Industry cybersecurity leaders detailed extensive efforts and challenges amid potential Russian threats to U.S. critical infrastructure at a House Homeland Security hearing today, with water and financial sector officials and security company executives updating lawmakers on their work.
The hearing, “Mobilizing Our Cyber Defenses: Securing Critical Infrastructure Against Russian Cyber Threats,” featured Adam Meyers of CrowdStrike, Steve Silberstein of the Financial Services Information Sharing and Analysis Center, Kevin Morley of the American Water Works Association, and Amit Yoran of Tenable.
Silberstein pointed to the financial sector’s collaboration within the industry and with government, particularly over the past hundred days, and noted in prepared testimony, “It might surprise the Committee to learn that a highly competitive industry like financial services can be very collaborative when it comes to cybersecurity. Our thousands of member financial institutions report cyber activity daily on FS-ISAC’s secure platform. In turn, our global intelligence team reviews, processes, and analyzes the intelligence and provides members with alerts, updates, and briefings.”
Meyers, senior vice president for intelligence at CrowdStrike, detailed cyber activity related to the Ukraine conflict, including nation-state actions, the impact of the war on “eCrime,” and hacktivism. He also flagged CISA’s Joint Cyber Defense Collaborative as an effective tool for collaboration and information sharing.
“The establishment of JCDC in particular, where CrowdStrike participates as a plankholder organization, has helped strengthen cybersecurity and IT industry and government collaboration and information sharing,” Meyers said. “Parallel efforts by nongovernmental organizations as well as other agencies with different authorities and mandates also help the community. Many of these have formed organically over the years, and in my assessment, contribute to a healthy ecosystem.”
Tenable CEO Amit Yoran testified that “certain critical infrastructure sectors better understand strategic risk assessments and cyber risk management as a discipline. Generally speaking, the cybersecurity practices in these markets and industries have been more highly regulated than others.”
Yoran discussed issues in different industries and cited the financial sector’s “strong cyber risk management processes and practices.” He said the electricity sector “has improved cyber resiliency” in part due to regulation.
He said, “There are also vast disparities in the amount of funding available to critical infrastructure providers. Many systems run by municipalities, such as water and wastewater, do not have the same funding or cybersecurity expertise to combat the evolving threats.”
Yoran pointed to “insightful guidance” on best practices from CISA but called for establishing “baseline cybersecurity standards of care for critical infrastructure that align with international standards and the National Institutes of Standards and Technology Cybersecurity Framework, based on effective cyber hygiene practices.”
Water sector highlights progress
Kevin Morley, federal relations manager for the American Water Works Association, testified that “AWWA strongly values collaboration and information sharing with our federal partners to address the dynamic nature of the cyber threats facing our critical infrastructure systems. Recent federal recommendations on how to mitigate Russian cyber threats have been invaluable.”
He said, “The current situation illustrates both the necessity and strength of continuous two-way engagement to jointly manage the cyber threats facing critical infrastructure systems, including drinking water and wastewater systems,” and cited three key areas for collaboration: “Actionable Threat Intelligence; Vulnerability Mitigation and Technical Assistance; [and] Partnership and a Path Forward.”
Morley said, “The new Shields Up campaign deployed by CISA has been very well received and represents a welcome reorganization of the information 3 disseminated to assist and guide critical infrastructure sectors. … Shields Up has provided a unified platform to share this information in a format that allows sector organizations, such as AWWA, to effectively amplify the recommendations developed by CISA and our federal partners for cybersecurity risk management.”
But Morley added, “In many cases, advisories and alerts are quite technical, and they may be difficult to implement by entities without in-house cyber security experts. It should be recognized that many systems are divisions of municipal government and certain systems are not directly managed by the water utility. Integrating sector subject matter experts into the review and development of threat alerts and advisories will help ensure that the information transmitted to the sector is concise, actionable, and properly contextualized.”
Morley pointed to a major water-sector proposal for improving cybersecurity, saying, “AWWA recognizes the cybersecurity challenge and is committed to establishing a new paradigm for cybersecurity governance in the water sector. We believe a new approach is necessary, one that recognizes the technical and financial challenges facing the sector and sets minimum cybersecurity standards for all types of water systems.”
He said, “A tiered risk- and performancebased requirements model similar to the approach used in the electric sector under the auspices of North American Electric Reliability Corporation (NERC) would underpin this approach in the water sector. An entity similar to NERC would be created in the water sector to lead the development of the requirements using subject matter experts from the field. It would also perform periodic third-party conformity assessments. Federal oversight and approval of requirements would be provided by the EPA, given existing statutory authority for water and wastewater utility operations.” – Charlie Mitchell (firstname.lastname@example.org)