ICS Security Requires Private-Public Sector Synergy
U.S. government officials are calling for better collaboration with private-sector companies when it comes to stomping out the core security issues that afflict critical infrastructure, which run the gambit from poor visibility into networks to a dearth of resources.
Rep. James Langevin (D-R.I.), chairman for the House Armed Services Subcommittee on Intelligence and Emerging Threats and Capabilities, which handles issues related to cybersecurity, said that tightened partnerships between the public and private sector will help the government understand the inherent security challenges that beset critical infrastructure companies and put real-time threat intelligence into better context.
“At the top of the agenda is creating a joint collaborative environment between the government and the private critical infrastructure sector, so that the left hand knows what the right hand is doing,” he said on Tuesday at Hack the Capitol 4.0, which brings together policymakers and technology experts to discuss underlying critical infrastructure security challenges.
The security of industrial control systems (ICS), utilized to operate or automate critical infrastructure, has long caused concerns – however, these worries have come to a head on the heels of several incidents, including an attacker accessing a Florida town’s water treatment system and attempting to raise the level of sodium hydroxide in the water to a dangerously high level; as well as several ransomware groups targeting industrial companies, including an attack last year on a U.S.-based natural gas facility that shut down operations for two days.
While ICS environments long existed in an isolated state, they are becoming increasingly connected to the network, opening an array of potential security holes – including exposure on the internet, weak network segregation and a lack of basic security controls like authentication. At the same time, the level of sophistication necessary for targeting ICS networks is decreasing. It’s not only nation state-level actors targeting critical infrastructure anymore, as seen when a 22-year-old man allegedly attempted to access a Kansas public water system’s computers in order to tamper with its disinfectant levels in 2019.
“The track record is clear – there will still be rogue actors and nation states in the mix,” said Chris Inglis, the former deputy director of the National Security Agency (NSA), who has been nominated by the Biden administration to serve as the first National Cyber Director. “We don’t operate in a vacuum in this. Cybercriminals will come at us – we don’t have the luxury of asking them to freeze in place.”