Critical Infrastructure Attacks Push Agencies to Secure OT

Federal agencies are sharpening their focus on securing operational technology (OT) and internet of things (IoT) devices as cyber threats grow more sophisticated.

The Environmental Protection Agency (EPA) released a joint advisory earlier this month warning organizations of urgent, ongoing cyber threats from Iranian-affiliated actors targeting OT and IoT devices. EPA CIO Carter Farmer said at GovCIO Media & Research’s CyberScape: The Federal Cybersecurity Summit Thursday that the evolving threat landscape is pushing agencies to strengthen their ability to prevent, mitigate and recover from cyberattacks.

“Prevention is probably the thing we do best in the federal government … and recovery is something we really need to put a lot of money and effort behind due to the changing landscape,” said Farmer.

Improving Visability

The Navy is shifting from a traditional risk management framework to a continuous cybersecurity model to bolster its security posture amid rising OT threats. Shery Thomas, enterprise IT officer at Navy Installation Command, said the Navy is deploying a cybersecurity enclave — an overarching architecture across IT, OT and IoT systems — to improve visibility and accelerate response.

“Navy installations and multiple other organizations have a responsibility to secure elevators, water, wastewater, gas, electric pipelines, telecommunications,” said Thomas. “And we are all assuming it’s all going to work, but I need to know what the heck is going on in all of these systems and networks. I don’t want the adversary to know what I don’t.”

Farmer said the EPA is also prioritizing asset management to ensure consistent security across all connected devices, noting that visibility remains a persistent challenge across government.

“You have all kinds of pieces of the government that are moving in different directions at the same time, so you can’t really secure what you don’t know about. You can’t protect it,” said Farmer. “That makes it very difficult to understand the actual attack surface — what it really is, what’s connected to what and how we secure them.

Guiding Principles

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) is working to make those prevention efforts more accessible, particularly for critical infrastructure operators in operational environments.

NCCoE Director Cherilyn Pascoe said the center is focused on demonstrating how agencies can integrate cybersecurity into OT environments without disrupting operations.

“Visibility is very difficult. You’re dealing with legacy systems, distributed environments. Our hope is to demonstrate how to leverage existing standards and frameworks, to be able to enhance accessibility,” said Pascoe.

Pascoe said NCCoE plans to launch a consortium with industry and other agencies to translate standards into practice and advance operational cybersecurity efforts. She added these collective efforts help establish a standard language for everyone to understand what is or isn’t working to secure critical infrastructure.

“We’re only able to address these things by working together … and as you guys start to identify challenges, it’s always helpful to bring those back to us so we can improve standards, our and continue to advance our cyber security journeys,” said Pascoe.