The President’s National Security Telecommunications Advisory Committee has put forward proposals that would require all executive civilian branch agencies to monitor operational technology systems in real-time.
In a draft report issued Tuesday, NSTAC said the Cybersecurity and Infrastructure Security Agency should issue a binding operational directive that would mandate federal departments to continuously monitor how any in-use operational technology (OT) devices connect with other systems.
Operational technology is hardware and software that detects or can cause a change through the direct monitoring or control of industrial equipment and assets, such as electrical substations, water treatment plants and manufacturing facilities.
The latest study focuses on the convergence of these systems with conventional IT systems and comes amid heightened concerns over potential cyber threats to industrial manufacturing and utilities including power stations and water filtration plants.
In February last year, an unidentified hacker broke into the computer system of a water treatment plant for a town outside of Tampa, Florida, and temporarily changed the plant’s sodium hydroxide setting to a potentially dangerous level. Concerns over such an attack were further raised this week following news that hackers may have accessed industrial control systems at a South Staffordshire Water filtration plant in the U.K.
“CISA should issue a Binding Operational Directive, similar to what Section 1505 of the Fiscal Year 2022 National Defense Authorization Act requires for the DOD, that requires executive civilian branch departments and agencies to maintain a real-time, continuous inventory of all OT devices, software, systems, and assets within their area of responsibility, including an understanding of any interconnectivity to other systems,” the report said.
NSTAC is made up of 30 chief executives representing the leading communications, network services and IT companies, and acts as a liaison between federal agencies and the private sector. It was created by an executive order signed by President Ronald Reagan in 1982.
The latest draft report also includes a key recommendation that CISA should develop guidance on procurement language for operational technology products and services and that the agency should work with the General Services Administration to require the inclusion of risk-informed cybersecurity capabilities in federal government procurement vehicles.
In addition, the study says that the National Security Council, CISA and the Office of the National Cybersecurity Director should prioritize the development and implementation of interoperable, technology-neutral, vendor-agnostic information-sharing to advance the real-time sharing of sensitive collective defense information between authorized stakeholders.
The report is the third of three commissioned by the White House following several significant cybersecurity incidents including the SolarWinds hack in late 2020 and the Colonial Pipeline cyberattack in May last year.
NSTAC’s prior reports examined software assurance in the IT supply chain and zero trust and trusted identity management. The committee will now work on a fourth and final overarching study.
During a committee meeting Tuesday afternoon, NSTAC members voted to approve the draft report, which will now be passed to the president.