NSTAC Warns of IT/OT Convergence Risks
A presidential advisory committee warned in a new report that industries' information and operational technology systems are not effectively siloed.

Serious cybersecurity vulnerabilities continue to plague U.S. critical infrastructure — including the power grid — despite their owners’ commitment to protecting their assets, according to a report released this week by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

The report was prepared by the President’s National Security Telecommunications Advisory Committee (NSTAC), a body of leaders from the telecommunications, information technology, finance and aerospace industries that advises the federal government on maintaining secure and reliable communications. It is part of a broader federal response to the Colonial Pipeline hack and other cybersecurity incidents ordered last year by President Biden. (See Biden Directs Federal Cybersecurity Overhaul.)

Biden’s order directed NSTAC to study three key cybersecurity topics:

      • software assurance in the commercial information and communications technology supply chain;
      • zero trust and trusted identity management; and
      • the convergence of IT and operational technology systems.

Tuesday’s report, a working draft, focused on the third issue; a later, comprehensive report is planned that will cover all three areas.

Common Risks in OT Systems

In the document, NSTAC identified three common deficiencies that enable potential attackers to cross over from businesses’ IT networks — which are used for data-centric computing and communications — into their OT systems, which monitor and control events, processes, and devices in enterprise and industrial operations. Cybersecurity researchers have warned that cybercrime groups around the world are actively developing such crossover capability. (See Dragos Warns Malware Developers Building Skills Fast.)

The first security issue cited by the report’s authors is the lack of an effective “air gap”: an isolation of a business’s OT and IT assets that prevents any communication, either physically or wirelessly. Air gapping is essential to OT security because attackers can use any contact with an IT system to gain access to and control over the OT system. But the report said that even this basic level of security seems to be a major challenge for many businesses.

“While there are many OT engineers that may rely on the idea of an air gap to protect their environments, asset operators should recognize that in most environments, the air gap is a myth,” the NSTAC said, adding that many of its members “have 25 years-plus experience and have never seen a true ‘air-gapped’ OT system.”

What prevents an effective air gap, the report said, is usually the sheer convenience of connecting OT networks to the internet. Putting systems online rather than limiting access to those who are physically present allows a wider range of employees to monitor and step in if anything goes wrong.

However, it also means that an organization’s security staff lose some control and visibility over who has access to the OT systems. The NSTAC calls this phenomenon “accidental convergence,” the second major theme of the report, and defines it as occurring when “the system owner does not even realize or have visibility into which devices reside where on their networks.” This is especially the case in systems where OT assets have been connected to cloud services, which is increasingly common in the U.S.

While the authors acknowledged efforts are underway to mitigate the security risks of connecting to the open internet, they cautioned that even these advanced security controls cannot entirely remove the “fundamental availability risks of services delivered over the internet.”

The final vulnerability is the existence of “shadow IT,” in which OT systems are “added and modified without official IT change management control and approval.” While the report noted that OT systems usually are designed to “limit the ability to effect changes to assets in the environment,” as with air gapping, such precautions often lapse without highly disciplined change management processes. This can create problems when, for instance, employees use workarounds during urgent troubleshooting that are never removed from the environment afterward, or engineers use off-the-shelf components with unauthorized connectivity capabilities instead of following proper procurement protocol.
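The three deficiencies above (air gap breaches, accidental convergence, and shadow IT) can each be surfaced from passive observation of the OT segment. The following is an added example, not code from the NSTAC report or the article; it runs constructed flow records against a hypothetical asset inventory and change-management record to show how a defender would classify each finding.

```python
import ipaddress

# Constructed example data (hypothetical, not from the NSTAC report).
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")  # segment that is supposed to be air-gapped
INVENTORY = {                                   # assets the operator knows about
    "10.20.1.10": "PLC-1",
    "10.20.1.11": "PLC-2",
    "10.20.2.5": "HMI-1",
    "10.20.4.9": "ENG-LAPTOP",                  # known, but never went through change control
}
CHANGE_APPROVED = {"10.20.1.10", "10.20.1.11", "10.20.2.5"}

# Constructed passive flow records from a tap on the OT segment: time src dst dst_port
FLOWS = """\
2022-02-15T10:00:01 10.20.1.10 10.20.2.5 502
2022-02-15T10:00:07 10.20.2.5 203.0.113.40 443
2022-02-15T10:01:12 10.20.3.77 10.20.1.10 502
2022-02-15T10:02:30 10.20.4.9 10.20.1.10 502
2022-02-15T10:02:45 10.20.1.11 10.20.2.5 502
"""


def in_zone(ip: str) -> bool:
    return ipaddress.ip_address(ip) in OT_ZONE


def analyze(flows: str = FLOWS, inventory=INVENTORY, approved=CHANGE_APPROVED):
    """Return a de-duplicated, sorted list of (finding, host, detail) tuples."""
    findings = set()
    for line in flows.splitlines():
        _ts, src, dst, port = line.split()
        # 1. Air-gap breach: an OT host talking to anything outside the OT zone.
        if in_zone(src) and not in_zone(dst):
            findings.add(("air_gap_breach", src, f"{dst}:{port}"))
        for host in (src, dst):
            if not in_zone(host):
                continue
            # 2. Accidental convergence: a device on the OT segment nobody inventoried.
            if host not in inventory:
                findings.add(("unknown_device", host, "not in asset inventory"))
            # 3. Shadow IT: a known asset whose addition bypassed change management.
            elif host not in approved:
                findings.add(("shadow_it", host, f"{inventory[host]} lacks change approval"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, host, detail in analyze():
        print(f"{kind:16} {host:14} {detail}")
```

In practice the inventory and change records would come from the asset-management and change-control systems, and the flows from a network tap or span port on the OT segment.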

NSTAC provided several recommendations for the president and other government agencies, including CISA, to help “further reduce risk and secure the nation’s critical infrastructure.” While these mainly concern government OT networks, they also include measures on communication and information sharing. The report’s authors called on CISA, the National Security Council and the Office of the National Cybersecurity Director to develop “interoperable, technology-neutral, vendor-agnostic information-sharing mechanisms” to allow the sharing of real-time data “between authorized stakeholders involved with securing U.S. critical infrastructure.”

“NSTAC also recognizes that the federal government alone cannot uniquely resolve all the challenges surrounding OT cybersecurity, and readers from all stakeholder groups will benefit from the additional findings, best practices and general guidance contained in the appendices,” the report said.
