CISA Must Update Critical Infrastructure Protection Plans
IG Report on Dams Urges Agency to Make Several Security Improvements
The U.S. Cybersecurity and Infrastructure Security Agency must update plans to improve the security - both physical and cyber - within the nation's critical infrastructure, according to an inspector general's report that specifically looked at the issue related to the country's dams and levees.
Dams, levees and other water structures are considered part of the 16 critical infrastructure sectors overseen by CISA, according to the U.S. Department of Homeland Security's inspector general's report that examined the agency's response to securing the facilities and overseeing physical security as well as cybersecurity.
The inspector general's report finds that under a 2013 presidential directive, CISA is "required to establish a process to measure and analyze the nation's ability to manage and reduce risks to dams and other critical infrastructure," but those plans - which are part of the National Infrastructure Protection Plan designed to address security - have not been updated in the past eight years.
In addition, CISA has not done enough to coordinate various activities related to dam security, including cybersecurity, the report notes.
"These activities include facilitating public-private partnerships, developing strategic goals to mitigate physical and cyber risks and improve resilience, supporting education, training, information and outreach, and providing support to identify vulnerabilities and mitigate incidents," the report notes. "However, these activities are not centrally managed or formally evaluated, which prevents CISA from determining its impact on Dams Sector security and resilience."
As part of its report, the inspector general outlines five improvements for CISA to make in regard to securing critical infrastructure, especially dams. In response, CISA Director Jen Easterly wrote that her agency agreed with all the recommendations, including updating the 2013 National Infrastructure Protection Plan to address specific issues related to dams. These updates are scheduled to be published in September 2022.
The security of the nation's critical infrastructure has been a major issue for CISA and other agencies, especially following the ransomware attack that targeted Colonial Pipeline Co. in May, which caused fuel shipment delays throughout portions of the U.S. East Coast.
Before the Colonial Pipeline incident, an attack on a water treatment facility in Oldsmar, Florida, in February raised issues concerning the security of these types of facilities as well as protection for operational technology systems - such as industrial control systems and supervisory control and data acquisition, aka SCADA, systems - which manage these types of operations (see: 5 Critical Questions Raised by Water Treatment Facility Hack).
In response, a bipartisan group of senators proposed a bill in June called the Cybercrime Prevention Act, which would give the U.S. Department of Justice additional tools to pursue cybercriminal activity and create enhanced penalties for attackers who target critical infrastructure, including dams, power plants, hospitals and election infrastructure.
And while these incidents have put critical infrastructure in the spotlight and have caught the attention of lawmakers, more needs to be done by CISA and the DHS to address how cyber incidents can cause physical damage and vice versa, says Mike Hamilton, the former vice chair for the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council.
"Apart from the question of crumbling infrastructure, the problem is compounded by a new focus on operational technologies and industrial control systems," says Hamilton, who is now the CISO of security firm Critical Insight. "Because a cyberattack on a dam operation has the potential to cause physical damage and loss of life and the fact that many dams also contribute power to the grid, dams will likely be the poster child for this focus."
What is also missing is specific guidance from the National Institute of Standards and Technology to create goals that will facilitate the voluntary adoption of standards around OT security, Hamilton says.
The inspector general's report offers five recommendations for dam and levee physical security and cybersecurity that CISA has promised to adopt. These include:
- Update the Dams Sector-Specific Plan so that it aligns with the updated National Infrastructure Protection Plan, which CISA is now developing;
- Revamp CISA's organizational chart to clarify roles, responsibilities, coordination processes and reporting procedures for dam security;
- Establish policies, procedures and performance metrics for CISA programs and activities related to dam security;
- Strengthen interagency ties between CISA and other agencies that help oversee dams, such as the Federal Emergency Management Agency;
- Encourage the owners and operators of dams to use the HSIN-CI Dams Portal, which provides information sharing among various stakeholders.
Hamilton notes that many of the issues raised by the inspector general's report need to be addressed.
"The failure to develop the National Infrastructure Protection Plan and the Sector-Specific Plan for the dam sector as well as the lack of effort in gathering performance information for a sector that is known to be in a precarious state of repair is a security issue requiring immediate attention," Hamilton says.