The Dragos Blog

02.06.24 | 2 min read

Testimony on Securing Operational Technology: A Deep Dive on the Water Sector

Today, I testified before the U.S. House of Representatives Subcommittee on Cybersecurity and Infrastructure Protection about operational technology (OT) in our nation’s water systems. I appreciate the continued focus by our policymakers and legislators on ICS/OT cybersecurity and was glad to share my perspective. Water utilities and other critical infrastructure organizations are on the front lines today, defending their systems against both state actors and criminal groups. They face growing threats with small and stagnant budgets, including threats to their OT networks and industrial control systems. These are the specialized computers and networks that interact with the physical world to do things like control the pumps or chemical levels at a water treatment facility.  

You can find my full testimony here, and an on-demand video of the full hearing here.

My testimony focused on three key points: 

  • There are fundamental differences between OT and IT networks. The biggest difference is the mission or business purpose of the system. Generally, IT systems support how you manage the business. OT systems focus on the reason the business exists. OT security is also distinct from IT security. Many standards, regulations, and best practices simply apply IT security controls to OT without considering whether or not they should be applied. This results in wasted resources and operational disruptions. OT security should instead focus on unique OT controls and adopt from IT practices only when it makes sense.
  • The cyber threat landscape for OT has shifted irreversibly. The same digitalization, connectivity, and uniformity in OT that is enhancing efficiency and reliability for infrastructure owners and operators is also adding risk. More standardized infrastructure has brought efficiencies, but also opened the door for reusable, scalable capabilities, such as PIPEDREAM, that can be used across sectors to achieve disruptive or destructive effects. OT networks are also being targeted through successful, low-sophistication cyber attacks involving things like network accessibility from the internet, weak or default credentials, and targeting of remote service technologies and communications protocols. Ransomware operators are also increasingly attacking industrial organizations. 
  • Government and industry must work together to secure water sector operational technology. Agencies must provide clear and consistent direction to industry that identifies specific requirements owners and operators need to support; shares realistic threat scenarios; and provides opportunities to exercise capabilities. And water sector cybersecurity efforts need to be resourced to hire talent and purchase the equipment and technologies needed now. Dragos is committed to helping close the resource gap, too. The Dragos Community Defense Program gives US-based utilities with under 100 million dollars in annual revenue free access, forever, to our products and training to help these organizations build their OT cybersecurity programs. 

I have so much optimism about what we all can do as a community to counter even the most sophisticated cyber threats. Let’s continue to work together so that we can address the underlying economic issues that hinder water and other small utilities in their important mission to help keep our communities safe. 
