Threat actors are increasingly targeting the operational technology (OT) vital to maintaining the nation’s critical infrastructure, according to government officials and other experts.
Two experts from General Dynamics Information Technology (GDIT) confirmed in a recent interview that the threat is serious – and requires a coordinated response from Federal agencies working with private sector partners. They pointed in particular to recent government alerts about Volt Typhoon, a Chinese state-sponsored hacker group targeting U.S. critical infrastructure.
Volt Typhoon represents “a large interest by adversaries in not just knowing where our OT is, but also in taking a living-off-the-land approach to encamping themselves on those networks,” said Matt Hayden, GDIT vice president for cyber and emerging threats for intelligence and homeland security. “This is a national-grade challenge that we’re taking on now with the intelligence community, as well as law enforcement supporting the cyber community, to prevent adversaries from controlling critical services.”
The GDIT experts also voiced optimism that growing use of emerging technologies, such as artificial intelligence (AI), are helping to counter the threats by improving cybersecurity with a zero trust mindset. “It is important to build a really holistic security picture going forward that would certainly be advantageous across the Federal sector,” said Mischa Beckett, director of cyber threat intelligence at GDIT.
OT is hardware and software that critical infrastructure and industrial organizations rely on to execute, monitor, and control physical processes. Examples of OT include climate control systems in buildings, city water treatment and distribution networks, public safety and security systems, smart building technology, and transportation management systems.
In recent months, concern has grown over rising security threats to OT systems, especially in critical infrastructure sectors such as transportation and oil and gas distribution that rely on OT. The danger is far from theoretical: A 2021 ransomware attack against Colonial Pipeline, for example, caused panicked Americans to hoard gasoline.
As part of the government’s response, the Cybersecurity and Infrastructure Security Agency (CISA) brought together major pipeline operators and industrial control systems partners “to strengthen security practices to safeguard the operational technology networks critical to pipeline operations.”
“OT used by critical infrastructure owners and operators faces significant and increasing cybersecurity risks,” the U.S. Government Accountability Office warned in a March report that specified nation states and transnational criminal organizations as threat actors that are “increasingly capable of carrying out attacks.”
Top cybersecurity and critical infrastructure experts voiced similar concerns at a recent U.S. House subcommittee hearing, saying that neither the government nor the private sector are doing enough to secure OT networks of critical infrastructure organizations.
The hearing came one day before CISA issued its warning that Volt Typhoon has already compromised the IT environments of multiple critical infrastructure organizations in sectors such as communications, energy, and transportation.
Experts say the Chinese hackers focus on OT assets through techniques such as infiltrating networks by acquiring administrator credentials.
Officials at GDIT – which recently won a large Air Force cybersecurity contract focused on OT – say the risks stem in part from the nature of OT itself.
“Operational technology is bridging that gap between data at our fingertips and data that causes action,” Hayden said. “You have a lot of machines doing a lot of things out in the real world. How are they being controlled and how are they being accessed and monitored? The implications [of a breach] are not just data loss. They’re also real-world damage and disruption.”
Beckett agreed. “It’s easy to think about how this could affect water or electricity – everybody’s day-to-day lives around the world,” she said.
Beckett added that while the government’s ongoing problems with legacy technology are even more significant for OT than for information technology systems because OT systems have much longer lifecycles, the heightened effort to secure OT is beginning to pay off. “My sense is that, over time, we’re starting to do a better job building in cybersecurity to OT,” she said.
Hayden also pointed to positive OT security developments, such as the increasing use of AI and secure by design initiatives that build cybersecurity into the manufacturing of software and hardware products, as well as zero trust security initiatives that build in network segmentation and ensure OT devices are securely connected to the internet.
But challenges remain, including the “behavior side” of zero trust, Hayden said.
Many OT devices can be turned off and on, he noted, so organizations need to ask questions such as, “Do you have permission to turn it on and off? Should someone be able to authenticate from a remote location? Can they do it at 2 a.m. versus 11 a.m.?”
GDIT is working closely with Federal organizations to address threats to OT by developing security best practices that take advantage of emerging technologies such as AI.
“We serve as consultants to make sure they have the best practices in place for identifying and mitigating risks,” Hayden said.