NSTAC Report Urges More Focus on Critical Infrastructure Security
A new report by the President’s National Security Telecommunications Advisory Committee (NSTAC) says the Cybersecurity and Infrastructure Security Agency should require all federal agencies to maintain real-time inventories of all operational technology (OT) devices, software systems and other assets they use. NSTAC approved the recommendation as part of a report on “Information Technology and Operational Technology Convergence” during a meeting by telephone Tuesday. DOD already is required to maintain a similar inventory.
“As information and communications technologies become ever more critical to our daily lives, how we set security requirements, prove compliance with those requirements and communicate that proof to users and regulators is of great concern,” said NSTAC Vice Chair Scott Charney, Microsoft vice president-security policy. The process “has not worked well and can be improved,” he said.
The threat is growing, said Jack Huffard, co-founder of cybersecurity company Tenable and chair of the IT/OT Convergence Subcommittee. Huffard cited an incident last year in which a hacker broke into a water treatment plant in Oldsmar, Florida, and tried to poison the water supply of an entire city, and the Colonial Pipeline ransomware attack, which disrupted fuel supply to 45% of the Eastern U.S.
Russia’s invasion of Ukraine raised the level of threat to critical infrastructure in countries that support Ukraine, including the U.S., Huffard said. The convergence of OT and IT systems has been underway for decades but creates “clear and present cyber exposure challenges that require attention,” he said: “We have the technology and knowledge to secure these systems, but we have not prioritized the resources required.”
“An up-to-date inventory should be required as part of each department or agency’s annual budget process,” the NSTAC report said: “Once federal agencies clearly understand the vast and interconnected nature of their OT devices and infrastructure, they can then make risk-informed decisions about how to prioritize their cybersecurity budgets to best protect the most consequential of those assets.”
The report urges CISA to “develop guidance on procurement language for OT products and services, and for products and services that support converged IT/OT environments, to incentivize the inclusion of risk-informed cybersecurity capabilities, including for supply chain risk management.” This guidance “should also help organizations understand best practices for bolt-on security for legacy OT devices that are difficult or expensive to replace.”
The National Security Council, CISA and the Office of the National Cybersecurity Director should work together to “prioritize the development and implementation of interoperable, technology-neutral, vendor agnostic information sharing mechanisms to enable the real time sharing of sensitive collective-defense information between authorized stakeholders involved with securing U.S. critical infrastructure,” the paper says: “This should include breaking down the artificial barriers for sharing controlled unclassified information, both within the [U.S. government] and between the USG and other key, cross-sector stakeholders.”
The report notes the difficulty of convergence, since many OT systems are decades old. “It is difficult to maintain the security of these OT environments over time via a traditional IT approach (such as patching), and in some cases the acceptable timeline to resolve issues is much different,” the report said.
CISA welcomes the recommendations, said Trent Frazier, deputy assistant director-stakeholder engagement. “The threat landscape to our nation’s cybersecurity continues to evolve and expand,” he said. “We know that within the federal government, and certainly within CISA, that our approach to cybersecurity must continue to evolve as well.”
NSTAC reports like the one on OT/IT convergence are valuable to the government, said Kemba Walden, principal deputy national cyber director-Office of the National Cyber Director. “Ensuring the security of our nation’s information infrastructure will always be a paramount goal and these studies are timely and are addressing key issues of concern,” she said. The government and industry must work together, she said: “We expect unity of effort and unity of purpose in our work together.”