Cybersecurity and Infrastructure Security Agency (CISA) Deputy Director Nitin Natarajan is urging critical infrastructure sectors to “elevate the discussion” of the growing risks of legacy operational technology (OT) systems.
At GDIT Emerge in Washington, D.C. today, Natarajan explained that unlike legacy IT systems, legacy OT systems present a unique challenge because they cannot as easily be replaced with newer generations of technology.
OT encompasses a wide variety of hardware and software systems that monitor and control physical processes, devices, and infrastructure in industries such as manufacturing, energy, transportation, and utilities.
“You can’t just take it out. You can’t just say we’re going to stop for a while. That operational need is a very different space than in the IT space,” Natarajan said.
Because these systems can’t be easily replaced, Natarajan emphasized that the Federal government must address growing workforce gaps to ensure a deeper understanding and secure management of these critical OT systems.
“There hasn’t been a proper transition of knowledge regarding how these systems were originally designed and installed,” Natarajan said.
He explained that while some level of security mechanisms were in place in many areas, “there is a legacy issue now, where we’ve seen little investment over the years.” The lack of workforce transition has made it especially challenging for smaller organizations, though larger ones face similar issues, Natarajan said.
Another challenge legacy OT systems face in the evolving threat landscape is the shift in adversaries’ tactics, as they increasingly focus on targeting cyber-poor, yet high-value environments, “such as K-12 schools and hospitals in the heartland,” which present rich opportunities for exploitation, the CISA official said.
“We’re seeing attacks against small, rural [areas], against people. If you look back over centuries of conventional warfare, we never attacked hospitals. We never attacked the Red Cross tent … But now, we’re seeing hospitals being attacked in the United States,” Natarajan said.
So, how does CISA and the Federal government at large help those target victims – it’s about engaging and partnering, he said.
“We’ve really tried to make it easier for organizations to engage not just with CISA, but directly with the federal government. CISA is the answer to some solutions, the FBI to others. It’s important to approach these challenges with input from both the public and private sectors. As organizations engage with partners and tackle financial and operational challenges, we must ensure open dialogue, not just here in DC, but across the nation. Strengthening our relationships with global partners is critical to this effort,” Natarajan said.
