The White House effort to secure industrial control systems from cyberattack requires nothing of the private sector.
About 90 participants in a White House pilot to improve the resilience of systems that control physical processes at electric utilities and other industrial control systems are now outfitted with sensors feeding information on potential cybersecurity threats to the government, according to a core contractor facilitating the initiative.
Administration officials have cited a patchwork of regulatory authority in establishing a program last April that funds and is completely voluntary for private-sector owners and operators controlling the vast majority of U.S. critical infrastructure.
In a recent announcement expanding the effort from the electricity sector to the water sector, senior administration officials told reporters more than 150 electric utilities and “multiple critical natural gas pipelines have deployed, or are in the process of deploying, additional cybersecurity technologies” due to the initiative.
Among those cybersecurity technologies, the sensors are particularly important for gaining visibility into an environment that is dominated by legacy “operational technology” that is increasingly connected to the internet for greater efficiency—and with the pandemic—to allow remote functionality. They allow information to be anonymously shared and analyzed through a central portal, potentially nullifying a tired debate in cybersecurity policy while improving on the quality of the information collected, according to participating government officials and the head of the contracting firm that won a Department of Energy grant to research and develop the technology.
During a webinar, industrial controls systems specialist Dragos hosted Monday with officials from DOE, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and a representative from the private sector, CEO Rob Lee shared some details on the terms of the initiative.
“It's all a voluntary effort, we're not telling you to pick and choose anything specific … we're just saying 'hey, you should do something in OT.’ It should understand ICS protocols, you should have some visibility into your environments, you have the ability to detect threats, you should be able to share information with the government. Pick whatever you want, you can do nothing. But we'd like it if you were able to do something and tell us about it. And for some of you, you're already doing things. Tell us about that. So we can relate to our federal partners what's going on and give them opportunities to coordinate and work with us.”
There are more than 3,000 electric utilities across the country. But officials said the department wanted to start with those most critical based on the population sizes they serve. Lee said about 155 companies agreed to do something. He added that of the 90 or so that had sensors installed, about 70 of them had done so through Dragos’ Neighborhood Keeper offering.
He said the technology enables the sharing of actionable information while hiding elements like IP addresses that can sometimes be problematic to share. Mark Bristow, CISA’s branch chief for defense cyber coordination and Morgan Adamski, chief of the NSA’s Cybersecurity Collaboration Center, both touted new abilities to share useful information in real-time through the initiative.
Kate Marks, deputy assistant secretary for DOE’s Cybersecurity, Energy Security, and Emergency Response office said the department is focused now on communicating with state public utility commissions as they will be approving requests for participation in the program and for grants flowing from the bipartisan infrastructure package enacted in November.