WASHINGTON, D.C.— Today, House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY) delivered the following opening statement in a hearing to address threats to operational technology (OT) across sectors, including the water sector, and to discuss the Cybersecurity and Infrastructure Security Agency’s (CISA) role in securing OT.

Watch Chairman Garbarino’s opening statement in a hearing entitled “Securing Operational Technology: A Deep Dive into the Water Sector.”

As prepared for delivery:

Thank you to our witnesses for being here today to discuss the importance of securing operational technology, or OT. OT systems are responsible for controlling the reliable delivery of lifeline functions across the United States, including clean water and electricity. It is a national imperative to secure the foundational technology and infrastructure that underpins our Nation’s most critical functions.

During my tenure on this Committee, we have made great strides to focus CISA’s efforts on securing OT. But given recent incidents we must revisit this topic to consider how Congress may further refine and strengthen CISA’s support to critical infrastructure owners and operators.

In late 2023, we saw the latest nefarious cyber activity against OT devices in multiple sectors, including water and wastewater systems, by Iranian-affiliated cyber actors. This malicious activity against Israeli programmable logic controllers, or PLCs, is unacceptable. I was glad to see the Treasury Department announce sanctions for six Iranian government officials late last week—this is the first step to holding these bad actors fully accountable.

Unfortunately, this exploitation was not isolated to one sector, underscoring the risks associated with critical infrastructure interdependencies. Owners and operators across all sectors must raise the level of security for OT systems. Important first steps include following CISA’s guidance to change default passwords and disconnect OT systems from the internet.

But in my conversations with owners and operators across sectors I learned that sometimes basic cyber hygiene principles for information technology, or IT, systems may not translate to OT systems. Many OT systems rely on legacy equipment that owners and operators may not have the capacity to secure in the same way as traditional IT.

Given this, CISA must update traditional IT guidance to reflect the realities of OT systems. I look forward to hearing from our private sector experts today on how this translation could be most impactful.

As the Sector Risk Management Agency, or SRMA, for eight of the 16 critical infrastructure sectors, CISA should lead by example and prioritize OT personnel and resources internally. I look forward to working with the six other Committees of jurisdiction to ensure the remaining SRMAs also prioritize OT personnel and resources.

As we discuss roles and responsibilities today, I would like to highlight CISA’s success as a partner with industry rather than a regulator. I hope my colleagues will join me in continuing to empower CISA as a SRMA and also as the national coordinator for critical infrastructure security and resilience.

I look forward to our witnesses’ testimony and to developing productive solutions to strengthening our nation’s baseline security for the OT that underpins all aspects of American life. 

###