When shipping container company Maersk fell victim to a cyber attack in 2017, it cost the company around $300 million, disrupted operations for two weeks and briefly shut down the largest cargo terminal at the Port of Los Angeles. While not the only attack on operational technology (OT) over the past 10 years, it may have served as a wakeup call to federal agencies whose dependence on OT has become increasingly vulnerable as infrastructure evolved into more internet-based systems. In the years since the Maersk attack, agencies have taken notice, and put in place standards and processes to help keep the private sector secure.
At a recent meeting of the House Committee on Homeland Security, experts in OT admitted that vulnerabilities still exist, and there is not yet a firm timeline for solving the problems. The OT, which includes the control systems for industrial equipment and covers vast numbers of operating systems including dams, ports, fire control systems and building management systems, holds unique challenges for cybersecurity. Unlike creating cyber defense for the constantly modernizing world of information technology, OT frequently depends on aging infrastructure.
“The risk we have as a country in securing our OT control systems is extraordinary,” Eric Goldstein, executive assistant director for cybersecurity at the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, said at the hearing.
Goldstein said CISA started the joint cybersecurity defense collaborative industrial control systems (JCDC-ICS) group last April with the task of addressing OT concerns. Group members include manufacturers, integrators, security providers, owner-operators and device manufacturers.
“This group right now is working on a cyber defense plan focused on enhancing the efficiency, effectiveness and speed of sharing threat and vulnerability information across this broad ecosystem,” he said.
Although CISA already had a joint cybersecurity defense collaborative working group, adding vendors from the industrial controls sector brought in a level of expertise necessary for OT. Those private sector partners included GE, Honeywell, Nozomi Networks, Schneider Electric, Schweitzer Engineering Laboratories and Siemens, CISA stated in its April release.
In conjunction with CISA’s efforts to broaden support for OT cybersecurity, the National Institute of Standards and Technology, released its first public draft of itsGuide to Operational Technology (OT) Security. The guide looks at OT threats and vulnerabilities and it updates recommended security practices and risk management.
At the committee hearing, Vergle Gipson, a senior advisor for the Department of Energy’s Cybercore Integration Center at the Idaho National Laboratory, said OT can be harder to protect from attacks than IT because of how they are developed.
“Most IT is designed to be upgraded or replaced every three to five years. Software and firmware is frequently updated, and patches are routinely installed. On the other hand, operational technology is designed to last for decades, and is typically only updated if a noticeable failure occurs,” he said.
Even within the various sectors of operational technology, Gipson said there are differences in how much progress has been made toward security. The energy sector has taken steps toward improved security, especially nuclear safety.
“Modern nuclear reactors are incredibly safe,” Gipson said.
At the other end of the spectrum, water systems need to be made safer, he said.
CISA identified 16 critical infrastructure sectors that they consider vital to national interests and vulnerable to attacks. The defense of each sector is assigned to a specific agency, with DHS covering eight sectors including nuclear reactors, transportation, government facilities, dams and critical manufacturing. The Department of Defense bears responsibility for the defense industrial base sector, while the Environmental Protection Agency and Health and Human Services are designated as the sector risk management agencies for other sectors.
Goldstein said CISA plans to release performance goals starting in October that will address individual risks of the various sectors. The goals will be released in groups rather than all at once. This takes into account the elevated risk exposure of certain sectors.
“Certainly sectors like the dam sector, like critical manufacturing, given its diversity, and even emergency services are sectors where we know that adversaries have expressed interest,” Goldstein said.