Tenable Blog

You Can't Modernize Critical Infrastructure Without Cybersecurity

Will bipartisan legislation in the U.S. make securing IT and operational technology a priority?

U.S. lawmakers have an unprecedented opportunity to vastly improve the cybersecurity posture of the nation's critical infrastructure this week as they negotiate a massive infrastructure package. The bipartisan legislation aims to transform and modernize the nation's infrastructure for generations to come — but only if it prioritizes cybersecurity of the IT and operational technology (OT) upon which such facilities rely. 

Unfortunately, many lawmakers still seem unclear about how ransomware attacks against operators of critical infrastructure, such as the recent hacks of Colonial Pipeline and JBS, could undermine any such modernization efforts. Without clear, strong language addressing cybersecurity, we believe any such legislation would fall short. Criminal groups, foreign adversaries and even lone hackers have shown a strong appetite to target everything from the pipelines that carry fuel to the meatpacking facilities that provide food and even the water treatment plants that supply our most basic needs. And they're making use of flaws in IT and OT technologies in order to accomplish their goals.

As the White House and lawmakers debate the Bipartisan Infrastructure Framework, its scope and what should be considered "infrastructure," cybersecurity must be prioritized. Any legislation should, at a base level, require any infrastructure project receiving funding from the infrastructure plan to assess its cybersecurity risk, identify gaps and outline a plan to address those gaps through cybersecurity risk mitigation practices and technology.

For example, if a state wants to use funding from the legislation to modernize a water treatment plant, or a municipality wants to acquire smart cities capabilities, or a power utility wants to deploy new technologies in its facilities, they must first show their cybersecurity plans. This should not be controversial — why spend money upgrading the backbone of our society if we're going to leave the door open for digital adversaries? Why update the power grid to be able to handle more extreme weather, only for it to be taken down by hackers instead?

Cybersecurity standards for critical infrastructure

Any infrastructure legislation should also provide guidelines for how to secure our critical infrastructure systems. Anne Neuberger, White House deputy national security advisor for cyber and emerging technology, was spot on when she called out the need for basic cyber hygiene practices in a recent memo to organizations across the country.

Lawmakers debating the current package can look to the Senate Committee on Energy and Natural Resources for ways to guide infrastructure operators. Section 1106 of that committee's energy infrastructure bill allows the secretary of energy to require recipients of grants or funding under the bill to submit a cybersecurity plan. Such cybersecurity plans are required to:

  • Outline how the recipient will maintain and improve cybersecurity throughout the life of the project;

  • Demonstrate how the recipient plans to maintain cybersecurity between the networks, systems, devices, applications or components within the proposed solution and at external interfaces; and

  • Indicate how the recipient will leverage applicable cybersecurity programs of the department, including cyber vulnerability testing.

Section 1106 also calls on funding recipients to maximize the use of open guidance and standards, including the Department of Energy Cybersecurity Capability Maturity Model and the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity.

These are excellent provisions and Tenable urges Secretary of Energy Jennifer Granholm to leverage this authority to drive stronger cybersecurity outcomes across the energy sector. The same provisions should apply to the nation's other critical infrastructure sectors as well.

What we need from the upcoming infrastructure modernization package is, at its core, quite simple: language requiring any organization providing these essential services to focus on the cybersecurity basics — including cyber risk assessments, asset management and vulnerability prioritization. Anything less would be negligent.

We recognize the details of critical infrastructure security are complex and unique. We believe this legislation presents a vital, common-sense place to start, as Congress works towards a final infrastructure plan. While our nation's electric grid and other critical infrastructure facilities are in dire need of physical updates, leaving them open to the barrage of cyberattacks is simply not an option. Congress must include cybersecurity provisions and requirements as it finalizes its infrastructure modernization plan.
