Advisory Board Sends Critical Infrastructure Cyber Recommendations to the White House

Members on the National Security Telecommunications Advisory Committee voted on Tuesday to send a new information technology impact report to President Joe Biden and reiterated its mission commitments to security compliance and fortified critical infrastructure.

The report, which focuses on the security risks involved in the convergence of operational technology and information technology across digital systems, was ultimately approved unanimously to head to the executive branch.

“As information and communications technologies become ever more critical to our daily lives, how we set security requirements, through compliance with those requirements, and communicate that proof to users and regulators, is of great concern,” NSTAC Vice Chair Scott Charney said during a press call on Tuesday.

ITOT systems are becoming more commonplace as connection to the internet expands. Formerly independent operations, such as water treatment processes and electrical grid operations, are now able to connect with IT devices like routers and servers. This increased connectivity facilitates daily business for some industries, but creates more room for disruptive cyberattacks throughout an organization.

Jack Huffard, NSTAC member and chair of the Information Technology and Operational Technology subcommittee within the advisory group, spearheaded the study that focused on ITOT convergence networks and their potential system vulnerabilities, as well as mitigation advice. 

Huffard said the report looked to stakeholders in the private and public sectors, including cybersecurity and cloud vendors, as well as federal policymakers to gauge the threat landscape within ITOT interoperable systems.

Ultimately, the report found that many organizations in critical industries lack sufficient visibility into their OT environments as well as in their supply chain networks. 

“The convergence of IT and OT systems is not a new issue,” Huffard said. “It has been happening for decades. The convergence of IT and OT has created clear and present cyber exposure challenges [that] require attention. We have the technology and knowledge to secure these systems. But we have not prioritized the resources required to implement appropriate solutions.”

The group included in the report 15 recommendations to help fortify ITOT digital networks. Three of these recommendations, however, were singled out by Huffard as being critically important. One recommends having the Cybersecurity and Infrastructure Security Agency issue a directive requiring executive civilian branch agencies to take inventory and interconnectivity of their internet of things, or IOT, devices to improve IT and cybersecurity needs. 

The final two recommendations mandate CISA to update guidance in procurement language to require risk-informed cybersecurity capabilities for products contracted to support ITOT converged environments, and ask that CISA further work with the National Security Council and the Office of the National Cybersecurity Director to develop information and data sharing mechanisms that facilitate the protection of the country’s critical infrastructure from ransomware hackers. 

“These three recommendations, coupled with the other important recommendations in the report, can greatly improve our nation's critical infrastructure cybersecurity posture,” Huffard said. 

Improving U.S. networks’ cybersecurity is a pillar in the Biden administration’s broader plan to improve infrastructure. His executive order on the matter spurred federal agencies into investigating gaps in digital security in order to improve the nation’s digital security.

The NSTAC, which was formed in 1982, has most recently issued other overview reports on 5G broadband network security and focuses on advocating on federal technological investment through a information and communications technology lens.  

Prior to the most recent report on ITOT security, the NSTAC published other cybersecurity reviews for zero trust architecture and supply chain software as part of its multi-phase investigations within the overarching “Enhancing Internet Resilience in 2021 and Beyond” initiative at NSTAC.