Essential sectors like water and energy must be safeguarded against cyberattacks, but defending critical infrastructure requires caution, so that the security measures themselves don’t inadvertently cause disruptions of their own.
As critical infrastructure sectors increasingly add network connectivity to their operational technologies (OT), cyber attackers have taken notice. Attackers have increasingly looked to breach these systems for a variety of reasons, including extortion, espionage, sending a message and, potentially, disruption.
Protecting critical infrastructure operational technology requires a careful touch. Defenders must ensure that the security changes they deploy do not disrupt availability and smooth functioning, said Anthony DiPietro, technical director of the National Security Agency’s defense critical infrastructure division, during a recent FedInsider webinar. If a mishap causes a router to go down, the system can usually fail over to another router or data center, but disrupting equipment that manages chemical processes might cause an explosion, he warned.
It’s also important to observe systems to learn what normal looks like for them, which then allows defenders to monitor for abnormal activity that could reveal an adversary on the system, said DiPietro. But defenders also must be careful that security activities do not disrupt operations, for example by introducing sensor latency.
“What we also have to consider is sensor latency. … If we add any latency to an OT infrastructure, we can throw off timing,” DiPietro said. “We throw off timing, we mess up the process. We mess up that process, a safety issue could be incurred.”
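The two points above, learning a baseline of normal behaviour and then alerting on deviations without adding latency to the process, can be combined in a passive monitor that reads flow summaries from a network tap or SPAN port rather than sitting inline. The following is an added example written for this article; it is not code from the webinar, the NSA or the EPA. The addresses, protocol and function names are hypothetical sample values, and the flow records are constructed to stand in for what a passive OT sensor would export.

```python
"""Passive OT baselining: learn which conversations are normal and how
regularly they occur, then flag new conversations, silent ones and
timing drift. Works on exported flow summaries, so it adds no latency
to the control loop itself. (Added example; values are constructed.)"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (seconds since capture start, source,
# destination, protocol, function). Hosts and functions are hypothetical.
BASELINE_FLOWS = (
    # HMI polls the PLC's holding registers every 2 s
    [(float(t), "10.0.0.10", "10.0.0.20", "modbus", "read_holding_registers")
     for t in range(0, 20, 2)]
    # Historian reads input registers every 5 s
    + [(float(t), "10.0.0.30", "10.0.0.20", "modbus", "read_input_registers")
       for t in range(0, 20, 5)]
)

OBSERVED_FLOWS = (
    # Same HMI polling, but one poll is missing (26 -> 34 is an 8 s gap)
    [(float(t), "10.0.0.10", "10.0.0.20", "modbus", "read_holding_registers")
     for t in (20, 22, 24, 26, 34, 36)]
    + [(float(t), "10.0.0.30", "10.0.0.20", "modbus", "read_input_registers")
       for t in (20, 25, 30)]
    # A host never seen during baselining issues a write
    + [(27.0, "10.0.0.99", "10.0.0.20", "modbus", "write_single_register")]
    # A known host uses a function it never used during baselining
    + [(30.0, "10.0.0.10", "10.0.0.20", "modbus", "write_single_coil")]
)


def conversation_key(flow):
    """A conversation is who talks to whom, over what, asking for what."""
    _, src, dst, proto, function = flow
    return (src, dst, proto, function)


def learn_baseline(flows):
    """Return, per conversation, how many times it was seen and the mean and
    standard deviation of the interval between occurrences."""
    times = defaultdict(list)
    for flow in flows:
        times[conversation_key(flow)].append(flow[0])
    baseline = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        baseline[key] = {
            "samples": len(ts),
            "mean_gap": mean(gaps) if gaps else None,
            "std_gap": pstdev(gaps) if len(gaps) > 1 else 0.0,
        }
    return baseline


def detect_deviations(baseline, flows, sigma=3.0, min_tolerance_ratio=0.5):
    """Compare an observation window against the baseline and return alerts.

    - unknown_conversation: a (src, dst, proto, function) tuple never baselined,
      which covers both new hosts and new function codes from known hosts
    - silent_conversation: a baselined conversation that has stopped entirely
    - timing_deviation: an interval outside mean +/- max(sigma*std, ratio*mean);
      the ratio floor keeps perfectly regular baselines (std = 0) from alerting
      on harmless jitter
    """
    alerts = []
    times = defaultdict(list)
    for flow in flows:
        key = conversation_key(flow)
        if key not in baseline:
            alerts.append({"kind": "unknown_conversation", "conversation": key,
                           "time": flow[0], "detail": None})
        else:
            times[key].append(flow[0])
    for key, profile in baseline.items():
        ts = sorted(times.get(key, []))
        if not ts:
            alerts.append({"kind": "silent_conversation", "conversation": key,
                           "time": None, "detail": None})
            continue
        expected = profile["mean_gap"]
        if expected is None:  # seen only once during baselining; no cadence known
            continue
        tolerance = max(sigma * profile["std_gap"], min_tolerance_ratio * expected)
        for a, b in zip(ts, ts[1:]):
            gap = b - a
            if abs(gap - expected) > tolerance:
                alerts.append({"kind": "timing_deviation", "conversation": key,
                               "time": b, "detail": gap})
    return alerts


if __name__ == "__main__":
    profile = learn_baseline(BASELINE_FLOWS)
    for alert in detect_deviations(profile, OBSERVED_FLOWS):
        print(alert)
```

Run against the constructed window, the monitor raises two unknown-conversation alerts (the new host's write and the HMI's first-ever coil write) and one timing alert for the missed poll; the baseline checked against itself raises nothing. Because the sensor only consumes exported flow records, it can be taken offline or fall behind without touching the process, which is the property DiPietro's latency warning asks for.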
Nushat Thomas is the cybersecurity branch chief in the Environmental Protection Agency’s (EPA) Water Infrastructure and Cyber Resilience Division. During the webinar, Thomas advised water utilities to avoid automatic software updates, as these could interrupt OT processes. Instead, utilities should conduct regularly scheduled manual updates. In the water sector, cybersecurity measures are often voluntary.
“The vast majority of what we are asking systems to do is to ensure that they are driving down their risk in their specific systems,” Thomas said. “There’s not a lot of requirements for them to do that.”
The EPA’s current authorities let it require that some drinking water systems develop and update risk assessments and emergency response plans. But this requirement only covers community water systems that serve more than 3,300 people, leaving out wastewater systems and smaller drinking water systems.
Meanwhile, the EPA encourages water systems to take voluntary cyber measures, and it offers various resources to help them do so. Those can include risk assessment services, tabletop exercises, incident action checklists and more.
The Cybersecurity and Infrastructure Security Agency (CISA) is another source of technical assistance. It aims to help critical infrastructure owners and operators manage cyber risks to operational technology. However, a March Government Accountability Office (GAO) report found some shortcomings. One issue: CISA lacked enough staff with the right skills to respond to significant incidents hitting different locations at the same time.
Dave Hinchman, director of the GAO’s Information Technology and Cybersecurity team, said during the webinar that CISA has since taken steps to address this, including “looking at hiring some very specific subject matter experts” to fill gaps, along with better defining the relevant job role.