Since the establishment of the Cybersecurity and Infrastructure Security Agency in 2018, the federal government has continued to invest in our nation’s cybersecurity through a series of strategic initiatives, legislative measures, and partnerships with the private sector.

We now have an Office of the National Cyber Director, the Executive Order on Improving the Nation’s Cybersecurity (E.O. 14028), cyber incident reporting requirements, and major funding initiatives for state and local governments to improve their cyber posture, to name a few.

Even still, fast forward to today and there is an immediate need for government to prioritize continued investment in our national cyber posture, particularly when it comes to critical infrastructure and operational technology, or OT, systems, which underpin some of our nation’s most valuable assets.

Threats against our nation’s critical infrastructure and OT environments, like hospitals, schools, businesses, and water utility plants, are happening at alarming rates. Foreign adversaries like China and Russia, and technologies like machine learning and artificial intelligence, are playing a greater role in advancing the threat landscape. Countering these evolving threats demands a nimbler, more coordinated approach between the U.S. government and the private sector.

To sustain the momentum in safeguarding our critical infrastructure and OT assets, it is imperative that industry and government work together to prioritize the following:

IT/OT convergence

Since the late 1960s, OT has been considered “safe” from attacks because most OT devices were connected on internal networks. With the more recent convergence with IT, these devices are now, in many cases, exposed to the internet, and as a result are vulnerable to the threat of cyberattacks. This includes Programmable Logic Controllers, devices that control the operations of industrial control systems, critical infrastructure, and similar OT systems.

These devices are now directly connected to the internet, leaving them vulnerable to exploitation and making the task of securing OT systems increasingly challenging. Exacerbating this issue is the siloed nature of cybersecurity and the near impossibility for cybersecurity leaders of gaining full visibility into their exposure with the tools currently at their disposal.

To address these challenges, the President’s National Security Telecommunications Advisory Committee (NSTAC) report to the President on Information Technology and Operational Technology (IT/OT) Convergence makes three key recommendations for the federal government to help relevant stakeholder communities execute a secure convergence of IT and OT cybersecurity: require an inventory of U.S. government OT systems; develop enhanced OT-specific cybersecurity procurement language and ensure procurement includes cybersecurity provisions; and standardize and enable real-time interoperable information sharing.

For these initiatives to work, businesses and organizations must shift to adopting a secure-by-design approach to security. Transitioning from a “bolted on” to a “built-in” security model will save organizations valuable time and resources in rebounding from cyber incidents.

Public-Private Partnerships

The federal government should continue to promote public-private sector collaboration to address cyber threats, as these partnerships are vital to building resilient and robust converged IT/OT environments. Collaboration and information sharing amongst stakeholders foster transparency and enable synchronized joint efforts to implement proactive security measures and combat cyber threats.

CISA’s Joint Cyber Defense Collaborative, or JCDC, showcases the effectiveness of public-private partnerships. The JCDC facilitates rapid information sharing amongst government and private sector partners, even amid critical events, like the Russian invasion of Ukraine and the Log4j vulnerability. As the cyber threat landscape rapidly advances, coordination between the public and private sectors is essential to ensure collective and unified measures are in place to protect critical infrastructure and OT systems.

CISA, the federal agency responsible for defending against today’s rapidly evolving cyber threats, was designed for collaboration and partnership. Its ability to be a resource and partner with state and local government and the private sector is dependent on continued support from government leaders. However, budget cuts proposed by Congress “would weaken the agency’s important network defense efforts and critical infrastructure coordinator responsibilities,” according to a recent letter to the Senate and House Appropriations Committees, sent by a bipartisan cross-section of more than 50 industry leaders, including former government officials.

As the agency matures, Congress will play a paramount role in maximizing CISA’s potential. To optimize effectiveness, Congress should prioritize collaboration with agency officials when developing targeted legislation and appropriating necessary funding to advance CISA’s mission to protect the nation’s critical infrastructure.

CISA’s cross-sector cybersecurity performance goals provide a voluntary cybersecurity baseline for critical infrastructure, aligning with the National Institute of Standards and Technology’s Cybersecurity Framework functions. The CPGs integrate IT and OT practices, emphasizing the need for a designated role overseeing OT cybersecurity to enhance team collaboration and incident response. While a significant advancement, further efforts are imperative, especially for securing OT systems critical to the water, energy, and transportation sectors.

Amidst increased geopolitical threats and persistent challenges to our critical infrastructure and OT systems, robust collaboration between the federal government and the private sector is consequential. Through unified efforts, we can confront today’s cyber threats while fortifying our defenses against those of tomorrow.

Marty Edwards is Deputy Chief Technology Officer for OT/IoT at Tenable.
