Operational technology systems in the U.S. are more vulnerable to malicious cyberattacks than information technology, Vergle Gipson, senior advisor at Idaho National Laboratory, said in testimony Thursday before the House Subcommittee on Cybersecurity, Infrastructure Protection and Innovation. However, key changes in design, training and enhanced testing can help make these systems more resilient in the face of additional threats.
Most industrial control systems currently in use were designed more than two decades ago, before there was a clear understanding of how to build cyber resilience into those systems, according to Gipson. While IT systems have been more actively managed, with firmware and patches frequently upgraded, OT systems are usually not upgraded or replaced until significant failures occur.
The U.S. should stand up a Center of Excellence to develop additional information sharing, expand cyber-physical testing to help develop additional mitigation strategies and focus additional research on Cyber Informed Engineering, which would embed more cyber resilience into the design phase of future industrial systems.
Malicious activity has become a much greater focus in recent years due to the ability of sophisticated actors to disrupt critical infrastructure sites, most notably in the 2021 ransomware attacks on Colonial Pipeline and meat supplier JBS USA.
The lack of resilience embedded in much of the nation’s existing infrastructure sites makes this the perfect time to begin to rethink how the U.S. develops and maintains key facilities, according to officials.
“This is a big opportunity for us in the U.S.,” Gipson said. “A lot of the existing infrastructure simply isn’t securable from a cyber viewpoint. So as we are upgrading and replacing infrastructure it’s the perfect time to make that infrastructure cybersecure and defendable.”
The Biden administration has made considerable effort to focus on protecting critical infrastructure sites, including energy producers, utilities, water systems, transportation and other key facilities to ensure neither nation-state nor criminal actors can disrupt operations.
The Cybersecurity and Infrastructure Security Agency in April expanded the Joint Cyber Defense Collaborative to focus on unified efforts to better protect critical infrastructure against potential threats, according to Eric Goldstein, executive assistant director for cybersecurity at CISA.
CISA has also taken steps to provide more direct outreach to under-resourced and sensitive ICS facilities that may not have the capabilities to do sophisticated testing and mitigation to stop a sophisticated attack.