Transportation and Infrastructure committee weighs in on cyberattacks in evolving threat landscape

The House Committee on Transportation and Infrastructure held its first hearing on Thursday, at which members heard industry perspectives on the gaps in the nation’s ability to prevent, prepare for, respond to, and recover from cyberattacks against critical infrastructure and transportation networks.

Peter DeFazio, a Democrat from Oregon and chair of the House Committee on Transportation and Infrastructure, said in his statement that “when it comes to the nation’s critical infrastructure and transportation networks—pipelines that fuel our economy, water and wastewater treatment plants, shipping, aviation, railroads, and highways that play critical roles in bringing vital supplies to all Americans—getting everything right, every time, must be the goal.”

He pointed out that an estimated 85 percent of the nation’s critical infrastructure is in private hands, owned and operated by private entities.

“Too often leaders whose organizations are at risk from cyberattacks weigh the risks of an attack against the cost of increasing cybersecurity protections, and they decide to roll the dice, betting they won’t get attacked,” DeFazio said. The good news is that even basic steps like mandating strong passwords and multi-factor authentication, cybersecurity awareness training, and regularly practicing simple cybersecurity exercises can significantly harden cyber defenses and dramatically diminish the chances that a company, utility, or federal agency will fall victim to a successful attack, he added.

Unfortunately, recent surveys have shown that too many public and private entities don’t take these simple steps, according to DeFazio.

“In a recent survey of the transit sector, nearly 39% of those surveyed had no staff dedicated to cybersecurity, and more than 24% provide no cybersecurity training to their staff at all. The water sector is even worse,” according to DeFazio. “In a survey published in June of this year, 42% of the water and wastewater utilities surveyed said they conduct no cybersecurity training for their staff, and more than 68% of them said they do not participate in any cybersecurity-related drills or exercises.”

Acknowledging that the administration of U.S. President Joe Biden has finally begun to change things, DeFazio said, “So, we have an administration that is moving in the right direction. But we need to do more. No single technology, policy, or other action will completely eliminate all cyber threats. But each step can help close the gaps and make success for the cybercriminals and cyberterrorists harder.”

Megan Samford, advisory board chair of the ISA Global Cybersecurity Alliance (ISAGCA), represented over 50 public- and private-sector automation and cybersecurity member organizations that span the 16 critical infrastructure sectors and contribute to over US$1.5 trillion in aggregate revenue.

Samford focused her testimony on ‘Incident Command System for Industrial Control Systems’ (ICS4ICS), whose goal is to identify how the private sector can adopt portions of the National Incident Management System (NIMS) Incident Command System (ICS) to ensure coordinated, uniform and more effective cyber-incident response. “Implementing ICS4ICS at scale will help the United States more effectively coordinate cyber incident response and recovery efforts within the private sector, especially for critical infrastructures,” she said in her testimony.

Together with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the ISAGCA and its member organizations, such as Schneider Electric, Rockwell Automation, Johnson Controls International, Honeywell, Ford Motor Company, Pfizer, Exelon, Mandiant, Dragos, Claroty, Nozomi, and Idaho National Labs, have established a public-private partnership to deliver the ICS4ICS cyber-incident response framework.

“In a little over a year from its creation, the program has proven that it is possible to apply the NIMS Incident Command System framework to cyberincident responses in the private sector, credential and type cyber-incident response roles into a common response structure (similar to fire and emergency services), as well as create draft common response templates to speed up responses and reduce error,” according to Samford.

“This is all being done on volunteer time because the membership of this understands how badly the lack of scalability in cyber-incident response is hurting industries both in the United States, as well as globally,” she added.

Last month, U.S. agencies released a joint Cybersecurity Advisory (CSA) that details ongoing cyber threats to the U.S. Water and Wastewater Systems (WWS) sector. These threats come from both known and unknown hackers targeting the IT and operational technology (OT) networks, systems, and devices of U.S. WWS sector facilities. The agencies reported that the WWS sector has faced various cyber intrusions from 2019 to early 2021, with the most recent one in August, where malicious cyber attackers used Ghost variant ransomware against a California-based WWS facility.

John P. Sullivan, who currently serves as the chair of the Water Information Sharing and Analysis Center (WaterISAC), also testified at Thursday’s hearing. He brought attention to the different types of cyber-attacks that could target water and wastewater systems. The first is attacks against utilities’ information technology systems, also known as business or enterprise systems. These include email systems, websites, and billing databases, according to Sullivan.

In recent years water and wastewater systems have reported a variety of such attacks, which include ransomware incidents, email compromise scams, and social engineering and phishing attempts. And while these attacks, if successful, can disrupt day-to-day business and compromise sensitive data, they, alone, would not have any impact on the treatment or management of drinking water or wastewater, he added.

A more concerning type of cyber-attack would target a utility’s industrial control system. Industrial control systems operate treatment processes, valves, pumps, and other utility infrastructure, Sullivan added.

Sullivan commended the work done by the water and wastewater sector to spread awareness of sound cyber practices, “but additional resources and assistance from the federal government would go a long way toward ensuring the greatest number of water and wastewater utilities are as prepared as they can be. We stand ready to work with you to make this a reality,” he added.

The United States is very much a maritime nation where our food security, energy security, economic security, homeland security, and national security are dependent upon the seas, Gary C. Kessler, a non-resident senior fellow at the Atlantic Council, said in his testimony on Thursday.

“The maritime transportation sector is broad, diverse, and global so that, while international cooperation is essential, central management is impossible. Cyber vulnerabilities are as plentiful in the maritime sector as in the non-maritime world and provide unique threats to the industry,” according to Kessler. “Both the commercial maritime industry and our military maritime interests demand our proactive response to this ongoing threat,” he added.
