Given the growing willingness of cybercriminals and adversaries of the United States to reach into the physical world through cyber attacks, we have reached a pivotal moment at which merely acknowledging the risks introduced by IT and operational technology (OT) convergence is not enough. Real security decisions must be made about converged networks in order to blunt threats from the virtual world that can disrupt physical processes in critical infrastructure sectors.
To that end, Claroty was honored to participate as a member of the President’s National Security Telecommunications Advisory Committee (NSTAC) Subcommittee on IT-OT Convergence, lending its insight to the development of a report intended to improve the security of cyber-physical systems and mitigate risk to national security, economic security, and public safety.
The “NSTAC Report to the President: Information Technology and Operational Technology Convergence” has now been published. The final report identifies crucial gaps impeding broad cybersecurity implementation across critical infrastructure, putting the onus not on technology but on a failure to prioritize the resources necessary to adequately protect these systems. It focuses on practical recommendations that the President and Executive Branch can implement without legislative action.
“The technology to implement basic cybersecurity fundamentals to secure these systems exists in the commercial market. The talent to understand how to secure the systems also exists, albeit not at the necessary scale, to implement the security requirements broadly for critical infrastructure,” the report says.
Asset owners in industries such as water and wastewater have made it clear over the past 24 months that utilities struggle to identify all of their IT and OT assets, and they have placed the need for security training and for federal loans and grants on a par with technology assistance. The NSTAC subcommittee report identifies similar gaps and warns government agency decision makers that they face difficult budgeting decisions.
OT prioritizes safety and reliability, which at times may be at odds with IT cybersecurity policies and procedures built around the confidentiality, integrity, and availability triad, in which confidentiality usually comes first. Converged OT and IT systems are rapidly becoming the norm in the private sector (some reports say 80% of critical infrastructure in the United States is privately owned), and leaders are going to have to build resilient systems that can stand up to compromise, whether from ransomware actors, as in the Colonial Pipeline incident, or from state actors targeting utilities and other critical infrastructure worldwide.
“These risks heighten the importance of thoughtfully and effectively managing IT/OT convergence. Government and industry must navigate through this OT risk landscape to deliver the essential products and services that support societal well-being and fuel the economy,” the report points out.
The NSTAC report makes 15 recommendations, three of which it urges the Biden administration to implement immediately because they carry relatively low risk. Let’s look at those three in more detail:
The first recommendation is that the Cybersecurity and Infrastructure Security Agency (CISA) issue a Binding Operational Directive (BOD) requiring civilian branches and agencies to maintain a real-time, continuous inventory of OT devices, including how those devices bridge into other enterprise IT systems. The BOD would make the inventory part of the annual budget process, with the ultimate aim of a deeper understanding of the new connections forged by converged networks. It would also require annual reports from CISA to track progress.
Asset owners cannot protect what they cannot see: visibility into connected assets enables better vulnerability management and patch prioritization, and sheds light on risky exposures for systems once shielded by air gaps. Since the release of the subcommittee’s draft report, CISA has issued Binding Operational Directive 23-01, which among other actions compels Federal Civilian Executive Branch (FCEB) agencies, by April 3, 2023, to (1) perform automated asset discovery across their networks every seven days and (2) enumerate vulnerabilities on the discovered assets, actions that align with this first recommendation.
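The inventory checks that the first recommendation and BOD 23-01 call for can be expressed as a small review over an asset list. The example below is added here to illustrate that; it is not code from the NSTAC report, from CISA, or from Claroty. It assumes a hypothetical site layout (the IT and OT address ranges, the four constructed assets and their finding labels are all invented for the example), uses the seven-day discovery cadence the text mentions, and treats the vulnerability-enumeration window as a parameter, set here to 14 days. It flags assets that have fallen out of the discovery cadence, assets whose vulnerabilities have not been enumerated recently, assets with interfaces in both an IT and an OT zone (the "bridging" devices the recommendation singles out), and, among those, the ones with open findings that deserve patch priority.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed zone layout for this example (hypothetical, not from the report):
# one IT range and two OT ranges. A real site would load these from its
# network documentation or discovery tooling.
IT_ZONES = [ip_network("10.10.0.0/16")]
OT_ZONES = [ip_network("192.168.50.0/24"), ip_network("192.168.51.0/24")]

# Cadences: 7-day discovery as described in the text; the vulnerability
# enumeration window is a parameter of this example, set to 14 days.
DISCOVERY_MAX_AGE = timedelta(days=7)
VULN_ENUM_MAX_AGE = timedelta(days=14)


@dataclass
class Asset:
    name: str
    addresses: List[str]               # every interface address seen for the asset
    last_discovered: datetime
    last_vuln_scan: Optional[datetime]  # None means never enumerated
    open_findings: List[str] = field(default_factory=list)


def zones_for(addresses: List[str]) -> set:
    """Return the set of zone labels ("IT", "OT") that the asset's interfaces touch."""
    zones = set()
    for addr in addresses:
        ip = ip_address(addr)
        if any(ip in net for net in IT_ZONES):
            zones.add("IT")
        if any(ip in net for net in OT_ZONES):
            zones.add("OT")
    return zones


def review_inventory(assets: List[Asset], now: datetime) -> dict:
    """Apply the cadence and bridging checks; returns lists of asset names per category."""
    report = {"stale_discovery": [], "stale_vuln_enum": [], "bridging": [], "priority": []}
    for asset in assets:
        if now - asset.last_discovered > DISCOVERY_MAX_AGE:
            report["stale_discovery"].append(asset.name)
        if asset.last_vuln_scan is None or now - asset.last_vuln_scan > VULN_ENUM_MAX_AGE:
            report["stale_vuln_enum"].append(asset.name)
        if {"IT", "OT"} <= zones_for(asset.addresses):
            # Dual-homed device: the kind of IT/OT bridge the recommendation wants inventoried.
            report["bridging"].append(asset.name)
            if asset.open_findings:
                # A bridging device with open findings is the first thing to patch or isolate.
                report["priority"].append(asset.name)
    return report


# Constructed sample inventory (hypothetical devices and findings).
NOW = datetime(2023, 4, 3, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    Asset("hist-01", ["10.10.5.20", "192.168.50.10"],
          NOW - timedelta(days=1), NOW - timedelta(days=3), ["missing vendor patch"]),
    Asset("plc-07", ["192.168.51.7"],
          NOW - timedelta(days=9), None),
    Asset("eng-ws-02", ["10.10.7.40", "192.168.51.40"],
          NOW - timedelta(days=2), NOW - timedelta(days=20)),
    Asset("file-srv-03", ["10.10.9.3"],
          NOW - timedelta(days=1), NOW - timedelta(days=5), ["weak TLS configuration"]),
]


def sample_report() -> dict:
    return review_inventory(SAMPLE_ASSETS, NOW)


if __name__ == "__main__":
    for category, names in sample_report().items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```

Run as a script, the example reports the PLC as overdue for discovery and never vulnerability-enumerated, the engineering workstation as both a bridge and overdue for enumeration, and the historian as the one bridging device with an open finding, which is where patching effort goes first. In practice the asset list would come from a discovery tool rather than a literal in the file, and the zone tables would be generated from the site's network documentation.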
The second recommendation asks CISA to develop guidance on procurement language for OT products, and for the products and services that support converged environments. The aim is to enable risk-informed procurement decisions, help buyers understand how to better lock down legacy OT devices, and improve supply chain risk management. CISA would also work with the General Services Administration to require risk-informed cybersecurity capabilities in federal procurement processes.
The third recommendation directs CISA, the Office of the National Cyber Director, and the National Security Council to develop vendor-neutral information sharing vehicles, so that stakeholders across critical infrastructure sectors are informed of new, unclassified threat information in a timely way.
The remaining recommendations, the committee said, will require additional interagency collaboration to flesh out, and they are expected to center on topics such as the development of physical and virtual OT test beds, guidance on zero-trust architectures for OT, funding for OT cybersecurity projects across state, local, tribal, and territorial governments, analysis of OT cybersecurity workforce efforts, streamlining of OT cybersecurity regulations, and ensuring that international cybersecurity collaborations include OT.
Convergence means that every critical infrastructure operator must understand and manage additional risk in new ways. The NSTAC final report is a step forward in developing concrete measures to lessen potential disruptions to the safety and reliability of OT processes, which are vital to public safety and economic stability.