OT-IT Integration Raises Risk for Water Providers, Experts SayWitnesses at Hearing Also Discuss Role of Government in Security Incident Response
At a congressional hearing Tuesday, "Mobilizing Our Cyber Defenses: Securing Critical Infrastructure Against Russian Cyber Threats," a water trade association urged the federal government to follow the lead of the electric sector and institute minimum cybersecurity standards for water systems.
The amount of risk water providers face has increased dramatically in recent years as they connect their legacy machines to the internet and IT systems, Kevin Morley, manager of federal relations for the American Water Works Association, said at the hearing. Remote pieces of equipment are going onto the internet via cellular connections to get real-time telemetry and streamline troubleshooting, Tenable CEO Amit Yoran said.
"There’s a perception that there's operational technology and information technology and that, in a perfect world, the OT systems are isolated from the internet-facing IT systems," Adam Meyers, CrowdStrike’s senior vice president for intelligence, said at the hearing. "The reality is that's not always the case."
Meyers, Morley, Yoran and Financial Services ISAC CEO Steve Silberstein testified Tuesday before the U.S. House of Representatives Homeland Security Committee on securing critical infrastructure against Russian cyberthreats. The hearing comes about six weeks after Russia’s invasion of Ukraine and 14 months after hackers got into an Oldsmar, Florida, water treatment plant and changed the lye levels in the drinking water.
Morley told legislators the water sector needs a new approach to security that both recognizes the technical and financial challenges in the industry while still setting risk- and performance-based cybersecurity standards. An entity similar to the North American Electric Reliability Corp. could lead the development of the requirements and perform third-party conformity assessments, he said (see: CISA, EPA Issue 100-Day Cyber Plan for Water Utilities).
"CISA’s cyber hygiene program provides some of the most immediate risk reduction benefits to users," Morley said. “We recommend that EPA, CISA and sector organizations coordinate on a unified outreach campaign to increase deployment of this program to water systems, especially small and medium utilities.”
Are Connections Worth the Risk?
At the same time, Meyers said, water and other utility providers are establishing cellular connections for remote telemetry collection so that, for instance, pipeline metering and billing information can be connected. While in theory OT could or should be completely isolated from IT, Meyers said the two are increasingly connected in critical infrastructure environments.
"I think it's dangerous to mandate or regulate that they remain physically separate," Yoran said. "There's business reasons and efficiency reasons that you might want to connect those to be able to predict when parts are going to fail or when outages are going to occur … It makes sense to remind those operators that they're responsible for the cybersecurity risk when they're connecting those systems."
Rep. Carlos Gimenez, R-Fla., disagreed with Meyers and Yoran, saying that it should be possible to have all that predictability inside a closed system that's not connected to the outside world. Gimenez says the separation is not necessary for every system but that he advocates for this approach when dealing with critical infrastructure such as water and electricity, where a hack could endanger the survival of citizens.
"I do think that it's maybe worth the inconvenience to the business side of it that, 'Hey, maybe these things should be a little bit separated,'" Gimenez said. “As good as you guys think you may be, somebody is going to figure out a way around you.”
Should Homeland Security Take the Lead?
Witnesses disagreed, however, on the role specific government departments or agencies should play in responding to a security incident. Morley said the Environmental Protection Agency should be the lead agency if a water provider experiences a cyberattack since the EPA has a more direct understanding of the critical elements of water utility operations than the Cybersecurity and Infrastructure Security Agency, which may lack the industry-specific knowledge.
Conversely, Yoran said it's critical that Homeland Security take the lead when a security incident occurs and pull in other agencies as appropriate. The private sector is already connected to CISA's Joint Cyber Defense Collaborative and forcing security vendors such as CrowdStrike or Tenable to connect with 16 different U.S. government agencies following a breach would be "extremely inefficient," Yoran said.
"The committee raised concerns with the White House's decision to place the Department of Energy as the lead response agency to the Colonial Pipeline ransomware attack last year," said Rep. Mariannette Miller-Meeks, R-Iowa. "We have policies, procedures and statutes for a reason, and they should be followed. We simply can't afford similar missteps should something like this happen again."
Control over water systems is spread across thousands of different entities, including small towns and villages that might have severe budget limitations when it comes to competing against banks and insurance companies for top cybersecurity talent, Mark Rasch, chief legal officer at cybersecurity consultancy Unit 221B tells Information Security Media Group. Rasch previously created the U.S. Department of Justice Computer Crime Unit.
The threats water systems face have changed dramatically over the past half-decade, from terrorist groups physically contaminating the water systems - which requires defenses such as cameras, fences, and motion-detection sensors - to cyberthreats such as ransomware attacks and preventing the processing of payment, Rasch tells ISMG.
He also says the onset of COVID-19 prompted many water authorities to pursue remote monitoring, which introduced new risks tied to authentication, access control and DDoS attacks. Rasch says he would like to see the federal government provide water systems with tools and technologies for free and offer more money to agencies that fail a security audit instead of punishing them with funding cuts.
"The problem is we don't know how to define the target or threat because it's constantly changing," Rasch says. "Because of the decentralized nature of water authorities, they don’t have many resources."