change, what funding
initiatives and Federal resources are being proposed to support
long-term resilience and adaptation efforts in addressing
saltwater intrusion within areas that are impacted? Anyone care
to chime in? Dr. Morley, thank you. Mr. Edwards, Mr. Lee, Dr.
Clancy.
Mr. Morley. I'm not sure on a specific funding program
specifically targeted at saltwater intrusion, sir, but programs
like the State revolving loan fund and the WIFIA program are
set up to help utilities get low-cost loans to invest in new
treatment technologies and alternative water supply.
Mr. Carter. Have you guys looked at this, what happened in
Louisiana, to use it as a case study to determine how we might
address it in the future?
Mr. Morley. I think that's an area for continued research
and analysis and how to overcome such a large-scale type of
incident.
Mr. Carter. What partnerships and coordination efforts are
being established between Federal, State, and local
stakeholders to ensure a cohesive and comprehensive approach in
addressing saltwater intrusion? How can these collaborations
strengthen and be sustained effectively going forward?
As my dear friend from Florida just said, we shouldn't wait
until these things happen. In this case, it did happen. We saw
what we narrowly averted, what could have been a major, major
issue for my State in multiple parishes. What are we learning
from that and what are we doing?
You four are notable experts in the area of water and
infrastructure and critical infrastructure. Surely you have
thought about this, and there are some thoughts on what we can
do. You are now sitting before this committee, and we want to
be able to arm you with the necessary tools that we don't wait
until we have a catastrophe. You now have the opportunity to
make an ask. What might that be to ensure that we are better
prepared going forward?
Mr. Lee.
Mr. Lee. Yes. I would add in that we need a consistent
message from Government. You go to different agencies and
you'll hear different things.
We need requirements. On the Department of Energy side of
the House, on the Advisory Committee side, we talk about cyber
resilience, cyber safety, climate change discussions, go down
the list of it, and every time from the actual electric
companies, well, here, we can do anything you want. Just pick
three and who's resourcing it.
I think we need to standardize on what are actually the
requirements and communicate with one single voice out to the
asset owners.
Mr. Carter. OK. This administration has invested a great
deal of money in mitigating lead and the issues with lead
poisoning and lead in our water. How is that working, and what
can we do to further enhance that?
Dr. Clancy? You can't take a nap in the middle of the
course, man.
Mr. Clancy. So that is not my area of expertise.
Mr. Carter. OK, fair enough. Anybody else? Dr. Morley. Mr.
Edwards.
Mr. Morley. Yes. There has been a substantial amount of
funding made available directly to support lead service line
replacement through EPA. In addition, the agency is going
through a regulatory revision process on programs or
regulations to protect the public from lead exposure.
Mr. Carter. My time has expired. I yield back, Mr.
Chairman.
Chairman Garbarino. The gentleman yields back.
I now recognize my friend from Mississippi, Mr. Ezell, for
5 minutes of questioning.
Mr. Ezell. Thank you, Mr. Chairman. Thank you all for being
here today and discussing this very important matter.
Considering the Iranian-backed cyber attacks on our
country's water infrastructure recently, I am glad to discuss
today how CISA and the Federal Government can better understand
these events and increase its security measures.
Dr. Morley, I understand that CISA has released their
cross-sector cyber performance goals. Do you believe these
goals align with existing Federal frameworks? How can CISA
further ensure coordination with other Federal agencies?
Mr. Morley. Yes, sir. So I am familiar with the cyber
performance goals, or the CPGs. They're derived from the NIST
cybersecurity framework. So I think some of the resources that
we've already developed align with those principles.
I think it is a little bit of a branding shift from the
NIST cybersecurity framework, which has created a little bit of
confusion outside of Washington, DC. But I think we're prepared
to continue moving forward and have those all mapped together
and support utilities and other critical infrastructure systems
in addressing some of those performance goals.
Mr. Ezell. Thank you. Dr. Clancy, you raised a point about
CISA needing to prioritize its efforts based on the specific
risk and threat levels for each sector. For example, the water
sector may face more risk based on a historic lack of
investment and expertise. On the other hand, the energy sector
is more prone to threats from our adversaries. Both of these
seem like pretty big threats to me. How do you believe CISA
should navigate the balance between risk and threat
considerations in the OT space?
Mr. Clancy. I think we--every sector faces risk. I think
some of the more resourced and more mature sectors have been
able to better manage that risk. But I think less resourced
sectors, like the water sector, have a significant accumulated
risk because they're so fragmented. There's so many individual
water utilities and just a lack of cyber capacity across the
whole ecosystem.
I think where we see the adversaries focusing are really
these lifeline sectors. So CISA has prioritized energy, water,
telecommunications, and transportation as sort-of the four
sectors that they think are the sort-of must-survive sectors
with respect to critical infrastructure attacks. So I think we
need to continue to prioritize those sectors, because without
those sectors, many of the other sectors would see cascading
failures.
Mr. Ezell. Can you expand on the level of risk and threat
posed to OT systems as compared to IT systems?
Mr. Clancy. I think IT systems have been the primary target
of adversaries for a long time. I think Russia, China, and
others, in addition to criminal organizations, have been
primarily focused on either criminal enterprises or espionage.
But I think what we're seeing fundamentally different in the
threat landscape is Russia and China beginning to shift from
penetrating IT systems to now starting to attack OT systems.
The number of attacks that we're starting to see that are
destructive really paint the picture that we're headed in a
really bad direction in terms of fundamentally established
international norms around what it means to cause a destructive
attack to critical infrastructure.
Mr. Ezell. Thank you. As CISA designates important
entities, what kind of OT-specific risk and threat
consideration should these agencies be looking at?
Mr. Clancy. Which agencies? The Sector Risk Management
Agencies----
Mr. Ezell. Yes, sir.
Mr. Clancy [continuing]. Or CISA? I think we have a fairly
comprehensive set of frameworks in place, all starting with
Executive Order 13636. I think the challenge is less about
having the right framework and infrastructure in place, and
it's more about the utilities being able to effectively
implement those frameworks. It's a complex ecosystem and just
the very limited IT staff, much less cybersecurity staff, it
just makes it impossible.
Mr. Ezell. I will tell you, you know, just each time we
come to these hearings, I get a little nervous and I get a
little more confident, but I would like to express my sincere
whatever effort I can put into this for you. You know, we
cannot wait. We cannot procrastinate. We have got to do
everything within our power, and you have got to get the
information to us so we can make sure that we can cut through
some of the red tape that continually surrounds Government
operations. So, you know, please work with us as hard as you
can so that we can make you be successful and we can protect
this country.
So with that, Mr. Chairman, I yield back.
Chairman Garbarino. The gentleman yields back.
I now recognize Mr. Swalwell, the Ranking Member, for 5
minutes of questioning.
Mr. Swalwell. Great, thank you. Any sort of scoring system
as far as vulnerability that water agencies could have, and I
am of two minds of this. I mean, you don't really want to put
out there who is the most vulnerable, but you can also almost,
I don't want to say publicly shame, but, you know, call out the
most vulnerable to try and get them, you know, to update their
systems. You know, Mr. Edwards pointed out, you know, a recent
attack occurred on a system, you know, via the internet.
So is that out there? Like, is there more that the private
sector can do or trade associations can do to just make sure
everyone is, you know, at a high standard?
Mr. Morley. Sure. Appreciate the question. Give it a shot
here.
There's not a scoring system. I think the complexity and
diversity of the sector makes that quite challenging. Where I
was leading in some of my testimony was, I think this requires
it's a shared responsibility. Right?
There's excellent knowledge and information available from
agencies like CISA on the threats, folks like MITRE and others
at the table that inform that process. Getting it into the
hands of a utility to actualize it and take action on it,
that's where we need greater investment in capacity development
and leveraging trusted partners like AWWA and others in the
sector to work in the field with utilities to actually
implement these controls. Right?
There's a capacity issue. You noted the work force
challenges that we have, you know, the skill sets are excellent
at treatment of water. They're not cybersecurity experts like
the gentlemen surrounding me. So that's where I think there's
great opportunity to improve our shared responsibility to
protect----
Mr. Swalwell. But, I guess, are there, like, just across
the board metrics that CISA could use or a trade association
could use, you know, on multifactor authentication?
Mr. Morley. Sure.
Mr. Swalwell. You know, level of training for, you know,
anyone, you know, who operates, you know, the systems'
accessibility, you know, the public has, you know, from, you
know, the outside? I just wondered, like, is there more we
could do to try and, as I said, just kind-of bring everybody up
to the highest standards?
Mr. Morley. Well, I think that's where, I think Rob
mentioned this, right, we need to define the outcome that we're
trying to achieve and kind-of unify around what that message is
and then put resources toward enabling entities to achieve
those outcomes.
Mr. Swalwell. Great. Mr. Edwards, one key program at CISA
to facilitate cooperation between the agency and critical
infrastructure is the Joint Cyber Defense Collaborative, also
known as JCDC. As part of an expansion of JCDC, CISA has
established an ICS working group to focus on operational
technology security issues, and I am pleased to see that it has
prioritized work in the water sector.
As a member of JCDC, Tenable, would you agree that JCDC
would benefit from a formalized structure and accountability?
What kind of results have you seen from its ICS work, and how
would you like to see it build on its ICS work going forward?
I guess, you know, the bigger question here is, does it
need more scaffolding and structure and be less opaque so that
people know how to get into JCDC and JCDC has an ability to
also throw people out if they are not faithful, trusted
partners? Is it a one-way relationship as far as you sharing
information with them or do you feel like you are benefiting
from what is coming to you?
Mr. Edwards. Yes, thank you. It's a great question.
I think from Tenable's perspective, there's no doubt that
the JCDC provides some significant value. I think when CISA
focuses on the operational aspects of information sharing, you
know, sharing information that's pertinent for a current threat
or an emerging threat, and they have sort-of a finite time
window or activity around that, it really shines. You know, so
we see great value there.
I think as a constructive criticism, perhaps, some
additional thought around how CISA incorporates other sort-of
what I would almost consider program offices into the JCDC
construct. Right? They tend to want to paint everything with
the JCDC brand. Quite frankly, I don't think that's as
effective and it dilutes some of the operational successes that
we've had.
With regards to the industrial control system group at the
JCDC, I think it's still fairly young and needs some additional
shepherding there. But we're eager, I think, to continue to
work with CISA and all of our partners at the table to improve
that entity.
Mr. Swalwell. Great. Thank you. I yield back.
Chairman Garbarino. The gentleman yields back.
I now recognize myself for 5 minutes of questions.
It is funny, the Ranking Member has asked about JCDC, that
was going to be one of my questions. Sir, you did a great job,
I think, walking the line there because we talk about JCDC I
think at every hearing we have.
I know, Mr. Lee, Dragos is also a member, so I wouldn't
mind hearing your opinion also on the question that the Ranking
Member just asked.
Mr. Lee. Yes, I think Mr. Edwards, as you said, did a good
job walking the line. Let's acknowledge that CISA consistently
cares and is putting the effort to try to collaborate, like,
and that's a beautiful thing. The reality is we're not seeing a
lot of success out of it currently, but I think that's the
growing pains.
When Government ends up focusing, especially CISA, on
here's the strategy level, it's very effective. A lot of the
messaging coming out from Director Easterly and similar is
spot-on.
When he gets into the tactical and actually having the,
sort-of the experts around the table, that tends to be a bit
lacking. I think if they continue to invest in the strategic
level and enable the group versus trying to be the players in
the field, I think they'd see more success.
Chairman Garbarino. OK, great. I appreciate that.
Dr. Morley, there are several legislative proposals
floating around that offer alternative solutions to improving
water sector cybersecurity, including a proposal for a water
sector regulatory model that is similar to the energy sector's
model. However, we have heard from the energy sector
stakeholders that some of their regulatory requirements are
compliance-based rather than security-based, and often take up
to possibly 50 percent of an operator's time that can be spent
on actual securing systems.
In any future legislative solutions how can Congress ensure
operators are consulted in a way that prioritizes outcomes-
based security?
Mr. Morley. Absolutely. So I think part of what we're
trying to achieve with the recommended approach that we've
suggested Congress take into consideration is to move to a
risk- and performance-based approach that can scale across the
sector. So the recommendation that we've suggested isn't just a
lift in their XIP model and drop it onto the sector. I think
there needs to be some recognition of the diversity and the
complexity of the operations. Some of the controls, as
Representative Swalwell noted, right, there are some baseline
requirements that we need to establish and then allow that to
scale associated with the complexity of the system. Owners and
operators in the field need to be directly involved in defining
what those are because they understand those operational
challenges, with insight that can be provided by Federal
partners at EPA and CISA, for example.
Chairman Garbarino. So when you think through the
appropriations process--I mean, what is the best process then
for us to legislatively fix this or to make sure that operators
are included? I mean, this changes rather quickly, I think,
with the, you know, technology. As we heard before by my
colleague Mr. Gimenez, this stuff is moving very quickly. So
does the industry have a thought on what is the proper process
to make sure the operators are at least successful when dealing
with Congress?
Mr. Morley. Yes, I think the process that we're trying to
establish and what we've suggested sets clearly-defined
objectives for what performance would be in place to manage
cybersecurity at a water utility system with some audit and
oversight function to provide for that accountability.
Oversight from EPA would be provided as a Sector Risk
Management Agency, and certainly information and other threat
intelligence from other agencies, including CISA, would be
informative to that process.
Chairman Garbarino. EPA is the Sector Risk Management
Agency right now.
Mr. Morley. Yes, sir.
Chairman Garbarino. Do you think they should be?
Mr. Morley. Yes, sir.
Chairman Garbarino. Do they have the employees to be able
to do it?
Mr. Morley. This is why we think that there is a need to
create an independent, non-Federal entity to leverage sector-
specific knowledge of owners and operators to inform similar to
what NERC does, to establish those requirements and then be in
the field to do that. EPA does not have the staff to go out in
the field and work with 50,000 community water systems.
Chairman Garbarino. Thank you. Dr. Clancy, I understand
that EPA is, again, we just talked about this, the SRMA for the
water sector with the mandate to carry out incident management
responsibilities and to facilitate technical assistance under
the PPD 21. With this in mind, EPA--as the administration
rewrites PPD 21, what should they consider when balancing
responsibilities between CISA and each SRMA, especially when it
comes to OT technology?
Mr. Clancy. I think the primary thing would be a more
deliberate engagement of the SRMAs in the incident response
process. They can bring domain expertise and context. They can
also learn from hands-on experience in the incident response
process to better inform any regulations that they're
developing on the front end of the process.
Chairman Garbarino. I appreciate that. I know we are going
to have a second round of questions, so now my time has
expired.
So I recognize the gentleman from New Jersey, Mr. Menendez,
for 5 minutes.
Mr. Menendez. Thank you, Chairman. Thank you for bringing
us together today. Thank you to the witnesses.
In 2021, Congress passed the Infrastructure Investment Jobs
Act, a historic investment in our Nation's infrastructure that
will help build and modernize our water system, transit
networks, and broadband, among others. One struggle for much of
our critical infrastructure is a reliance on decades-old
operational technology that is hard to update and which does
not have the security for today's threats.
Mr. Edwards and Mr. Lee, how can CISA and other Federal
agencies help ensure that critical infrastructure investments
build in stronger security utilizing the latest Secure by
Design practices?
Mr. Edwards. I'll take a shot first, so thank you for the
question.
Mr. Menendez. Sure.
Mr. Edwards. You know, I think we talked earlier in our
opening testimony that there's no doubt that all infrastructure
now relies on digital equipment to function. So I think that I
would emphasize we need to continue to fund that at all aspects
of a project. So it's not just a once and done, right. This
isn't a capital expenditure like building a bridge or building
a tank with water in it. This is an on-going care and feeding
that's required of these OT networks.
I'm pretty optimistic that if the funding agencies or
entities, be them State, local, Tribal, territorial, or
Federal, follow things like CISA's cyber performance goals as
those minimum baseline requirements, that we can get there. I
think that long-term, some regulatory capabilities are
necessary to put the checks and balances in place, but we just
need to make sure that from the get-go, we're defining the
cybersecurity objectives in the project and then measuring them
with metrics and key performance indicators along the way.
Mr. Menendez. Appreciate that. Anything on the Secure by
Design practices that you would like to touch on?
Mr. Edwards. Yes, I think that that's certainly an area of
passion for me. You know, many, many entities, vendors, OEMs,
et cetera, have built equipment over the years that wasn't
necessarily Secure by Design. So I think having, again, a
minimum baseline kind-of set of requirements that in order to
be used in critical infrastructure, your equipment must meet
the minimum requirements. Right? You must change the default
password upon, you know, first installation kind-of thing. Then
we would alleviate some of the challenges we've seen recently
with equipment directly connected to the internet with default
passwords.
So, yes, I believe that this initiative by CISA has got
some really good opportunity, and I'm happy to see that they're
structuring some of IT specifically for OT and industrial
control systems.
Mr. Menendez. Sure. Mr. Lee, anything you would like to
add?
Mr. Lee. Yes, I would agree with Mr. Edwards and add that
it really goes back to the strategy of what do we actually care
about? So we can talk about cyber hygiene, cyber resilience,
all those cyber buzzwords all day long, but what are the
scenarios we actually care about? You care about ransomware in
an OT system. You care about targeted attacks, like Pipe Dream,
we've seen before. There are certain things that have happened
that we need to address. Right now, we oftentimes, especially
from a government perspective, get into how to operate the
system or how to change things, and the asset owners and
operators are confused about what we're even trying to
accomplish.
So we need to get out of the weeds a little bit and go back
to the why and what are we doing this? Leave the expertise to
the ones that are actually operating the infrastructure to
accomplish that. Or said a little bit more punchy, there's a
lot of folks that have never set foot in a pump station that
are trying to tell people how to operate it. Let's figure out
what are the scenarios and then let them go use their expertise
to do it, and we can do exactly what you're talking about.
Mr. Menendez. Sure. How quickly are those different
scenarios evolving in terms of this, like, threat landscape?
Mr. Lee. On the OT side, not as much. We have high-
consequence attacks, but they're much less frequent in terms
of IT. So in the water sector, there's probably 3 or 4
scenarios that we should really be guiding toward, and then
there's slowdown effect to a bunch of the other scenarios that
may happen by the same security controls we're putting in
place. But if we get out there and tell them to do 50 things,
and most water utilities in this country share one IT
contractor, let alone a full-time IT or security staff, it's
just not going to work that way.
Mr. Menendez. Sure. Dr. Morley, how is the water sector in
particular seeking to ensure investments in water
infrastructure built with security in mind?
Mr. Morley. Well, unlike many of the other sectors, we have
not had direct investment in supporting our technology
transformation, and so that is something that we've advocated
for. I think there are opportunities within America's Water
Infrastructure Act of 2018 to authorize some resources to
address resilience of utilities, but they have not been
appropriated to date.
Mr. Menendez. Got it. With the last question, the EPA
serves as the Sector Risk Management Agency for the water and
wastewater sector, but has often struggled to have the
resources and expertise to support the sector, making
collaboration with CISA particularly important. For anyone that
wants to answer, how can CISA and the EPA better coordinate to
improve their support for the water sector?
Mr. Morley. I guess I'll take a run at that.
Mr. Menendez. Sure.
Mr. Morley. Sitting with them, with the Sector Coordinator
Council. I think it really necessitates a much more
collaborative approach that brings the stakeholders to the
table to clearly identify the needs that we actually have, so
that the solution set satisfies those requirements.
Mr. Menendez. Got it. With that, I yield back.
Chairman Garbarino. You are out of time. The gentleman's
time has expired.
I now recognize my friend from Texas, happy he is here to
waive on today, Mr. Pfluger.
Mr. Pfluger. Thank you, Mr. Chairman. I appreciate you
letting me waive on. Thanks for holding this.
Dr. Morley, good to see you again. I know you testified in
front of the Energy and Commerce Committee on this important
subject.
Mr. Chairman, I will say that it is important to have both
perspectives, you know, on the homeland side with the critical
infrastructure, but also with the jurisdiction of ENC. I think
this highlights why it is important to have Members on those
committees.
We held a hearing last week. It was clear to me that any
standard or Government action has to be collaborative between
the operators who know the issues. A one-size-fits-all approach
is probably--you know, that is really what I took away from our
hearing last week.
So I will start with Mr. Lee, and I would like to hear from
you. Can you highlight a few key differences in the industrial
cybersecurity community when it comes to different operational
technologies?
Mr. Lee. Yes, and thank you for the question, sir.
Absolutely, when you look at the operational technology
side of the house, a lot of those IT security things that we
know as basics and smart things to do are maybe not even the
right emphasis. You talk about vulnerability management in IT.
When we look at it from an intelligence perspective, it's
something like 2 or 3 percent of vulnerabilities that matter to
operations technology at all. So a lot of the times we just put
the wrong emphasis on what we're supposed to do in OT. So we
give out pages of guidance to folks that actually don't move
the needle toward operational resilience.
If you steal from IT, you steal somebody's data, you target
OT, you kill people. You need to treat that differently.
Mr. Pfluger. Across industries what are the commonalities
that you are seeing?
Mr. Lee. Across industries the commonality is that the
native functionality of those systems is important and needs to
be protected, and it's also what the adversaries target. If I
can open up a circuit breaker on an electric substation as an
engineer, so can the adversary. If I can control a water
station as an operator, so can the adversary. It's not just
about exploiting the system, it's about knowing how to operate
it. That part is common. Then when it gets to the physical
process and the purpose of the operations, that's where it gets
more specific to industries.
Mr. Pfluger. Thank you very much.
I will go to Dr. Morley now. In the Energy and Commerce
hearing, the need for a collaborative approach was discussed. I
think that was a bipartisan conversation and agreement across
both sides of the aisle. We talked about the electricity sector
in that particular hearing, which is an industry with
significant risk.
Can you talk to us about how, on January 9, DHS published a
report highlighting this need entitled, ``CISA needs to improve
collaboration to enhance cyber resiliency in the water and
wastewater sector''? Based on your hearing last week, this week
as well, how can CISA improve their coordination and
communication with EPA, the water industry, and the cyber
community?
Mr. Morley. Yes. I mean, they have made some substantial
strides since the focus period of that report. First, starting
with actually having a sector liaison dedicated to the water
sector, which we didn't really have for several years. So
that's a significant improvement in the stakeholder engagement
division.
I think some of the current activities centered around
elevating visibility on the vulnerability scanning service are a
positive development, and we look forward to working to elevate
the profile on how those resources can support utilities with
some of these capacity challenges.
Mr. Pfluger. Thank you. We have got about a minute-and-a-
half left. Let's just go to that, you know, most vulnerable
situation. I want to go down the line. You know, what is the
situation, the attack scenario, specifically dealing with water
that keeps you guys up at night? Minute-and-a-half. We will
have to do about 15 seconds, 20 seconds per.
Mr. Lee. Yes, I would say, generally speaking, I care about
things at scale. Local communities can kind-of respond, but
when you start looking at sophisticated capabilities that could
be reused and you start looking at destructive or disruptive
operations, you can very quickly deny drinking water. I mean, I
can't sit through this hearing without going through this water
for, you know, 30 seconds, let alone 2 weeks. So denying access
to our communities or even manipulating chemical levels in that
at scale is a scary scenario that we have to prepare for.
Mr. Pfluger. Thank you. Dr. Clancy.
Mr. Clancy. I'm particularly concerned about the
interdependencies between several of the different critical
infrastructure sectors. You hit energy, water goes down shortly
thereafter. Same thing with natural gas. Right? So they're all
interlinked. If you have a significant attack on one, you can
cause cascading failures in others.
Mr. Pfluger. Great point. Dr. Morley.
Mr. Morley. Yes. I would signal the similar concern with
cascading implications for degradation of drinking water or
wastewater services and the consequences within the community
for that service being unavailable.
Mr. Pfluger. OK. Last, Mr. Edwards.
Mr. Edwards. Yes. I think echoing the previous witnesses,
the, you know, the reuse or the common use of some of these OT
devices, the programmable logical controllers, is across many,
many sectors. Right? So you have the same box in a water
treatment plant that you do in an electrical substation that
you do in a manufacturing plant. So kind-of my nightmare
scenario is some type of malware or ransomware that holds all
of those devices hostage or makes them inoperable, and we just
simply do not have the supply chain capacity to replace all of
them in any reasonable amount of time.
Mr. Pfluger. Thank you for all of the witnesses being here.
Chairman, I yield back.
Chairman Garbarino. The gentleman yields back. Thank you
very much for coming.
I now recognize Ms. Lee from Florida for your first round
of questions. Right? Yes. Wonderful.
Ms. Lee. Thank you, Mr. Chairman. Thank you to all of our
witnesses for joining us here today. It really helps us to hear
your insight and perspective.
One thing that I am interested in is CISA, you know, who,
as you all know, offers a lot of voluntary cybersecurity tools
and assessments and ways that they can help critical
infrastructure entities. But not all organizations really have
a lot of visibility or awareness of these tools and how they
can be useful.
So I am interested, you know, Dr. Morley, maybe we start
with you. In your view, what can CISA do to make sure that the
entities who can avail themselves of these tools and supports
know that they exist and actually engage and utilize them?
Mr. Morley. Sure. I think we've started some of those
conversations, and I think what's really important is, again,
the diversity and the complexity and capacity of the systems
within the water sector really requires us to organize the
resources in a manner that's more accessible. Some of the
resources that are there now, you know, it's one line. You
don't know what it is. If you're not a cyber expert, you're not
going to sign up for it. So I think a more collaborative effort
with stakeholders to define different entry points into those
resources, right, so it scales to what their need is, and then
they progress within a maturity model would be very effective.
Ms. Lee. Do any of the other witnesses have something to
add on that particular subject?
Mr. Lee. I would just say that, again, at a strategy level,
CISA is doing an amazing job. When you're talking about a lot
of these services, many of them are done more efficiently in
the private sector. If there was more direct resourcing to the
local communities and the water companies that actually deal
with their local integrators, the local contractors, et cetera,
you would not only achieve more efficiency, but then you
wouldn't have to worry about trying to make awareness available
to 50,000 entities, they would know who to reach out to, and
you would create jobs and resources in the local communities as
a result.
Ms. Lee. On that subject, I am also interested in your
experiences working with the regional offices. It sounds like
taking some of that national and making it more local-based and
regional-based would be effective. What is your experience
working with those regional offices?
Mr. Lee. It tends to be a wide variety of skill sets. So as
an example, where CISA can have more of the general strategy
and cybersecurity, I would look for the regionals to be much
more aware of their local sites, much more aware of how those
operations work. Region by region, it's just resourced so
differently that it's disparate.
Ms. Lee. Dr. Clancy, what is your experience or perspective
on that subject?
Mr. Clancy. I think there's something like 180,000 water
utilities. You probably know the number, something like that.
Right? So there's just so many of them, and many of them are
tiny, and they just don't have--as you talk about the ability
to apply for some CISA program, it's not even remotely on their
radar. Right? They're just trying to keep their one tiny
pumping station running. So I think the larger, better-
resourced organizations are the ones that have the capacity to
even engage in these programs, and they're perhaps the ones
that don't need as much help. So I think that's the asymmetry
we have.
Ms. Lee. What would be your thoughts on how we get these
programs and supports down to those smaller ones who, you know,
I understand often, in other sectors, too, other critical
infrastructure sectors, often are the ones that need the help
the most?
Mr. Clancy. Well, I think there's a couple different
approaches. Certainly Rob's suggestion that we better engage
the private sector, who is providing much of the support to
them already, would be one avenue. I think there's also sort-of
these mentorship-type programs where you can have the larger
operators be resourced to work more closely with the smaller
operators within their communities as a way to work across.
Ms. Lee. Thank you, Mr. Chairman. I yield back.
Chairman Garbarino. The gentlelady yields back.
We are now going to do a second round of questions for
Members who want.
I now recognize the gentleman from Florida, Mr. Gimenez,
for his second round of 5 minutes of questions.
Mr. Gimenez. Thank you. I need to go back to what my
premise was in the beginning, but I am going to. What if I told
you that we rely on a lot of systems that use GPS and that now
GPS is becoming less and less--well, it is almost becoming
useless to the point that it's being jammed? So now we have to
go back in time again to other systems for our weapon systems,
like inertial navigation and magnetic navigation.
So, you know, my first round was, hey, you have got this
threat coming. It is called quantum computing, attached to AI.
It is going to make all your efforts--it could make all your
efforts fruitless. So, you know, I was thinking about, OK, you
know, do we go back to manual? I touched on that, but instead
of relying on the internet, wouldn't it be smarter for us to
rely more on intranet, to have those systems that are vital to
us, unplug them from the internet so they can't be attacked
from the outside? It is just a closed loop. They can have all
the efficiencies of, you know, IT or operational technology, et
cetera, but they can't be attacked from the outside because
it's a closed loop.
What if I were to tell you that the Chinese are already
doing that, that they have established a vast network of
intranet, not internet? It is not connected to anything. They
are only connected to each other. That is it. You can't get to
it from the outside.
Would that make sense to protect our vital infrastructure,
like energy? Like you said, energy, if they attack our energy
sector, they will eventually get to everything else because our
water systems run on energy, all that. So would it make sense
for the United States to start investing in an intranet of
vital operating systems?
Mr. Lee. So, sir, I would generally say that I very much
prefer the American infrastructure services provided than the
ones the Chinese provide to their citizens, and it's because of
that that we have digitization and connectivity. You can't go
back.
But to your point, I think it's spot-on for what are our
strategic sites? What are the ones that we want to be able to
have that capability? Because to do it at scale across the
50,000-plus water companies cannot be resourced, especially
when we're still dealing with the trillion dollars' worth of
infrastructure upgrades we just need for clean water.
Mr. Gimenez. But, sir, I am giving you Murphy's law, and
you are denying it. You are saying it is OK. Well, you know, I
mean, we resource it, which means, to me, you need more people,
you need more money. What if I were to tell you that for every
one person that we have working on the Chinese issue or the
CCP, they have 50? You will never be able to out resource them.
OK?
Mr. Lee. Sure.
Mr. Gimenez. So shouldn't we develop walls that are really
hard to penetrate? If you are somehow attached to the internet,
you are bound to fail. We are bound to fail.
Mr. Lee. Yes, sir.
Mr. Gimenez. So, go ahead.
Mr. Lee. I'm an Air Force and NSA alum, sir. I would take 1
of ours for 50 of theirs any day.
But to your point, when you look at these systems, if we
pick out the strategic sites and do a lot of what you're
talking about, I think it's a great idea. We just cannot scale
it across the entirety of the country, especially when a lot of
water infrastructure companies share one IT contractor amongst
6 companies, you're talking about 20 more engineers per
company. It's not in the resourcing capabilities of our
country. But to pick up the strategic sites, I think you're
spot-on.
It also goes back to what the Department of Energy is doing
with the cyber-informed engineering. Here's key sites on like a
crank path to restore the electric system if it goes down.
Let's make sure those have the ability to do that. That makes a
lot of sense.
Mr. Gimenez. No, what I am saying, like the vulnerability
comes from the fact you are tied to the internet. Anybody can
attack you from anywhere in the world. If you have a closed
system, intranet, they can't attack you from anywhere in the
world because you are a closed system.
Mr. Lee. We could not operate it.
Mr. Gimenez. You what?
Mr. Lee. We could not operate it. When you look at the
operation portfolio, when you look at the OEMs, the original
equipment manufacturers, and how they build these systems and
how we work with them, you can no longer operate manually,
disconnected, or in an intranet. Unfortunately, that's just a
reality. We have to set it at a technical level. So then it's
risk management beyond that about what do we do about it?
Mr. Gimenez. Should we develop that capability?
Mr. Lee. I think there are more efficient ways to get to a
more resilient system than trying to do that again.
Mr. Gimenez. I guess I am a little bit more pessimistic
knowing what is coming. I think we should be investing in
ways to defeat what is coming. Not what is here, what is
coming. Because at the end, if what I am hearing is true, you
won't be able to defeat it. The quantum computing attached to
AI will be able to penetrate any system anytime.
So, OK, thank you very much. Appreciate it.
Yield back.
Chairman Garbarino. The gentleman yields back. He is still
fired up today. I like it. But someone is going to give me some
nightmares, some of these doomsday scenarios you are talking
about.
I now recognize Mr. Menendez from New Jersey for a second
round of questions.
Mr. Menendez. Thank you, Chairman.
Chairman Garbarino. Yep.
Mr. Menendez. As part of the Biden administration's efforts
to strengthen OT ICS cybersecurity, it launched a series of
sector-specific sprints, including for the water sector,
reflecting the administration's desire to make OT cybersecurity
a priority and better defend critical infrastructure from our
adversaries. To any of the witnesses, what results did you see
from these efforts?
Mr. Morley. So I think in terms of the water sector in that
sprint, I think some of the resources and focus was on some
very specific technology solutions that honestly were a bit
beyond the reach of many utilities in terms of maturity. But
there are important awareness activities that have evolved from
that, such as focusing on some of the more fundamentals, like
vulnerability scanning services, that would address some of the
vulnerabilities that we've seen exposed in water utilities
recently.
Mr. Menendez. How can the Federal Government ensure that
such sprints turn into sustained actions in the future?
Mr. Lee. Yes, I would say it goes back to the direct
resourcing of those infrastructure providers. I think, you
know, this goes back to the previous question. When we looked
at the electric sector, that same kind of initiative was go out
and do whatever you think is best, and you already have the
capabilities and the rate structure to be able to get the
resources to go do this. When it got to the water sector, they
were pushed very strongly to a Government-specific answer that
didn't actually meet a lot of what they were trying to
accomplish with no resourcing behind it.
So more optionality and expertise from the asset owners and
operators with more direct lines of resourcing, and you can
achieve those outcomes.
Mr. Menendez. Good. Appropriators are currently working to
negotiate a final fiscal year 2024 appropriations package.
Fortunately, last year the House rejected an effort by some
Republicans to cut CISA's budget by 25 percent. I am hopeful
that appropriators will reach an agreement that adequately
funds CISA's needs, including with regard to OT security. To
any of the witnesses, how important is adequate CISA funding to
maintaining its support for OT security and the water sector?
Mr. Edwards. Yes, I can take that one. A little bit of my
previous role as director of the Industrial Control Systems
CERT, which is now part of CISA, you know, I think that
appropriate level of funding is imperative in this area. You
know, cyber, the threat landscape continues to expand at
unbelievable rates, and we must scale our defensive postures
accordingly.
So I think it's very easy within CISA sometimes to, you
know, I guess not fund an OT-specific initiative if they have
another compelling initiative to secure the IT systems in the
Federal Government, for example. Those are very tough
decisions, and continuing to expand to the appropriate levels
of funding would alleviate some of those challenges.
Mr. Menendez. Decision making that they have to do in terms
of looking at priorities----
Mr. Edwards. Absolutely.
Mr. Menendez [continuing]. And being able to fully
implement a cohesive strategy, a comprehensive strategy that
takes care of both of IT and OT.
Mr. Edwards. Absolutely. I think that CISA needs to have a
lot more external advertising, for lack of a better term, to
the initiatives that they have existing in OT, and essentially
bring that into a cohesive series of programs rather than they
continue to kind-of reorganize and move them around. Right?
Some of that is as a result of having to deal with funding
shortfalls.
Mr. Menendez. Sure. Just picking up off of that because you
are sort-of alluding to prioritizing, what programs are most in
need of strong funding in the coming fiscal year, in your
opinion?
Mr. Edwards. Oh, wow. CISA has a very broad remit----
Mr. Menendez. Sure.
Mr. Edwards [continuing]. And this is a hearing on
operational technology security, and it's also a passion of
mine. So I think that anything to do with industrial control
system critical infrastructure should be right at the top of
that pile.
Mr. Menendez. Appreciate that.
With that, since I do have time, I yield back.
Chairman Garbarino. The gentleman yields back. Thank you.
I now recognize myself for 5 minutes of questions for the
second round.
Dr. Clancy, we have learned that a common hurdle in
securing OT is having the personnel necessary to prioritize and
implement guidance. Small and medium organizations and the
Federal Government alike face challenges in hiring and
retaining cybersecurity personnel in every part of it, but
specifically amongst OT experts. How can CISA help build
baseline OT expertise internally and at each Sector Risk
Management Agency?
Mr. Clancy. Zooming out to the macro perspective, we have a
huge cybersecurity work force gap in the country. I think
something like 37 percent of cyber vacancies Nation-wide are
unfilled. There's, I think, 300,000 empty cyber jobs because we
just don't have the cyber work force capacity writ large across
the country. This becomes even more challenging for small
utilities, for the Federal Government, where their salaries
just aren't competitive enough to attract and retain any of the
top cyber talent.
So I think there needs to be broad efforts to just one on
the front end, increase the supply of cybersecurity talent into
the broader work force so that you have the capacity necessary
to even fill some of these jobs. Then you need to find ways
to--first off, there's very few university programs that have
any focus on OT, particularly industrial control systems, that
just does not exist in current university curriculum. I think
NSA's Center for Academic Excellence Program, for example,
could be expanded, it's something they operate currently
jointly with DHS, to include an OT cybersecurity focus and be
able to really broaden university curriculum in this area. That
would help, I think, with the front-end capacity. I don't know,
there's probably lots of things we could do on the back end to
retain them in those jobs as well, but a lot of that comes down
to compensation and other things.
Chairman Garbarino. I appreciate that. Actually we are
working, we are going to be working on some work force
legislation. So if any of you have, you know, detailed thoughts
and ideas, please share them with the committee staff, because
there is something we are going to try to move before the end
of Congress this session.
Mr. Lee, I understand some in the industry have discussed
potentially expanding CISA's Secure by Design guidance to
include a Secure by Operation type of guidance for OT. How
could something like this help OT vendors and operators?
Mr. Lee. Yes, I think, again, the increased focus on this
is the right area. I would say that at a higher level kind-of
cross industry, it really needs to be based more on principles
than specifics.
But also we have a lot of ability to have a point of view
and sometimes we don't have it. What I mean by that in terms of
soft power, if CISA even came out and said, look, here's some
basic requirements of the next generation PLC, or here's what
we think good looks like, most asset owners would staple that
to an RFP out to their vendors and it'd be in the market
tomorrow. The problem is then, though, that CISA gets an angry
letter from a vendor, some lawyer gets involved, and they back
off. So we got to empower them to have points of view on
national security and be protected from perception to be able
to do what you're looking for.
Chairman Garbarino. I appreciate that answer. That is
actually a great idea.
So expanding on my JCDC question earlier, I sent a letter
last year to ask CISA for details about how the JCDC will
coordinate with similar information-sharing efforts in the
private sector, like the ARC, and similar efforts in the
Federal Government, like ETAC at DOE. It is important that
whatever the structure is, OT should be a priority.
This is for both Mr. Lee and Mr. Edwards, since you are
both members of the JCDC. As CISA continues to refine the
structure of the JCDC, do you think that they should organize
these spokes on a sector-by-sector basis or by IT versus OT or
something else?
Mr. Lee. Yes, I would take for a shot and say that there
needs to be the IT versus OT separation at the macro level,
which they have done. There is an ICS or OT-specific JCDC. But
then in that spoke aspect, it's spot-on. If you look at the
ETAC as an example, it's a very promising model, but it really
comes down to all these groups want to share information, but
very few want to produce it. So we have to have the experts in
the room using the unique data sources of the governments to
produce the insights and then share versus waiting on the
vendors to give them information and then echoing it out.
Chairman Garbarino. Mr. Edwards.
Mr. Edwards. Yes, I agree with my colleague. I also would
add that when it comes to the separation of IT and OT, you
know, I think we've talked many, many times during this hearing
that that convergence issue really, we have to address both
simultaneously, right? You can no longer secure OT without
securing your IT and vice versa. So although some focus groups,
I think are a great idea, I think it's also beneficial to have
that cross-sector and cross-discipline, cross-domain
pollination, which I think that the JCDC is well-constructed to
do.
I would also add that they should build those connections
into other information-sharing programs. I think we have to
continue to break these silos down.
Chairman Garbarino. Thank you very much. All right.
Mr. Swalwell. Unanimous consent request briefly.
Chairman Garbarino. Proceed, OK.
Mr. Swalwell. Mr. Chairman, I ask unanimous consent to
insert into the record a question for the record from my
colleague, Mr. Garcia of Long Beach; a statement for the record
from Open Policy; a joint statement for the record from the
National Association of Clean Water Agencies and the Water
Environment Federation; and a statement for the record from the
Association of Metropolitan Water Agencies.
Chairman Garbarino. Without objection, so ordered.
[The information follows:]
Question From Rep. Robert Garcia
February 6, 2024
Since the Bioterrorism Preparedness Act of 2001, water systems
serving more than 3,300 persons have been required to conduct a
vulnerability assessment and prepare an emergency response plan, which
was directed to include cybersecurity threats. Then, in 2014 under
Executive Order 13636: Improving Critical Infrastructure Cybersecurity,
the National Institute of Standards and Technology created a framework,
and AWWA issued guidance that provided actionable steps to improve
cybersecurity. Now 10 years later we are still seeing water systems
facing increased cyber threats.
The EPA has now withdrawn their March 2023 cybersecurity rule
mandating that cybersecurity audits be part of the sanitary surveys;
how would the witnesses suggest the Government provide water systems
with the support, both financially and systematically, needed to
address the cybersecurity challenges immediately facing water systems?
______
Joint Statement of Dr. Amit Elazari, J.S.D., CEO and Co-Founder of
OpenPolicy, ISO/IEC 27402 Co-Editor and Lucian Niemeyer, CEO of
Building Cyber Security.org
Tuesday, February 6, 2024, 10 o'clock AM ET
Dear Chairman Garbarino, Ranking Member Swalwell, and distinguished
Members of the subcommittee, thank you for the opportunity to provide
this written testimony for the record. We appreciate your leadership
and attention to these critical matters, as well as oversight on the
key role CISA plays in this domain. My name is Dr. Amit Elazari, and
I'm the CEO and co-founder of OpenPolicy. I'm the former head of
cybersecurity policy at Intel Corp. and served as a co-editor of an
international standard on IoT Security, ISO/IEC 27402 (2023) for
Security Baseline Requirements. I am joined by the Honorable Lucian
Niemeyer, who served 11 years on the Senate Armed Services Committee
professional staff, and then as a Senate-confirmed assistant secretary
of defense responsible for the management of the Department of
Defense's facility, energy, and environmental programs. He also served
in the White House Office of Management and Budget. Based on his work
in DoD mitigating cyber threats to operational technologies in defense
assets, he currently runs a national non-profit organization,
BuildingCyberSecurity.org, committed to enhancing human cybersecurity
and physical safety in the built environment through the implementation
of performance frameworks tailored for critical infrastructure sectors.
By way of background, OpenPolicy is the world's first policy
intelligence and engagement technology platform, aiming to democratize
access to policy engagement for entities of all sizes, by leveraging
scale and technology. OpenPolicy collaborates with, and represents
leading innovative companies that develop cutting-edge technologies for
cybersecurity and AI. Members of OpenPolicy include some of the world's
leading IoT, OT, bot-net prevention and supply chain security companies
such as Armis, Human Security, FiniteState, Cybeats, and more.
OpenPolicy engages extensively on product, internet of things
(``IoT''), and Operational Technology (``OT'') cybersecurity policy
issues, globally, including on related efforts such as the FCC IoT
Cyber Trust Mark,\1\ DHS CISA Secure by Design, NIST security
guidelines development, the European Cybersecurity Resilience Act, and
more. We are also engaged in standards development initiatives. In
these engagements, we aim to represent the voice of innovative
companies that stand at the forefront of developing solutions to
address emerging threats, and we strive to focus on actionable policy
recommendations to advance our collective goal to secure and protect
the Nation.
---------------------------------------------------------------------------
\1\ See, OpenPolicy, News and events, https://openpolicygroup.com/
news-and-press-release. See also OpenPolicy statement at the launch
event, at https://www.youtube.com/watch?v=OMXQMsKSOXw.
---------------------------------------------------------------------------
As extensive hearings and reporting, including in front of your
subcommittee showcased--we are at an unprecedented level of risk to our
way of life from cyber threats. The threats on the OT environment,
including on the critical infrastructure sectors of water, grid, ports,
hospitals, and transportation systems have been broadly documented, and
the threat landscape--fueled by the use of AI by the adversaries--
expands each day exponentially.\2\ We must take action now to address
the threats that OT, IoT, and unsecure assets pose to our Nation. The
unique challenges of risk to the operational technologies in our
national infrastructure pose a direct threat to the lives, safety, and
health of every American. A catastrophic cyber attack to a water system
can be carried out from a keyboard anywhere in the world on a moment's
notice. We cannot continue to treat this threat similar to the manner
we address data breach risk or attacks. Attacks to OT can kill people.
---------------------------------------------------------------------------
\2\ See Armis, https://www.armis.com/anatomy-of-cybersecurity,
recent report showing that cybersecurity attacks more than doubled in
2023, and utilities were the most at-risk industry, with attacks
increasing over 200 percent. See also Human Security, https://
www.darkreading.com/vulnerabilities-threats/badbox-operation-targets-
android-devices-in-fraud-schemes (surveying recent threats in IoT
devices).
---------------------------------------------------------------------------
The President's National Security Telecommunications Advisory
Committee, ``Information Technology and Operational Technology
Convergence Report,''\3\ described such threats, alongside the detailed
reporting and testimonies of security experts to this committee.\4\
These testimonies elaborated on the urgent need to consider the threats
on OT, in conjunction with the broader IoT and unmanaged asset risk,\5\
at the core of this threat convergence moment. Industry leaders
articulated, at length, the need to move forward from legacy (from a
solution or threat landscape)-focused guidelines and programs to more
holistic policies for comprehensive contextual mitigation, that scale
beyond IT.\6\ Recently, Federal Guidance of OMB and FISMA 2024 \7\
priorities, building on the IoT Cybersecurity Improvement Act,
prioritized holistic IoT and OT inventory asset and intelligence, and
actions to increase IoT device security protection, for Federal
agencies. Leading experts testifying today have provided extensive
evidence on the record on the threats posed specifically for the Water
System and in OT environments, and the current inability of the Water
Sector to address such threats.
---------------------------------------------------------------------------
\3\ See, NSTAC report to the President, ``Information Technology
and Operational Technology Convergence'' https://www.cisa.gov/sites/
default/files/publications/NSTAC%20IT-OT%20Convergence%20Report%20508%20Compliant_O.pdf
(NSTAC report).
\4\ See Dragos's testimony for the Subcommittee on Cybersecurity
and Infrastructure Protection entitled, ``Securing Operational
Technology: A Deep Dive into the Water Sector'', under the section
``The Cyber Threat Landscape for OT Has Shifted Irreversibly'',
https://homeland.house.gov/wp-content/uploads/2024/02/2024-02-06-CIP-HRG-
Testimony.pdf.
\5\ See Armis's testimony for the Subcommittee on Cybersecurity and
Infrastructure Protection hearing entitled ``Evaluating CISA's Federal
Civilian Executive Branch Cybersecurity Programs'' regarding automated
threats from US adversaries, https://homeland.house.gov/wp-content/
uploads/2023/09/2023-09-19-CIP-HRG-Testimony.pdf.
\6\ Stated in Armis's testimony, id., ``[t]he introduction of
unmanaged devices and operational technologies present challenges that
cannot be addressed with legacy models and legacy technology. Present-
day challenges and national security threats are now implementing AI
and automated capabilities to identify the weakest link in the chain.
Automated threats from U.S. adversaries requires automation and
scalability delivering prioritization of cyber defense operators.''
\7\ See OMB's ``Fiscal Year 2024 Guidance on Federal Information
Security and Privacy Management Requirements'' under the section of
``IoT Inventory'' https://www.whitehouse.gov/wp-content/uploads/2023/
12/M-24-04-FY24-FISMA-Guidance.pdf (referring to NIST SP guidance 800-
213A, requiring a broad array of on-device and process controls).
---------------------------------------------------------------------------
Last week, the Nation's cybersecurity Government leadership further
testified at length on Chinese threats and their effective infiltration
of critical infrastructure we collectively rely on, an active and
actionable threat to many U.S. human lives. They elaborated that any
path to mitigation requires a holistic, resourced, collective effort of
industry and Government. In the words of the director of the Federal
Bureau of Investigation, Christopher Wray, ``[l]et's be clear: Cyber
threats to our critical infrastructure represent real world threats to
our physical safety.'' The director of CISA, Ms. Jen Easterly further
added, ``Imagine . . . [people] start getting sick from polluted water
. . . an everything, everywhere all at once scenario''.\8\
---------------------------------------------------------------------------
\8\ See FBI Director Christopher A. Wray testimony in front of the
House Select Committee on the Chinese Communist Party's hearing
regarding Chinese cyber attacks against the U.S. https://
www.youtube.com/watch?v=W-MpWmGg5Kw.
---------------------------------------------------------------------------
The threats are clear and immediate--immediate Congressional action
paving the path to OT, IoT and Critical Infrastructure resilience--
building on public-private partnership, but equipped with resources,
measurements, and accountability is needed. Specifically, because OT--
IT convergence creates technology and threat complexity, we believe a
thoughtful, streamlined, and simple approach for policy making and
guidelines development is needed. With this in mind, we would like to
offer several policy recommendations for this honorable subcommittee
consideration:
Cyber risk to IOT, OT, and their connected IT in water
systems must be considered by both commercial and public
entities as a national human safety issue. Programs and
investments to protect water systems from cyber threats can no
longer be optional. Just as we address safety in the design and
operation of mechanical and electrical systems in water
systems, cyber safety must be formally established as an
engineering Standard of Care. All water quality safeguards and
standards must include cyber protections at the IT/OT
interface, the OT/water interface, and be evaluated with new
technologies to ensure the water leaving a treatment facility
is safe for consumption.
Critical Infrastructure sector guidelines for cybersecurity
must adopt thoughtful incentives to increase measures adoption,
focus on mitigation beyond visibility and promote consistency
with comprehensive programs for IoT, OT, and product security
threat mitigation such as, the implementation of the IoT
Cybersecurity Improvement Act (``IoT Law''), FISMA 2024
guidance, and CISA ``Secure-by-Design'' effort. The NSTAC
report outlined at great length how the adoption of such
measures can take shape, and we agree with Tenable's prior
testimony on the matter, that broader incentives are required
to increase the adoption of security baseline measures, and
that these must align with NIST and agency guidelines, but also
be adapted to address the threat (OT and IoT).\9\
---------------------------------------------------------------------------
\9\ See, Tenable testimony for the Subcommittee on Cybersecurity
and Infrastructure Protection hearing ``Securing Operational
Technology: A Deep Dive into the Water Sector'', under policy
recommendations, ``[e]stablish baseline cybersecurity requirements or
standards of care for critical infrastructure that align with CISA's
Cross-Sector Cybersecurity Performance Goals, international standards,
and the NIST CSF, based on effective cyber hygiene and preventive
security practices.'' https://homeland.house.gov/wp-content/uploads/
2024/02/2024-02-06-CIP-HRG-Testimony.pdf.
---------------------------------------------------------------------------
Despite the on-going release of ``guidance'' for OT and IoT
security, additional measures are needed to promote private
sector, Federal agencies and critical sector operators'
adoption of solutions, accountability, and resilience. These
can be done via thoughtful procurement incentives that further
reduce regulatory duplicity, similar to the IoT Law. For
example, funds allocated to technology modernization,
procurement, and grants should be accompanied by robust
measurements of security control adoption (and on-going
adherence), that prioritize innovative solutions that address
the current threats. Any further investment into the Water
sector (and other critical infrastructure sectors) should
reduce, not increase the growing security OT and IoT technical
vulnerability debt. This approach is also recognized in other
efforts, such as the CHIPS Act, where funding and grants
require illustration of approaches to address cybersecurity
threats.
Pilot programs combining solutions with run-time threat
intelligence monitoring, can support control adoption,
compliance, and scale public-private partnership as well as
regulatory adherence. We elaborated on how such a program can
support the voluntary ``IoT cyber trust mark'' and believe a
similar, technology-first, governance program can be used in
this context.\10\
---------------------------------------------------------------------------
\10\ See Open Policy Ex Parte, IoT Cyber Trust Mark, from Jan. 30,
2024 https://www.fcc.gov/ecfs/document/10202218608991/1.
---------------------------------------------------------------------------
Existing Binding Operational Directives and programs such as
BOD 23-01, the TMF, and COM program, need to be adapted to
comprehend holistic unmanaged assets threats and the nature of
OT/IoT convergence, to allow faster deployment of innovative
solutions. This direction is further consistent with agency
requirements to address IoT on-device threats and prior
recommendations made on the record as well as the NSTAC
proposal. CISA should have proper resources to support such
adjustments to the programs, and to manage them.
More broadly, the holistic threat of OT and IoT should also
be addressed as part of any key cyber risk mitigation effort
supported by the Government, including controls required under
procurement guidance.\11\ Examples of such guidance include the
revision of the NIST Cyber Security Framework (CSF 2.0), the
CMMC 2.0 effort, and requirements under the Cyber EO (14028)
including the ZTA framework itself, which currently do not
address OT/IoT threat mitigation controls in a comprehensive
(or partial) manner.\12\ Such efforts tend to outline
enterprise, cloud, and IT protection controls in isolation from
OT/IoT. While forging coherence between OT, IoT, and IT risk
and mitigation in key guidance documents applicable to the
Federal sector, critical infrastructure operators and the
private sector, is a difficult and complex task--we must start
paving that path instead of furthering the OT-IT divide--
especially in regulatory and policy guidance, and given action
taken globally (see, e.g., The EU Cyber Resilience Act). In
support of broad industry adoption and innovation development,
guidelines and control development must remain outcome-focused
and vendor/technology agnostic, and follow consensus-based,
transparent, stakeholder engagement processes to develop
requirements (even in cases of requirements that are not
developed by NIST).
---------------------------------------------------------------------------
\11\ As CISA recognized in its Water security guidance, A key
challenge to the cyber resilience of the Water Sector, and arguably
additional OT sectors, is ``governance and regulation [which involves]
a mix of Federal and State, local, Tribal, and territorial
authorities''. See also NSTAC report, supra. Notably, while we agree
with the recommendation for ``enhanced OT specific cybersecurity
procurement language and ensure all USG OT procurements include
cybersecurity provisions'' we believe it must be accompanied with ample
funding and take an holistic approach to OT and IoT threats as we
describe above.
\12\ See also NSTAC Report, supra, ``Recommendation: Extend
existing Federal zero trust guidance into OT where applicable''.
---------------------------------------------------------------------------
Requirements for SBOM and asset inventory production already
exist, under both IoT and IT guidelines, such as the IoT
Cybersecurity Improvement Act and the Cyber EO (14028). Such
SBOM requirements and accompanying supply chain risk mitigation
must be prioritized, consistent with MITRE recommendations.\13\
Supply chain mitigations can be implemented through tailored
adoption of the IEC/ISA standard 62443 and ISASecure \14\
developed by the manufacturers of operational technologies for
global adoption, among others.
---------------------------------------------------------------------------
\13\ See MITRE, testimony, supra note 4.
\14\ ISASecure--IEC 62443 Conformance Certification--Official Site.
---------------------------------------------------------------------------
While efforts to create a regulatory EPA regime to support
cybersecurity adequacy for controls progress, a voluntary pilot
program, with CISA and industry, scaled by the latest
technologies can shed light on the state of the adoption of
measures under the Water Sector Action Plan and state of
adoption of measures. The program can support threat-
information sharing and run-time intelligence gathering on IoT
and OT threats posed in these environments, taking a holistic
approach as we described above, building on existing efforts
outlined by MITRE and Dragos on the record. This pilot can
further support on-going Government initiatives such as the IoT
Cybersecurity Improvement Act implementation.
Higher levels of grant funding need to be allocated to
prioritize IoT and OT Security measures adoption and such pilot
programs, and participation thereof can be valued as part of
grant/modernization fund allocation. This approach mirrors the
policy approach taken in the IoT Cyber Trust Mark--where
voluntary incentives allow for gradual adoption of baseline
security measures while fostering accountability and
transparency.
The establishment of an independent oversight and regulatory
agency for the water sector security and safety must be
informed by an holistic assessment of the effectiveness,
timeliness, and responsiveness of Critical Infrastructure
Standards \15\ (CIP) implemented by the North American Electric
Reliability Corporation (NERC) development. A new agency would
need to have the flexibility to quickly respond to emerging OT
cyber threat advisories issued by CISA and to translate into
affordable and effective direction to the water industry. NERC
CIP standards do not currently have that flexibility and
revisions are under way to credit utilities for their own
implementation of protections above and beyond CIP guidance. An
existing water association or standards/framework organization
would have the ability to bring the water industry and
Government agencies together to develop and implement effective
measures for both large and small water systems that are
consistently informed by the evolving cyber threat.
---------------------------------------------------------------------------
\15\ Reliability Standards (nerc.com).
---------------------------------------------------------------------------
We urge the honorable subcommittee to take comprehensive action
now, so we do not allow the adversaries to seize any further advantage
due to programmatic gaps--either in approach, resources, scope, or
budget.
While we must continue and survey threats and increase visibility,
action is needed to drive resilience and mitigation. Building on the
existing DHS CISA agency work, the body of policy recommendations on
the record, and founded on persistent public-private partnership--a
more holistic path toward enhancing the adoption of OT and IoT
protection measures, increasing measurements and governance, and
outlining a flexible, vendor-neutral cohesive policy roadmap--with
accompanying resources--is needed to protect the Nation.
We thank you again for your leadership and consideration.
______
Statement of NACWA
February 6, 2024.
The Honorable Andrew Garbarino,
Chairman, Subcommittee on Cybersecurity and Infrastructure Protection,
Committee on Homeland Security, U.S. House of Representatives,
Washington, DC 20515.
The Honorable Eric Swalwell,
Ranking Member, Subcommittee on Cybersecurity and Infrastructure
Protection, Committee on Homeland Security, U.S. House of
Representatives, Washington, DC 20515.
RE: Perspectives of Public Clean Water Agencies and Professionals on
Securing the Operational Technology of America's Water Sector Utilities
Dear Chairman Garbarino and Ranking Member Swalwell: On behalf of
the National Association of Clean Water Agencies (NACWA) and the Water
Environment Federation (WEF), we thank you for holding today's hearing
of the House Homeland Security's Cybersecurity and Infrastructure
Protection Subcommittee on Securing Operational Technology: A Deep Dive
into the Water Sector.
NACWA represents public wastewater and stormwater agencies of all
sizes nationwide, with more than 350 public agency members. WEF serves
as the not-for-profit technical and educational organization of 35,000
individual members and 75 affiliated Member Associations representing
water quality professionals worldwide.
Properly treated and managed wastewater and stormwater are
essential in protecting both public health and the environment. With
more than 16,000 publicly-owned treatment works (POTWs) throughout the
Nation that treat more than 75 percent of America's wastewater, public
clean water agencies play a prominent role in protecting the public by
treating billions of gallons of the nation's wastewater. To ensure
continuity of treatment while cyber threats continue to target
America's critical infrastructure, efforts must be made to provide
public utilities with robust voluntary resources to better protect
themselves from cyber attacks.
Many utilities have taken proactive steps to improve their
cybersecurity, investing their limited ratepayer funds to protect their
infrastructure and operations. NACWA and WEF are very appreciative of
the extensive resources that already exist at the Federal level:
The Cybersecurity and Infrastructure Security Agency (CISA)
provides free vulnerability scanning services for utilities and
resources, such as guidance on best practices, the Cyber
Security Evaluation Tool, and vulnerability alerts and updates.
The U.S. Environmental Protection Agency (EPA) provides free
technical assistance and cybersecurity assessment resources.
The National Institute of Standards and Technology (NIST)
provides many best practice resources, including the NIST
Cybersecurity Framework.
In addition to these resources, several water sector organizations
have developed additional tools for utilities to better prepare against
cyber threats:
The Water Information Sharing and Analysis Center
(WaterISAC), a non-profit organization comprised of water and
wastewater utility managers and administrators, provides up-to-
date alerts, information, and analysis specifically for the
water sector and is managed by the Association of Metropolitan
Water Agencies (AMWA).
The American Water Works Association (AWWA) has developed a
Cybersecurity Assessment Tool and Guidance, which assists water
sector utility operators on how best to implement applicable
cyber controls based on the NIST Cybersecurity Framework that
can significantly reduce a utility's vulnerability to a cyber
attack.
Congress can help support clean water agencies in their efforts to
leverage existing resources and improve cybersecurity in a variety of
ways, including:
The Energy and Commerce Committee should act favorably on
H.R. 1367, the Water System Threat Preparedness and Resilience
Act of 2023, to offset the cost of WaterISAC membership for
eligible utilities and help water systems be more aware and
prepared for cyber attacks.
Congress can require wastewater utilities to conduct risk
and resilience assessments, including cyber vulnerability
assessments, like those required for drinking water utilities
under America's Water Infrastructure Act (AWIA) of 2018, and
provide funds for small- and medium-sized utilities to conduct
these assessments.
In addition, Federal agencies should be encouraged to work with
utilities and water sector associations to improve cybersecurity in a
variety of ways that include:
EPA, CISA, and WaterISAC should work with the vendors and
contractors supplying equipment to the clean water sector to
ensure that their products and services are set up and
maintained appropriately to ensure that they are secure,
including communicating to and training utility staff on best
practices.
EPA and CISA should continue providing Federal support to
help prevent attacks through training, cybersecurity services,
technical assessments, and pre-attack planning and continue
providing an incident response to assist the sector in reducing
the scale and duration of impacts if attacked. The agencies
should consider collaborating with NACWA and WEF to develop
additional guidance documents and resources to help clean water
utilities understand and implement cybersecurity best
practices.
Speed, flexibility, and responsiveness are critical in the
rapidly-evolving world of cybersecurity. Encouraging public
utilities to use existing tools, resources, and best practices
will improve resilience to cyber attacks faster than cumbersome
regulatory structures enacted by Federal agencies or a third-
party entity.
Last, as many clean water utilities are already fully engaged in
improving and maintaining existing cybersecurity protocols, NACWA and
WEF firmly believe that allowing clean water utilities to improve their
cybersecurity voluntarily, rather than implementing a direct or third-
party quasi-regulatory system, is the best approach for wastewater
utilities for a variety of reasons that include:
Developing a regulatory approach for clean water utilities,
such as third-party oversight within EPA, will take years, and
a one-size-fits-all approach to cybersecurity will not provide
for innovative, collaborative, cross-sector approaches for
developing, designing, and implementing successful
cybersecurity programs in the sector.
Clean water utilities can leverage existing resources
immediately rather than waiting to see what regulations are
finalized to avoid taking measures that may be duplicative or
not meet the requirements of potential regulations.
Since clean water utilities may be part of city or county
government that are already subject to State cybersecurity
requirements, a voluntary approach to cybersecurity allows
flexibility for utilities to develop cybersecurity approaches
and practices that meet their needs and that can be developed
in line with best practices from other brother/sister utilities
and city/county departments.
NACWA and WEF thank the subcommittee for the opportunity to submit
comments. We look forward to working with your members on Federal
policies that maintain and provide clean water utilities with resources
that will provide speed, flexibility, and responsiveness to adapt to
cybersecurity threats. Encouraging public utilities to use existing
tools, resources, and best practices will improve resilience to cyber
attacks.
If you have any questions, please have your staff contact Matt
McKenna ([email protected]) or Steve Dye ([email protected]).
Sincerely,
Nathan Gardner-Andrews,
Chief Advocacy & Policy Officer, National Association of Clean
Water Agencies.
Steve Dye,
Senior Director, Government Affairs, Water Environment Federation.
______
Letter From Association of Metropolitan Water Agencies
February 6, 2024.
The Honorable Andrew Garbarino,
Chairman, Subcommittee on Cybersecurity and Infrastructure Protection,
U.S. House of Representatives, Washington, DC 20515.
The Honorable Eric Swalwell,
Ranking Member, Subcommittee on Cybersecurity and Infrastructure
Protection, U.S. House of Representatives, Washington, DC
20515.
Dear Chairman Garbarino and Ranking Member Swalwell: The
Association of Metropolitan Water Agencies (AMWA) appreciates the
opportunity to submit this statement for the record of today's hearing
on ``Securing Operational Technology: A Deep Dive into the Water
Sector.'' AMWA's members provide quality drinking water to more than
160 million Americans from coast to coast, and the threat of cyber
intrusions and malicious attacks is a growing concern to these water
systems as well as other critical infrastructure owners and operators.
We commend the subcommittee for looking into this important issue.
As we recently testified before the House Subcommittee on
Environment, Manufacturing, and Critical Materials,\1\ drinking water
systems represent an attractive target for cyber attackers, and a
successful attack could not only threaten water quality and public
health, but also undermine Americans' confidence in their drinking
water nationwide. The recent breach of an industrial control system
device at Pennsylvania's Municipal Water Authority of Aliquippa,\2\
along with those at several other water systems, was just the latest
example of why utilities of all sizes must remain on guard against
cyber intrusions.
---------------------------------------------------------------------------
\1\ https://www.amwa.net/testimonycomments/amwa-testimony-house-
subcommittee-hearing-cybersecurity.
\2\ https://industrialcyber.co/industrial-cyber-attacks/iranian-
hacker-group-cyberav3ngers-allegedly-breach-municipal-water-authority-
of-aliquippa/.
---------------------------------------------------------------------------
Given the complexity of the issue, it is essential that
stakeholders and the Federal Government maintain open lines of
communication and pursue cooperative approaches to closing cyber gaps.
While drinking water systems will primarily work through EPA in its
capacity as the Sector Risk Management Agency for the Water and
Wastewater Systems Sector, our members also value the guidance and
tools offered by Cybersecurity and Infrastructure Security Agency
(CISA) to help water systems remain cyber-secure.
As members of this subcommittee, along with their colleagues in
Congress, explore ways to help water systems improve their cyber
posture, AMWA believes it would be especially valuable to focus efforts
on expanding participation in existing resources like WaterISAC, and
leveraging sector-based expertise to expose water systems to
appropriate cyber best practices.
promote participation in existing resources like waterisac
The Water Information Sharing and Analysis Center, or WaterISAC,
was established in 2002 with seed money from the Federal Government and
subsequent congressional appropriations. One of two dozen ISACs
operating across the nation's critical infrastructure sectors,
WaterISAC annually issues hundreds of advisories, maintains a portal
for water utility members, and hosts webinars and threat briefings. The
center also receives incident reports and conducts threat analyses to
help water and wastewater utilities stay ahead of the threat curve.
AMWA has a management agreement through which it operates WaterISAC on
behalf of the water sector.
WaterISAC's membership is comprised of water and wastewater
utilities that serve about 60 percent of the U.S. population. The
center is funded exclusively through member dues, and although these
dues are structured on a sliding scale based on system size--with the
smallest water and wastewater systems able to join for little more than
$100 annually--WaterISAC faces challenges in connecting with the
thousands of water and wastewater systems across the country. At
present, only about 400 of the nation's nearly 50,000 community water
systems and 16,000 wastewater systems are WaterISAC members that enjoy
full access to the complete library of threat and vulnerability alerts,
subject matter expertise, and other information. Lacking access to
these essential resources could prove detrimental to a water system in
a time of crisis.
In recent years Congress has recognized the value of expanding
access to ISACs serving other critical infrastructure sectors. For
example, the Infrastructure Investment and Jobs Act of 2021 authorized
a new Energy Department program to expand bulk power systems' access to
the ISAC serving the Electric Sector.\3\ AMWA has endorsed legislation
that would direct EPA to similarly support water systems' access to
WaterISAC,\4\ but we would be eager to explore if there could be a role
for the Department of Homeland Security to help raise awareness of, and
offer support for, participation of the ISACs serving water and other
critical infrastructure sectors.
---------------------------------------------------------------------------
\3\ P.L. 117-58, Section 40125(c).
\4\ https://www.amwa.net/letter/letter-support-water-system-threat-
preparedness-and-resilience-act.
---------------------------------------------------------------------------
leverage sector-based expertise to expose water systems to appropriate
cyber best practices
Currently there is a wealth of information available to water
systems aiming to improve their cyber defenses. For example,
WaterISAC's free 15 Cybersecurity Fundamentals for Water and Wastewater
Utilities is a menu of best practices for the protection of information
technology and industrial control systems. First published in 2012 and
most recently updated in 2019, the 15 Fundamentals recommend
straightforward but sometimes overlooked tasks like enforcing user
access controls and performing asset inventories. Other recommendations
in the guide address vulnerability management and creating a
cybersecurity culture.\5\
---------------------------------------------------------------------------
\5\ The complete list of 15 water sector cybersecurity
fundamentals, available at waterisac.org/fundamentals, consists of: 1.
Performing Asset Inventories, 2. Assessing Risks, 3. Minimizing Control
System Exposure, 4. Enforcing User Access Controls, 5. Safeguarding
from Unauthorized Physical Access, 6. Installing Independent Cyber-
Physical Safety Systems, 7. Embracing Vulnerability Management, 8.
Creating a Cybersecurity Culture, 9. Developing and Enforcing
Cybersecurity Policies and Procedures, 10. Implementing Threat
Detection and Monitoring, 11. Planning for Incidents, Emergencies, and
Disasters, 12. Tackling Insider Threats, 13. Securing the Supply Chain,
14. Addressing All Smart Devices, 15. Participating in Information
Sharing and Collaboration Communities.
---------------------------------------------------------------------------
Another key resource available to the sector is CISA's
vulnerability scanning tool, a free service that allows utilities and
other industrial control system operators to scan their networks for
known vulnerabilities, weak configurations, and suboptimal security
practices.\6\ The National Institute of Standards and Technology (NIST)
offers a cybersecurity framework featuring an inventory of existing
standards, guidelines, and practices for water systems and other
network-connected organizations to manage and reduce cybersecurity
risk.\7\
---------------------------------------------------------------------------
\6\ https://www.cisa.gov/resources-tools/services/cisa-
vulnerability-scanning.
\7\ https://www.nist.gov/cyberframework.
---------------------------------------------------------------------------
Last month EPA, CISA, the FBI, and other Federal partners
collaborated with water sector stakeholders to release the Incident
Response Guide for the Water and Wastewater Systems (WWS) Sector.\8\
The document provides information about Federal support available to
water and wastewater systems throughout the incident response process
and features a range of measures that drinking water and wastewater
systems may choose to adopt to improve their cyber posture.
---------------------------------------------------------------------------
\8\ https://www.cisa.gov/resources-tools/resources/water-and-
wastewater-sector-incident-response-guide-O.
---------------------------------------------------------------------------
Through these and other resources, water system owners and
operators have a range of opportunities to identify cybersecurity
strategies that can strengthen the defenses of their information
technology and operational control systems. Unfortunately, too many of
the nation's 50,000 community water systems lack the appropriate
personnel to make sense of these tools or the funding to put them into
action.
In AMWA's testimony last month before the Environment,
Manufacturing, and Critical Materials Subcommittee the association
offered to work with Congress to explore ways to encourage all the
nation's community water systems to adopt appropriate cybersecurity
best practices through a tiered, risk-based program led by water sector
experts, and overseen by EPA in its capacity as the Water and
Wastewater Sector's Sector Risk Management Agency. We also urged the
panel to avoid prescriptive, one-size-fits-all Federal mandates that
may not lead to workable outcomes for many of the nation's thousands of
community water systems.
As these discussions continue, we would welcome the opportunity to
work with you to explore how CISA may be able to support these efforts
to connect water sector stakeholders with appropriate cyber resources.
conclusion
Thank you for the opportunity to submit this statement for the
record of today's hearing, and we look forward to working with you to
increase the cyber preparedness and resilience of the nation's water
systems.
Sincerely,
Tom Dobbins,
Chief Executive Officer.
Mr. Swalwell. Yield back.
Chairman Garbarino. Thank you for the valuable testimony
and the Members for their questions today.
Members of the subcommittee may have some additional
questions for witnesses, and we would ask the witnesses to
respond to these in writing. Pursuant to committee rule VII(D)
the hearing record will be held open for 10 days without
objection.
The subcommittee stands adjourned.
[Whereupon, at 11:35 a.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions From Chairman Andrew Garbarino for Robert M. Lee
Question 1a. From your perspective, what more can CISA do to lead
the way on OT security as the Sector Risk Management Agency (SRMA) for
8 critical infrastructure sectors?
Answer. I testified that when Government partners closely with the
private sector and uses their expertise, we achieve better outcomes.
CISA has an important role in bringing together industry and Government
experts to help all sectors, including those 8 for which they are the
SRMA, to identify and address risks to OT security. The establishment
of the Joint Cyber Defense Collaborative (JCDC) as a center to work
directly with industry to prioritize and address cross-sector,
strategic threats to our critical infrastructure was an important first
step.
We also know that adversaries are targeting not just IT systems of
our Nation's critical infrastructure, but also industrial control
systems (ICS) and operational technology (OT), or the specialized
networks that interact with the physical environment, such as a control
system that opens a circuit breaker on an electric substation or a gas
turbine control system that generates electricity. They are what makes
critical infrastructure critical. So, it was important that the CISA
also stood up an OT-specific group within the JCDC to address ICS/OT
threats because these networks are distinct from IT networks and
require a different approach to protecting them, including different
controls. Analyzing threats to ICS/OT and developing mitigations also
requires a unique set of subject-matter experts that have experience
operating in those environments. This makes it even more essential for
CISA and other agencies to collaborate with industry, because many of
those experts operate critical infrastructure, or come from
cybersecurity vendors or original equipment manufacturers (OEMs).
However, CISA, the JCDC and its OT group must continue to evolve. The
structures are in place; now they need to mature in how they deliver
value and information back to industry.
To be most effective, CISA must operate at the strategic level
providing focused and strategic guidance to industry based on the
scenarios and threats that are most likely, or most important.
Organizations can't protect against everything, or invest in every
possible control. Especially in ICS/OT environments, CISA must identify
priorities and define what threats and scenarios organizations need to
protect against. They must also share with industry why these
threats or scenarios are prioritized. Then, industry owners/operators
can work with their vendors and suppliers to determine how to best
implement in their environments.
Question 1b. What more can CISA do to support the prioritization of
OT security at SRMAs like the Department of Energy (DOE) and
Environmental Protection Agency (EPA)?
Answer. I testified that critical infrastructure owners and
operators would be best served by a unified voice from government on
priorities. CISA can work with other SRMAs, such as DOE and EPA, to
deliver priorities and requirements to industry in a streamlined and
unified way. Similar to the Fact Sheet on Top Cyber Actions for
Securing Water Systems and the Incident Response Guide that CISA, DOE
and the FBI released last month, multi-seal, coordinated documents help
to streamline the way operators receive information. They can spend
their time on mitigations and addressing risk, rather than sifting
through multiple guidance documents and trying to determine priorities.
It is also absolutely essential that these documents are informed by
industry and not developed in a Government vacuum. Especially when it
comes to ICS/OT, much of the subject-matter expertise lies within the
sector owners and operators and the vendors who partner with them.
An additional way that CISA can partner with agencies like DOE and
EPA is on sector-specific exercises. Once organizations have incident
response plans in place, it is important to test them under blue sky
conditions, alongside Government and industry partners. CISA should be
a participant in well-established sector-specific exercises, such as
GridEx, to test how to better streamline Government interactions with
operators during an incident. They can also work with agencies, such as
EPA, to develop exercise capacity for the sector. Exercise design
should include targeting of and impact to OT systems.
Question 2a. How is information shared between the organizations
and Federal agencies that monitor threats, and water and wastewater
utility providers?
Answer. Currently, cyber threat information for the water and
wastewater sector is shared through a variety of ways. Water and
wastewater providers provide information to a number of different
agencies, including their FBI field office, EPA, CISA, and others.
Organizations may also reach out to or seek information via the Water
Information and Analysis Center (ISAC) and trade associations, as well
as vendors, such as Dragos. Many water and wastewater providers
are simply too small to have staff proactively engage with any of these
organizations on a regular basis. This is an area where EPA and CISA
regional programs can help fill a gap.
Question 2b. Is this information meeting the sector's needs to
respond to threats?
Answer. Particularly when it comes to ICS/OT, it is not a matter of
how much information is available, but instead ensuring that
organizations have access to prioritized threat information, with
recommended actions and mitigation measures. CISA can help by making
sure this information is prioritized and actionable. For example,
Dragos analyzes vulnerability advisories associated with ICS/OT
environments and prioritizes them. In 2023, Dragos analyzed 531
advisories and found that 74 percent of vulnerabilities had no
mitigation when they were announced. Nineteen percent had no patch and
no mitigation. Dragos provided missing mitigation advice for 49 percent
of the advisories analyzed.\1\
---------------------------------------------------------------------------
\1\ Dragos 2023 ICS/OT Year in Review.
---------------------------------------------------------------------------
Question 2c. What processes are in place to ensure this information
can be shared with others, when appropriate? What can be done to
improve this flow of information?
Answer. CISA, along with other SRMAs and ISACs, have established
processes in place to ensure that information can be shared with
others, when appropriate. The need now is to make sure that the
information actually can be used by critical infrastructure
organizations to decrease risk and address threats and vulnerabilities.
CISA needs to be able to hire the technical expertise to contextualize
data from multiple sources to provide threat analysis and actionable
information to other Government partners, such as the SRMAs, and also
back out to industry. This will be especially important as they
implement the requirements in the Cyber Incident Reporting for Critical
Infrastructure Act of 2022 (CIRCIA). They need to be able to take in
all of the information reported, analyze it, and turn it back around to
industry with actionable insights and guidance.
Finally, those sharing information need to know that their
information is protected when they share with CISA or other Government
agencies. For example, Dragos' Neighborhood Keeper solution shares
threat intelligence at machine-speed across industries and geographic
regions. It can detect supply chain risks, vulnerabilities, and cyber
threats that need to be identified and remediated. It also ensures the
identities of participants are technologically irreversible from the
data to allow anonymous and secure sharing, including with Government
partners.
Questions From Chairman Andrew Garbarino for Charles Clancy
Question 1. How is information shared between the organizations and
Federal agencies that monitor threats and water and wastewater
utilities? Is this threat information meeting the sector's needs?
Answer. Response was not received at the time of publication.
Question 2. How do utilities share information about attacks they
experience with the appropriate Federal agencies and organizations so
that information can be shared with others? What can be done to improve
this flow of information?
Answer. Response was not received at the time of publication.
Questions From Chairman Andrew Garbarino for Kevin M. Morley
Question 1. In the first month of 2024, CISA released over 20
Industrial Control Systems (ICS) Advisories, alerting owners and
operators of mitigations for ICS vulnerabilities. The prevalence of
vulnerabilities within OT systems highlights how cyber risks threaten
the operation of U.S. critical infrastructure. Other than issuing
advisories and guidance, how can CISA encourage owners and operators to
build resilience into critical systems?
Answer. CISA's effort to identify vulnerabilities is an exceptional
value, however there are opportunities to improve uptake in the field.
Collaboration with the owner/operators that are directly impacted by
the vulnerability is essential to ensure that the message is properly
contextualized for the target audience. There are a few points that I
would like to make that influence engagement on the information
developed by CISA and provide opportunities for improvement.
Value.--The immediate notice of product-specific
vulnerabilities provides a very tactical level of information
that is foundational to supporting mitigation. This is
essential to provide a clear articulation of the vulnerability
for specific products that are often used across multiple
critical infrastructure sectors.
Unconscious competence.--The product-specific nature of many
advisories means they are written at a highly technical level.
This is necessary, but as a result they typically assume a
fairly high-level cybersecurity competency. This means that the
information is only accessible to a very specialized community
of interest that possess the skills needed to action the
information provided.
Volume and relevance.--Unfortunately because security was
often not a priority design consideration until the past
several decades or so, software vulnerabilities are constantly
being discovered. As a result, the sheer volume of notices and
advisories generated by CISA--through no fault of its own--can
be overwhelming. This volume becomes noise, especially for
entities that do not have sufficient in-house capacity to
monitor and assess the relevance to their operations.
Determining relevance is difficult absent an additional level
of screening that could more effectively signal the level of
priority for sector-specific applications that could be
impacted by the identified vulnerability. The latter can be
difficult; however, the vendor/manufacturer community should work
more closely with CISA to rate the relevance and risk of
various vulnerability alerts.
Recommended Action.--Bridging the knowledge transfer gap is the
challenge that requires a different level of collaborative engagement
with critical infrastructure owner/operators, product and technology
providers, and system integrators. Understanding where and how a
specific product is used is essential to properly contextualizing the
relevance of an advisory to various critical infrastructure sectors.
The absence of this information places the burden of discovery on the
end-user of the product that may or may not have in-depth understanding
of all the components that support their operations. Again, given the
frequency that CISA issues these notices the end-user community suffers
from information overload absent a clear mechanism to signal relevance.
A simple comparison would be the recall notices issued by the National
Highway Traffic Safety Administration. If an NHTSA notice only stated
that XYZ part was defective and omitted information about the specific
class of vehicles that used the part the burden would be on all vehicle
owners to determine the relevance. This would miss the safety objective
of the NHTSA recall notice. CISA needs to work with the stakeholder
community to provide a signal on the relevance to support the risk
management objective of the advisories. Collectively we need to make it
easier for the end-user to act on the mitigation guidance provided by
CISA by signaling relevance.
Question 2. It is important to prioritize security as critical
infrastructure owners and operators adapt to the convergence of IT and
OT systems. As IT systems continue to modernize, what more can the
Federal Government do to ensure the private sector can maintain the
security of legacy OT systems that are dependent on legacy IT systems?
Answer. The water sector lacks a dedicated funding program that is
targeted on supporting the replacement of legacy systems that have
inherent cybersecurity vulnerabilities. Currently authorized funding
programs managed by the U.S. Environmental Protection Agency, as well
as USDA, can be used for cybersecurity projects but must compete with a
wide array of needs. The absence of funding specifically to
address cybersecurity and transformation of legacy systems means the
digital divide will continue to widen as cyber adversaries expand their
capabilities.
The State and Local Cybersecurity Grant Program (SLCGP) managed by
CISA is in the early stages of deployment. While the cybersecurity
needs of drinking water and wastewater appear to be eligible, it
remains to be seen if any funding is awarded by States administering
the program to the water sector. While CISA has stated that
cybersecurity in the water sector is a high priority, the guidance
provided for SLCGP implementation provided no such prioritization
criteria to inform funding allocations by the State programs.
Therefore, the effectiveness of this program in addressing some of the
cybersecurity needs of water utilities is currently unknown.
A key challenge for the most disadvantaged systems is their
capacity to actually develop and submit a funding request to any of the
available programs. Technical assistance to support applications is a
key factor in overcoming the digital divide, which will continue to grow as
utilities with legacy systems face competing priorities to satisfy new
regulatory obligations on drinking water and wastewater operations that
strain budgets that are 100 percent dependent on ratepayers.
Finally, providing clearly-defined eligibility criteria for
cybersecurity activities is necessary to provide certainty on the
viability of existing funding programs or those developed in the future
to support implementation of various cybersecurity controls. Currently
there is a degree of uncertainty that may inhibit the effective
application of funding programs to support cybersecurity objectives.
EPA, USDA, and CISA should establish a workgroup with water utilities
to examine a series of prospective cybersecurity projects necessary to
properly address legacy systems, identify constraints with funding
program eligibility and what authorities may need to be changed to
support more effective application of the funds relative to water
utility needs and overall cybersecurity risk management objectives.
Recommended Action.--Establish dedicated funding to prioritize
replacement of legacy systems. This includes appropriating the funding
authorized in America's Water Infrastructure Act of 2018 that was
intended to support the risk and resilience management efforts of
drinking water systems.
Question 3. How is information shared between the organizations and
Federal agencies that monitor threats, and water and wastewater utility
providers? Is this information meeting the sector's needs to respond to
threats? What processes are in place to ensure this information can be
shared with others, when appropriate? What can be done to improve this
flow of information?
Answer. Improved functionality and collaboration between Federal
partners and water sector subject-matter experts via the WaterISAC is
essential to assess the applicability and relevance of cyber threat
information to water-sector stakeholders, including clarity on actions
to be taken. EPA and CISA should partner with the sector to expand
awareness of and access to these resources.
We recommend that CISA and EPA, as the Sector Risk Management
Agency (SRMA), work with partners like the WaterISAC and the Water
Sector Coordinating Council to properly contextualize threat
information prior to its release.
Recommended Action.--Establish a standard operating procedure for
the inclusion of subject-matter experts from the water sector community
(owner/operators, service providers, product developers) into the
review and development of threat alerts and advisories to ensure that
the information transmitted to the sector is concise, actionable, and
properly contextualized.
Questions From Chairman Andrew Garbarino for Marty Edwards
Question 1. Does the United States need a uniform security standard
that applies to water and wastewater utilities?
Answer. Response was not received at the time of publication.
Question 2. If so, what oversight mechanisms can be used to ensure
those standards are met?
Answer. Response was not received at the time of publication.