“The World’s First Digital Weapon”: Homeland Republicans Examine the Evolution of Cyber Threats to Critical Infrastructure Since Stuxnet
July 24, 2025
WASHINGTON, D.C. — This week, House Committee on Homeland Security Chairman Andrew Garbarino (R-NY) held a Subcommittee on Cybersecurity and Infrastructure Protection hearing to examine the evolution of threats to critical infrastructure following the discovery of Stuxnet 15 years ago.
Witnesses highlighted the importance of reauthorizing the Cybersecurity Information Sharing Act (CISA) of 2015 and the State and Local Cybersecurity Grant Program (SLCGP); the need to defend operational technology (OT) found in critical infrastructure; the significance of private-public sector partnerships and unified federal guidance on cyber defense strategies; and the need to refocus the Cybersecurity and Infrastructure Security Agency (CISA) to its core mission of federal civilian network defense and protecting our nation’s critical infrastructure.
Witness testimony was provided by Tatyana Bolton, executive director of Operational Technology Cyber Coalition (OTCC); Kim Zetter, author of “Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon” and adjunct professor at Georgetown University; Robert M. Lee, CEO and co-founder of Dragos; and Dr. Nate Gleason, program leader at Lawrence Livermore National Laboratory.
In her opening statement, Zetter explained how Stuxnet changed the cyber landscape:
“It was 15 years ago that Stuxnet was discovered on systems in Iran, but despite the passage of time, its impact is still felt today. Stuxnet was a digital weapon designed to sabotage Iran’s nuclear program by targeting industrial control systems at its uranium enrichment plant at Natanz… Stuxnet was a first of its kind attack, the first known case of malicious code designed to leap from the digital world to the physical realm to cause disruption and destruction, not of the computers it infected, but of equipment and processes these computers controlled, in this case the centrifuges at Natanz. The same techniques Stuxnet used can be used against critical infrastructure in the U.S. to disrupt services the public government and military rely on or to damage equipment that can also cause death––either directly by causing passenger trains to collide or indirectly by preventing patients from being treated at hospitals because the electricity is out.”
In his opening statement, Lee outlined how to combat cyber threats like Stuxnet:
“Increasingly, homogenous machinery and technical systems have increased the OT attack surface and raised the potential consequences of a large-scale attack. But defense is doable. One example, Littleton Electric in Massachusetts used a federal grant to install our technology on the network after FBI intel indicated to them that they were being targeted by Volt Typhoon. We detected, isolated, and mitigated the attack with their partnership. They were able to do this because they had visibility in OT networks partnership… First we must stop treating OT like IT. These systems have different risks and require different defense strategies… Second, make public-private partnerships count… Third, we must streamline federal guidance. Right now, too many agencies are sending too many messages, many of which are overlapping and often contradictory to our industry.”
Chairman Garbarino asked about CISA’s role in cybersecurity:
“How would you assess CISA’s effectiveness as a partner when it comes to cybersecurity?”
Zetter answered:
“CISA, in the past, had––I would say in the last decade really––a lot of expertise that they were able to give to critical infrastructure, either to go out to the field and do critical assessments of the networks, give them risk assessments about what they need is to do, and then also, they had flyaway teams that when a system was compromised, that they would be able to go out and assist directly in doing some kind of remediation. So, I think that the impact of CISA has been really great, but of course they’re limited in their resources and who they can operate, who they can give assistance to.”
Lee answered:
“About 95 percent of all cyber spending goes to enterprise IT, about five percent to OT. That is where your national security is, your environments, your local communities, and all of your ability to generate revenue. You look at sort of the visibility in this country. You actually want to monitor your OT infrastructure to figure out––is China already there? I would say probably about ten percent of the infrastructure around the country is being monitored. So, when we’re having big discussions about what comes next, I would just highlight that we’re not even really being serious about what we know today.”
Bolton answered:
“I think CISA can certainly grow in its effectiveness, and I think we will see that under Sean Plankey. I think things like automated information sharing, the Einstein program, CyberSentry—I think there’s a number of places there where we can modernize some of that legacy infrastructure. They’re operating not necessarily with the most updated sensors, and I understand that it is expensive to upgrade the systems. But if we want CISA to be acting as the frontline defense for cybersecurity and as an expert, they need to have up-to-date systems.”
Dr. Gleason answered:
“I would say some of our best and most effective work with CISA has been when they’ve worked in partnership with some of the other federal departments with stake in this space, in particular with the Department of Energy––looking at threats to the energy sector––and the Department of Defense, looking at defense critical infrastructure. Just to echo on some earlier comments, I think CISA also works best when they do work that is appropriate to the government to do and not trying to do what the private sector is already taking care of. The government has specific advantages in our access to the intelligence community and the ability to do things that the private sector is not or shouldn’t be doing.”
Rep. Morgan Luttrell (R-TX) asked about cyber hygiene best practices as threats rapidly evolve, to which Bolton answered:
“Most sectors have not done an OT asset inventory, so they don’t even know what they have…I’ll give you an example: There was an incident response team that went out to a pipeline. This was several years ago. They asked them how many open ports they have. They said, well, just these that you see in this room here, and that was all their IT systems. By doing investigations through the internet billing that that pipeline had, they found they had over 10,000 open, unprotected ports. And so, you need to be able to, at least on some kind of spreadsheet, be able to tell what you have in order to be able to start fixing it. And that includes things like putting in multi-factor authentication where it’s possible, doing supply chain security, [and] as you said, building defense in depth and building resilience.”
Lee answered:
“We very much know what to do… We have the technologies that exist, we have the people trained, but there is a lot of overlapping guidance––and it’s paralyzing the private sector.”
Subcommittee on Transportation and Maritime Security Chairman Gimenez (R-FL) asked about offensive strategies that can be used in cyberspace:
“Part of the Department of Defense is the Department of Offense. ‘We’re here to defend the homeland, and we’re going to play defense.’ Well, you’re inviting attacks because there’s no counter punch. What’s our offensive capability?”
Lee answered:
“We have to be very serious on defense because we will see things back. Even if one agency in the government authorizes something at us and we are doing something that we view to be retaliatory, other agencies in that same government may not be aware of it unless we’re able to call it. And then all of a sudden, you have a very escalatory situation… When our adversaries make it very clear that they want to hurt us and hurt our families, I think we have to be very serious about showing them that we can do the same.”
Chairman Gimenez then highlighted the threats we face from the Chinese Communist Party (CCP) in cyberspace:
“We cannot decouple fast enough from China. Things that may be innocuous, cameras… There’s nothing innocuous about them. They are malicious. They are relentless in their attacks on us… Then they report back to China, and they can also integrate themselves into the IT system that becomes an OT problem maybe. We had issues where I used to be the mayor of Miami-Dade County, with cameras at our port system that was reporting back to China––we don’t know what it was reporting.”

Rep. Andy Ogles (R-TN) asked whether small and mid-sized utilities are prepared to defend against cyberattacks:
“We need to prepare this country for that next battle, and it’s going to be on our computers––it’s going to be across our networks. I would argue it’s going to be in our local and rural communities, that they’re going to get hit first, because then they can swiss cheese our electrical grids and our water systems, and our water treatment plants, etc. That’s what keeps me up at night.”
Zetter answered:
“I think you’re absolutely right in terms of the small utilities and cooperatives like that. They don’t have the money, they don’t have the resources, they don’t have the expertise on staff. They don’t even hire security people. But I want to also say that we sort of anticipate that the large organizations would be more secure. If you look at what happened to Colonial Pipeline in 2021, we see that this was really a major organization, critical infrastructure, supplying a lot of gasoline to the East Coast. And yet, Colonial Pipeline, at the time it was attacked, did not have a CISO on staff. They also had a legacy system that the attackers got in with a VPN account they were no longer using but hadn’t bothered to disable [it]. And that came in through a password that potentially was leaked on the internet.”
“One other point about that was the attackers, we think, only got into the IT network––[they] didn’t actually make it to the OT network. But Colonial Pipeline shut down the pipeline because they feared that the attackers would get into the OT network and encrypt and lock it. But when the CEO of Colonial Pipeline testified to Congress, he testified that they had very secure, highly segmented OT and IT networks. But if they were that confident that the networks were segmented, then they wouldn’t have had to shut down the pipeline as a precaution. So, I just want to say that yes, those smaller entities are a big issue and a prime concern, but also the larger entities are having the same problem and not keeping up.”
###