Federal agencies have stepped up efforts to boost intelligence sharing and build industry resilience amid a wave of increased cyberthreats against critical infrastructure providers.
A House hearing Tuesday, led by the Oversight and Investigations subcommittee of the Energy and Commerce Committee, examined recent efforts by the Department of Energy, Environmental Protection Agency and Department of Health and Human Services to address rising cyberthreats against the energy, water and healthcare industries.
The hearings come two months after the White House unveiled its long-anticipated national cybersecurity strategy, which includes a plan to boost the resilience of the nation’s 16 critical infrastructure sectors against rising threats from nation states and criminal ransomware groups.
“Given the immense gravity of the threats we face it is imperative that we employ a whole of government approach to risk management and mitigation,” Puesh Kumar, director, Office of Cybersecurity, Energy, Security and Emergency Response at the Department of Energy, told lawmakers at the hearing.
Each annual threat assessment from the U.S. intelligence community since 2019 has pointed to persistent and malicious threats against U.S. infrastructure, Kumar said. The intelligence reports warned that Russia and the People’s Republic of China each had the cyber capability to disrupt energy services in the U.S.
DOE helped coordinate efforts to recover from the 2021 ransomware attack against Colonial Pipeline, which disrupted fuel supplies to much of the southeast and east coast of the U.S. for almost a week.
DOE is piloting a program called the Energy Threat Analysis Center, Kumar confirmed during questioning from Rep. Diana DeGette, D-Colo.
The program at the National Renewable Energy Lab is designed to help coordinate threat information coming from private industry and the intelligence community.
“We’re not putting the pieces together to really understand what is the risk to our national security and what’s the larger trends that are happening in the sector,” Kumar said. “And we need to be doing that if we’re going to stay ahead of the threat we are facing.”
The program has already helped to take threats developed from the Russia-Ukraine conflict and convert those into cyber advisories that were sent out to the entire energy sector, Kumar testified. However, Congress will ultimately need to step in to fully stand up the program, and the current plan calls for a 2027 launch.
Hospitals under threat
Federal officials and security industry experts have expressed concerns about a sharp increase in attacks targeting hospitals and healthcare systems, as the number of cyberattacks against the sector doubled between 2016 and 2021, with ransomware emerging as a major method of attack.
A study published last week in the Journal of the American Medical Association showed that a cyberattack against a hospital creates a blast radius in the surrounding area beyond the targeted institution, much like the impact of a conventional disaster, said Brian Mazanec, deputy director, Office of Preparedness, Administration for Strategic Preparedness and Response at HHS.
“Imagine the impact on patients as a hospital is forced to abruptly shift to paper records following a ransomware attack on its electronic health records system or loses its ability to conduct MRIs,” Mazanec testified. “Cyber safety is patient safety.”
Mazanec outlined numerous HHS efforts to coordinate interagency and public-private initiatives to ensure hospitals and healthcare organizations are prepared for potential attacks and better able to continue operations if they fall victim to a breach or extortion attempt.
HHS coordinates 15 government and 300 private sector partner organizations through the Healthcare Sector Coordinating Council Joint Cybersecurity Working Group, according to Mazanec.
In addition, Mazanec noted that HHS worked with CISA to organize more than a dozen tabletop exercises to improve incident response planning.
Drink, rinse and respond
Federal authorities have placed a major focus on making sure drinking water and wastewater systems are protected. One of the most high-profile cyber incidents in recent years was the alleged attempt to poison a water facility in Oldsmar, Florida. In another incident, in Kansas, a former employee pleaded guilty to tampering with a drinking water facility.
The FBI also issued warnings in 2021 regarding the risk of ransomware attacks targeting drinking and wastewater facilities.
The Environmental Protection Agency is the sector risk management agency for another key threat sector, the drinking water and wastewater industries.
The most significant risk to the water sector is the failure of many utilities to adopt best practices, according to David Travers, director, Water Infrastructure and Cyber Resilience Division of the EPA.
The U.S. has almost 150,000 public water systems that provide drinking water and 16,000 publicly owned treatment works for wastewater; however, 97% of the public water systems are considered small, serving fewer than 10,000 people.
The Cybersecurity and Infrastructure Security Agency previously identified water as one of the key sectors it would focus on, particularly in smaller communities that depend on under-resourced public utilities that may not have their own IT infrastructure or expertise.