The National Security Telecommunications Advisory Committee (NSTAC) voted on August 23 to approve a report recommending that the Cybersecurity and Infrastructure Security Agency (CISA) issue an order requiring all Federal civilian agencies to catalog all of their operational technology (OT) devices and systems as one of many steps to improve OT cybersecurity in government and the private sector.
NSTAC – a group of private sector experts that advises the White House on telecommunications issues that affect national security and emergency preparedness – made those recommendations in a new report unveiled this week.
The report responds to the White House’s request in May 2021 that the committee study the subject of “enhancing internet resilience in 2021 and beyond.”
As part of that work, the committee was directed to study three cybersecurity issues foundational to U.S. national security and emergency preparedness – 1) software assurance in the commercial information and communications technology supply chain; 2) zero trust and trusted identity management; and 3) the convergence of information technology and operational technology. The committee’s work will eventually produce an overarching report covering all three areas.
The report concludes that the convergence of OT and IT systems is “poorly understood,” as are the related security implications of that convergence. “There needs to be a stronger understanding of the relationship between cybersecurity for converging OT systems and organizational mission and risk, especially as OT systems often operate an organization’s ‘crown jewels,’” the report says.
NSTAC found that the technology to implement “basic cybersecurity fundamentals” for OT systems already exists in the commercial market, but that the workforce necessary to take on the task of security improvements for critical infrastructure is in short supply.
“The biggest gap is that end users, including federal government owners and operators, have not prioritized resources to address the cybersecurity of these systems and networks at the appropriate levels,” the report says, adding that “government agency heads and business leaders face extremely difficult budgeting decisions” for cybersecurity in general.
The NSTAC report urges CISA to issue a binding operational directive (BOD) to all Federal civilian agencies to “maintain a real-time, continuous inventory of all OT devices, software, systems, and assets within their area of responsibility, including an understanding of any interconnectivity to other systems.”
That exercise should be updated annually in connection with agency budget processes, to prioritize cybersecurity budgets to better protect agencies’ “most consequential” OT assets, the report says.
“Once federal agencies clearly understand the vast and interconnected nature of their OT devices and infrastructure, they can then make risk-informed decisions about how to prioritize their cybersecurity budgets,” the report says. Once the inventory effort is in place, the White House should require periodic reports from CISA and other agencies “to ensure progress is being made,” the report says.
NSTAC said the proposed BOD from CISA should function in the same way that section 1505 of the Fiscal Year 2022 National Defense Authorization Act requires a similar inventory effort from the Defense Department (DoD).
The report also recommends that CISA develop procurement language to ensure that all Federal civilian government OT and related procurements include cybersecurity provisions, and work with the General Services Administration (GSA) to require those provisions in contracting vehicles.
That procurement language, the report says, should “incentivize the inclusion of risk-informed cybersecurity capabilities, including for supply chain risk management; this guidance should also help organizations understand best practices for bolt-on security for legacy OT devices that are difficult or expensive to replace.”
“There should also be a mechanism for both private sector consumers of the procurement guidance and public sector agencies, which must follow the new requirements, to provide feedback and lessons learned to aid the community,” the report says.
Threat Data Sharing
NSTAC further recommended that CISA, the White House National Security Council, and the National Cybersecurity Director take steps to share OT-related threat data.
Those agencies and offices, the report says, “should prioritize the development and implementation of interoperable, technology-neutral, vendor agnostic information sharing mechanisms to enable the real-time sharing of sensitive collective-defense information between authorized stakeholders involved with securing U.S. critical infrastructure.”
“This should include breaking down the artificial barriers for sharing controlled unclassified information, both within” the Federal government and between the government and cross-sector stakeholders, it says.
The NSTAC report features 12 other recommendations to improve OT security, including:
- Articulating Federal roles, responsibilities, authorities, and accountabilities;
- Streamlining stakeholder communications with Federal government cyber defenders;
- Cataloging and further developing physical and virtual OT security test beds;
- Extending existing Federal zero trust guidance into OT where applicable;
- Ensuring OT cybersecurity projects are funded in Infrastructure Investment and Jobs Act implementation;
- Expanding CISA services into OT specifically for state, local, and tribal critical infrastructure;
- Identifying opportunities to streamline OT cybersecurity regulation for regulated sectors;
- Designating a lead cross-sector OT cybersecurity partnership effort;
- Cataloging and assessing the efficacy of OT workforce development efforts; and
- Ensuring that international efforts in cybersecurity include OT.
In presenting its key findings, NSTAC offered a range of conclusions on the convergence of IT and OT security, including:
- The security issues are not new;
- The United States “has the technology and the knowledge to secure these systems but has not prioritized the resources required to implement solutions”;
- The outcomes of successful attacks on OT include the potential to harm human safety, damage physical equipment, and take industrial process OT equipment offline for extended periods;
- Prioritizing and applying best practices, recommendations, and standards more broadly, quickly, and comprehensively would strengthen security and “achieve strategic outcomes”;
- Many organizations don’t have visibility into their complete OT environments, including IT/OT interconnections and supply chain dependencies, and lack direction from the government on threat levels they need to protect against; and
- Some legacy OT equipment was not designed for internet connectivity and may not easily be replaced, “making it increasingly challenging to secure in converged environments.”