

U.S. critical infrastructure is in for a reckoning if digital defenders don’t begin prioritizing the cybersecurity of operational technology systems that allow critical services like dams, electric grids and trains to safely function, witnesses told a House panel on Tuesday.
Operational technology controls the physical equipment of infrastructure, including pipes, switches, tracks and gates. Those differ from information technology systems, which manage data and communications and are frequently internet-connected. But OT and IT systems often cross paths, opening up vulnerable networks to intrusions and physical sabotage.
For years, IT systems have received much of network defenders’ attention, witnesses said during a House Homeland Security Committee hearing focused on lessons learned on the 15th anniversary of the Stuxnet computer worm’s discovery.
“Despite the elevated risks associated with attacks on OT systems, this area of cybersecurity remains significantly underprioritized and underfunded,” Tatyana Bolton, the executive director of the Operational Technology Cyber Coalition, said in her opening remarks.
“Let me be blunt: We are not prepared for a major attack on our critical infrastructure,” Robert M. Lee, CEO of industrial cybersecurity firm Dragos, also said in his opening statement.
The OT hearing was paired with lessons learned from Stuxnet, a computer worm that is widely deemed to be the first known cyber weapon to cause physical destruction.
“Stuxnet revealed the significant impact that offensive cyber tools can have on critical infrastructure. Stuxnet also demonstrated the importance of securing operational technology,” said Rep. Andrew Garbarino, R-N.Y., who chairs the panel’s cyber subcommittee and was elected to be chairman of the full committee late Monday.
“By exploiting key vulnerabilities in industrial control systems, Stuxnet proved that cybersecurity is not only an IT issue,” he added in a prepared statement. “Cybersecurity threats can affect critical infrastructure we depend on daily, from water treatment to energy facilities.”
The hearing follows the Trump administration’s recent funding and workforce cuts to the Cybersecurity and Infrastructure Security Agency, a move that one witness said has impacted his national lab’s ability to actively assess threats hiding on critical infrastructure.
Lawrence Livermore National Laboratory’s contract with CISA expired Sunday, said Nate Gleason, the lab’s cyber and infrastructure resilience program leader.
“National laboratories are not legally able to operate without being funded by a government agency,” he said, adding that “our threat hunters stopped monitoring networks” over the weekend.
“So theoretically, we have deployed sensors on critical infrastructure and there could be a malicious attack occurring right now that you are not legally able to see until the program is refunded?” cyber subcommittee ranking member Rep. Eric Swalwell, D-Calif., asked Gleason.
“That is correct. Lawrence Livermore analysts are not able to monitor that data right now,” he replied.
Gleason later added that the lab’s contract with CISA to support its National Infrastructure Simulation and Analysis Center expired in March. The center uses analytical toolsets to build cyber and physical risk profiles of critical infrastructure platforms.
The hearing comes around two months before the lapse of the 2015 Cybersecurity Information Sharing Act, a foundational cyber threat information-sharing law. There was wide consensus among witnesses that the law, which permits industry to voluntarily share information about hacking threats with the government under liability safeguards, must be cleanly reauthorized.
If it expires, 80% to 90% of threat information will be cut off from the federal government, Bolton stressed.
Also present was Kim Zetter, a renowned cybersecurity journalist who authored arguably the most authoritative book on Stuxnet, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.
“I make a distinction between those who have the will and those who have the ability. Those who have the ability haven’t until now really had the will to go after U.S. critical infrastructure. And those who have had the will — perhaps maybe terrorist groups, others — haven’t necessarily had the ability,” she said. “It doesn’t take much to marry those two together.”