It takes a team to secure operational technology
State and local governments must look for federal and private-sector partners.
Operational technology has become a prime target for cyberattack. The hardware and software responsible for controlling automation and equipment in everything from manufacturing plants to soybean farms present an opportunity for attackers to disrupt not only a person or a company but also the resources and services that whole communities rely on.
Protecting government OT must be a priority, especially when it comes to systems being run and monitored by state and local agencies or by quasi-governmental organizations that manage critical infrastructure like power generation or water treatment plants. OT attacks on these essential services pose a national security risk because they threaten to cut off vital resources.
Many public utilities are managed by private companies but have their revenue (rate structures) set by state or local government commissions, so the public and private sector both have a role to play in securing these operations. For many local jurisdictions, managing or helping manage risk in these critical operational environments can be a daunting task.
The past year has seen an increasing number of attacks on water treatment facilities in the U.S. that had the potential to directly affect public safety. Many public utilities are chronically under-resourced and short of cybersecurity staff, raising concerns that they are unable to keep up with cyber adversaries ranging from nation-states to profit-motivated criminals. This fear of being outplayed was highlighted in early September when ransomware shut down the Los Angeles Unified School District computer systems. If the nation’s second-largest school system can be a target, many smaller and less cyber-capable government organizations are left wondering what chance they have of fending off a cyberattack.
Recently the Biden administration announced a plan to help local governments strengthen their cyber resilience that includes $1 billion in funding over the next four years. While it could be a huge boon for local public-sector cyber teams, this money comes with challenging stipulations meant to guide state and local governments on their journey.
While $1 billion is a significant sum, it is a down payment or priming of the pump on the investment in cybersecurity that will be needed across the $1.2 trillion of state and local government-driven infrastructure enhancement funded by the IIJA. The grants will fund the establishment of critical governance frameworks across states and territories that are meant to:
- address cyber threats and vulnerabilities.
- identify key vulnerabilities and evaluate needed capabilities.
- implement measures to mitigate the threats.
- develop a 21st-century cyber workforce across local communities.
Following many of those guidelines will require unprecedented efforts on the part of already resource-strained IT and cyber teams. But by collaborating with public and private sector partners, state and local governments and critical infrastructure operators can combine forces to protect the OT that keeps vital systems running.
The Cybersecurity and Infrastructure Security Agency has already said it will support these efforts with a suite of resources, including state cybersecurity coordinators and cybersecurity advisors available to teams across the country. Department of Homeland Security Secretary Alejandro Mayorkas said that this kind of collaboration is vital, not just for state and local governments, but for all stakeholders, public and private. “Our approach is one of partnership, in the service of an all-of-society investment in the security of our homeland,” Mayorkas said in the Sept. 16 statement announcing the grants.
The inclusive approach makes sense because everyone brings something unique to the table. The private sector can innovate at a speed government partners cannot. It plays an essential role in keeping up technologically with attackers. Federal agencies like DHS and the Defense Department are great coordinators, using their understanding of complex missions and access to intelligence to create a clearer vision of the attack landscape. Both of those partners can shepherd state and local governments through the process of developing cyber strategies because they’ve done it before successfully. There is no need to reinvent the wheel when you can team up with someone who already has the mission and a track record in developing and implementing broad strategies.
State and local governments play a key part as well. While they might not have the breadth of perspective of their federal or industrial partners, or use the same progressive technology, they understand their local systems and how attackers could affect them better than anyone else.
This is not a problem anyone could or should be handling alone. It takes a diverse cast of players to keep our nation’s systems safe, whether that means federal networks holding government secrets or local networks controlling traffic signals.
Jim Richberg is the public sector field chief information security officer and vice president of Information Security at Fortinet.