The critical infrastructure experts upheld common cybersecurity standards as a key to resilient networks and private sector collaboration.
Leadership across three agencies at the forefront of defending the U.S.’s critical infrastructure from cyber attacks unanimously voiced support for more robust and uniform standards in cybersecurity strategy as assaults on digital networks continue to surge.
Testifying before the House Energy and Commerce subcommittee on Tuesday, federal experts discussed the current landscape of cyberattacks on critical infrastructure and ongoing efforts to keep malicious actors at bay.
Puesh Kumar, director of the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, said that collaborating with other public agencies and the private sector to establish uniformity in cybersecurity thresholds has been a critical step in bringing to life recent White House recommendations.
“We have to take a multifaceted approach to this because the threat is too great,” Kumar said. “Not only do we need to think of policies on a national level, but also standards. And so, ‘what are some of those policies we need to be implementing to stay ahead of the threat?’”
He added that Energy’s focus has been to require cybersecurity baselines in operational technologies, namely within the nation’s electrical grid, and the agency is coordinating with standards organizations and manufacturers to implement such baselines.
Brian Mazanec, the deputy director at HHS’s Office of Preparedness, said that industry partners are interested in developing minimum mandatory standards.
“Some of the resources we put out that provide guidance—voluntary standards, if you will—that they could adopt, but the National Cyber Strategy provides a framework for us to continue to explore, in a very thoughtful and evidence-based way, how to develop minimum mandatory standards for the sector and if [they are] appropriate,” he said.
Mazanec acknowledged that developing sweeping mandatory standards is “complicated and challenging” for the diverse health care sector, but industry partners have expressed positive feedback on the consistent approach potential standards offer.
David Travers, the director of the Water Infrastructure and Cyber Resilience Division within the Environmental Protection Agency, said the development of the National Cyber Strategy underscored how standards can help prevent duplicative efforts between agencies so that they “don't all go off in separate directions” when developing cybersecurity approaches and requirements.
He further explained that, in the U.S. water sector, many systems have not adopted cybersecurity best practices recommended by public and private organizations. To remedy this, Travers said the EPA leveraged a “distilled version” of standards authored by the National Institute of Standards and Technology to make them more accessible for a bevy of different water infrastructure organizations.
“We have also actually conducted assessments at utilities themselves, leveraging those standards,” Travers said. “And I will say on a final note that we have leveraged CISA’s cross-sector performance goals in developing our basic checklist of cybersecurity practices, again, to ensure consistency across the federal government.”