A Pennsylvania water treatment facility is infiltrated by hackers linked to Iran. Russian hackers breach more than a thousand home office routers to lay the groundwork for future cyberattacks. And hackers traced to China pierce communications networks, transportation systems and other computers in multiple states.
These aren’t nightmare scenarios from the world of cyber-fiction. They are examples of cyberattacks launched by adversaries of the U.S., looking to probe critical infrastructure for weaknesses that could let them sow chaos from half a world away. And cyber experts and companies involved in these sectors say the government isn’t doing nearly enough to deal with the dangers.
A big part of the problem is a lack of attention to what’s known as “Operational Technology,” or “OT”: the specialized industrial equipment that powers the operations of energy grids, water systems, hospitals and factories. By contrast, “IT,” or Information Technology — including computers, smartphones, servers and the like — is well understood and generally well protected.
Cyber experts and company executives bemoan the lack of understanding of OT in Washington. They say, for example, that the way the government talks about the ease of applying software updates and setting up multi-factor authentication (MFA) — which adds an extra layer of login security on top of the traditional password — suggests that officials don’t understand why MFA and patching are so hard to implement on OT.
Now, these private-sector experts and executives are raising the alarm and trying to fix the problem.
“There is a never-ending list of interesting, real-world, practical problems when it comes to securing operational technology and industrial control systems,” Andrew Howell, a partner at the strategic communications firm Monument Advocacy, told The Cipher Brief. “It's a tremendously unappreciated space … and [it] only gets appreciated once something happens.”
Enter the OTCC
In the spring of 2021, President Joe Biden’s new administration launched a 100-day sprint to prod electric companies to improve their cybersecurity. In the months that followed, the White House launched similar efforts for pipelines, water utilities and chemical companies. But as the “sprints” continued, the companies that sell technology to monitor and protect industrial equipment from hackers concluded that Washington didn’t understand their industry very well.
“We looked around and realized that there weren't really any trade associations or other organizations that were focused on operational technology issues,” Howell said.
The five leading OT cybersecurity providers — Claroty, Forescout, Honeywell, Nozomi Networks and Tenable — decided to take matters into their own hands, forming a group that would educate policymakers, with the ultimate goal of crafting rules to promote more modern and secure OT systems. In April 2022, they launched the Operational Technology Cybersecurity Coalition (OTCC), linking the cybersecurity firms with major equipment manufacturers involved in the nation’s critical infrastructure. Howell took on the role of executive director.
The OTCC’s main goals: build more interoperable technology, to ensure that companies can use equipment from multiple vendors without compromising security; create long-lasting cybersecurity standards for OT; and fund government agencies to oversee these critical sectors’ cybersecurity postures.
“The group has an unmatched expertise and capacity for advising government and industry stakeholders on how to best secure the nation’s critical infrastructure,” Grant Geyer, chief product officer at Claroty, told The Cipher Brief.
Put simply, the OTCC would help ensure that the Iranians, Russians, Chinese — or anyone else — would be stopped at the gates of those water facilities, oil pipelines, and all the other infrastructure that helps keep the country running.
An oversight problem
The Biden administration’s strategy for protecting critical infrastructure from hackers depends heavily on “sector risk management agencies” (SRMAs) that oversee the physical and digital security of regulated industries. One of the OTCC’s top priorities is encouraging all these SRMAs to take their cybersecurity responsibilities seriously. That’s proving harder in some cases than in others.
The financial services and electric power industries have advanced cyber defenses and sophisticated regulators at the Treasury and Energy departments. The pipeline industry has improved its defenses since the 2021 Colonial Pipeline ransomware attack, which disrupted fuel supplies up and down the East Coast, and regulators at the Transportation Security Administration have improved their oversight as well. But experts say other vital sectors remain woefully vulnerable: water, food, agriculture, and health care.
The food and agriculture industries rely heavily on operational technology for everything from precision crop fertilization to real-time livestock monitoring. But the sector has barely begun to grapple with the risks posed by cyberattacks on these systems, and Howell said the U.S. Department of Agriculture’s cyber oversight “is still in a very fledgling state.”
Things aren’t much better in the water sector. The infiltration in Pennsylvania was only one of a recent spate of Iranian government cyberattacks on water facilities, all of which have highlighted the poor cyber defenses across the nation’s roughly 150,000 public water systems. The Environmental Protection Agency is supposed to set cyber standards for water facilities and provide free help with improving their defenses. But the water industry recently teamed up with Republican-led states to kill the EPA’s first stab at cyber regulation, and experts say the agency has nowhere near enough personnel to support tens of thousands of utilities.
The health-care sector is more familiar with the consequences of cyber threats, after years of ransomware attacks that have crippled several U.S. hospitals. But the Department of Health and Human Services is only now preparing to mandate cyber defenses for hospitals, and the operational technology in these facilities — from X-ray machines to building security systems — still lacks cyber rules. Howell called hospitals “probably one of the most interesting and complex environments of any critical infrastructure,” because of how IT, OT, and the internet of things are intertwined.
Coalition members differ on the right way for cyber regulations to balance public safety and operational flexibility in these key sectors, but Howell said the entire group agrees: to avoid future cyber-nightmares, many SRMAs need to step up their game.
Locked in, at their peril
One of the coalition’s biggest concerns is the proliferation of equipment that works only with other equipment made by the same manufacturer. In the trade, it’s known as “vendor lock-in.” And when it comes to cybersecurity, it’s dangerous.
Industrial facilities often rely on vast oceans of technology, and OT vendors have realized that they can guarantee hefty profits by forcing customers to buy their complete suite of products, rather than mixing and matching with gear from multiple vendors.
This “vendor lock-in” strategy isn’t just frustrating for customers. It can also degrade their cybersecurity posture. Infrastructure operators do still buy equipment from different vendors, but because individual vendors often follow a lock-in strategy, their products can’t always exchange information about active threats with other vendors’ devices. The resulting gaps in how devices “talk” to each other can create gray areas that provide footholds for hackers.
“OT systems are far more sensitive to disruption than most IT networks. That places a premium on plug-and-play or other ways of incorporating technology seamlessly,” Suzanne Spaulding, a former top DHS cyber official, told The Cipher Brief. “Being able to interoperate with existing technology is essential.”
To ensure that new industrial equipment works seamlessly with other gear no matter who makes it — that “plug-and-play” approach — the coalition is urging vendors to design their products based on an internationally recognized standard for OT cybersecurity known as IEC 62443. The idea is that by adhering to one standard, different vendors will make products that communicate, exchange information and otherwise operate seamlessly together — almost as if they were all from the same product suite.
As Howell put it, “a standards-based approach is the only one that will enable all of the innovation in this space to take place and allow companies to scale.”
Aging and blinded
Another glaring problem in the OT world: the stuff is old.
Experts note that because industrial equipment is designed to last so long and rely so little on software updates, it must be engineered to support a wide range of cybersecurity activities — engineering work that’s easier if it’s based on forward-thinking standards that the entire industry understands.
With 30-year-old industrial technology, Howell said, “you wind up seeing [a] tremendous … lack of sensors, lack of ability to gather and share information.” That weakness — built in from the start and extremely difficult to fix — blinds companies to hackers lurking in their midst, making it harder for them to spot an intrusion until it’s too late.
It’s too late for forward-looking standards to help with the decades-old equipment currently in the field. The OTCC members have argued that vendors must start adhering to international standards with the products they’re designing today, to reduce cyber blind spots for infrastructure operators in the future.
“In the OT space, it’s all about visibility,” said Brian Harrell, a former assistant director for infrastructure security at DHS’s Cybersecurity and Infrastructure Security Agency (CISA). “Fully understanding the environment, which assets are connected to the OT network, what unexpected traffic looks like, and which vulnerabilities to prioritize, is fundamental to strong industrial cybersecurity.”
Industrial equipment will never be as adaptable or cutting-edge as IT systems such as traditional computers and smartphones. The best that OT vendors can do is “build standards today that will last over the course of time,” Howell said.
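The visibility Harrell describes (knowing which assets are on the OT network and what unexpected traffic looks like) is usually obtained passively, by watching a mirrored copy of plant traffic rather than scanning fragile equipment. The following is an added example, not code from the article or from any OTCC member product, of the simplest form of that idea: learn an inventory and a traffic baseline from flow records, then flag later flows that introduce a new device, a new conversation between known devices, or a new service on a known device. All addresses, timestamps and flow lines are constructed for the example, and the port-to-protocol table is an assumption for illustration only.

```python
"""
Added example (not from The Cipher Brief article or the OTCC): a minimal
passive-visibility check for an OT network.  It builds an asset inventory
from constructed flow records (as a monitoring sensor on a SPAN port might
produce) and then flags traffic that falls outside the learned baseline.
All device addresses and flows below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Well-known TCP ports of common industrial protocols; this mapping is an
# assumption made for the example, used only to label alerts readably.
OT_PORTS = {502: "modbus", 20000: "dnp3", 44818: "ethernet/ip", 102: "s7comm"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def parse_flows(lines):
    """Parse constructed flow-log lines of the form
    '<ts> <src> -> <dst> <proto>/<dport>' into Flow records."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _arrow, dst, svc = line.split()
        proto, port = svc.split("/")
        flows.append(Flow(ts, src, dst, int(port), proto))
    return flows


def build_baseline(flows):
    """Learn what 'normal' looks like: the assets seen, the services each
    asset accepts connections on, and the src->dst pairs observed.  In a
    real plant this is learned over days and reviewed by the engineers who
    know the process, so that legitimate but rare traffic is not alarmed on."""
    assets = set()
    services = defaultdict(set)  # dst -> {(proto, dport)}
    pairs = set()
    for f in flows:
        assets.update((f.src, f.dst))
        services[f.dst].add((f.proto, f.dport))
        pairs.add((f.src, f.dst))
    return {"assets": assets, "services": dict(services), "pairs": pairs}


def find_anomalies(baseline, flows):
    """Compare new flows with the baseline; return (reason, flow) alerts.
    The checks are ordered from most to least surprising, so each flow
    produces at most one alert."""
    alerts = []
    for f in flows:
        if f.src not in baseline["assets"] or f.dst not in baseline["assets"]:
            alerts.append(("new-asset", f))
        elif (f.src, f.dst) not in baseline["pairs"]:
            alerts.append(("new-conversation", f))
        elif (f.proto, f.dport) not in baseline["services"].get(f.dst, set()):
            alerts.append(("new-service", f))
    return alerts


def describe(alert):
    """Render an alert as one human-readable line."""
    reason, f = alert
    svc = OT_PORTS.get(f.dport, f"{f.proto}/{f.dport}")
    return f"{f.ts} {reason}: {f.src} -> {f.dst} ({svc})"


# Constructed baseline traffic: an HMI (10.10.1.10) polling two PLCs over
# Modbus and an engineering workstation (10.10.1.50) talking S7comm to one PLC.
BASELINE_LOG = """
# ts                  src            ->  dst            proto/port
2024-03-01T08:00:00Z  10.10.1.10     ->  10.10.1.21     tcp/502
2024-03-01T08:00:01Z  10.10.1.10     ->  10.10.1.22     tcp/502
2024-03-01T08:05:00Z  10.10.1.50     ->  10.10.1.21     tcp/102
""".splitlines()

# Constructed later traffic with three deviations: a known workstation
# reaching a PLC it never touched, an unknown host, and a new protocol.
NEW_LOG = """
2024-03-02T08:00:00Z  10.10.1.10     ->  10.10.1.21     tcp/502
2024-03-02T08:00:02Z  10.10.1.50     ->  10.10.1.22     tcp/102
2024-03-02T08:01:00Z  10.10.1.99     ->  10.10.1.21     tcp/502
2024-03-02T08:02:00Z  10.10.1.10     ->  10.10.1.21     tcp/44818
""".splitlines()


def run_example():
    """Learn from BASELINE_LOG, then check NEW_LOG against it."""
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    return find_anomalies(baseline, parse_flows(NEW_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(describe(alert))
```

The value of this kind of baseline is precisely that it needs nothing from the equipment itself, which is why it works on the decades-old gear the article describes; the trade-off is that everything depends on how carefully the learning window was reviewed, since any attacker activity present during that window becomes part of “normal.”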
Work in progress
The OTCC’s push for more attention to operational technology comes at a critical moment for U.S. national security. Foreign adversaries are stepping up their attempts to penetrate U.S. critical infrastructure, and the recent cyberattacks on water facilities and health-care providers have underscored the dangers.
But while there is now a consensus that critical infrastructure requires more digital security oversight, operational technology remains a blind spot for many policymakers.
That means the OTCC and its member companies have their work cut out for them.
As Howell put it, “There has not been a tremendous amount of appreciation for what operational technology is, what operational technology cybersecurity companies do, and how the operational technology industrial control system environment actually works.”
OTCC members are tight-lipped about assessing the coalition’s impact to date, but many of them praised the group for giving the OT cybersecurity industry a unified voice and offering a one-stop shop for politicians who want to learn more about this complicated technology.
“It is [making] a difference,” said Ali King, vice president of government affairs for Forescout, “as the collective technical expertise of our members creates a valuable resource for policymakers and regulators across the federal government.”
The project has also created a new collaborative spirit among competing businesses. Marty Edwards, deputy chief technology officer for OT and IoT (Internet of Things) at Tenable, said it has been “refreshing to be able to sit side by side with competitors and agree that the cybersecurity challenges we all face are bigger than any individual company.”