One of the major problems facing the cybersecurity of the nation’s critical infrastructure is a lack of personnel, according to witnesses at both the House Homeland Security Committee and the Senate Energy and Natural Resources Committee on Tuesday. Both committees held hearings on the security of critical infrastructure in the U.S.
“We’re looking for Congress’ support to increase those field deployed [agents] in the 2017 budget,” said Andy Ozment, assistant secretary of the Office of Cybersecurity and Communications National Protection and Programs Directorate at the U.S. Department of Homeland Security, who spoke on the House panel. He explained that his department has six agents called Cyber Security Advisors (CSA) who perform risk assessments of various critical infrastructures. With the added funds, he hopes to have 24 agents. “We must work across the U.S.”
Duane D. Highley, president and CEO of Arkansas Electric Cooperative Corp., agreed in the Senate hearing that the lack of cyber personnel is a prominent concern for the infrastructure industry: “A lot of the time we have to go out of the country to get those people.”
Highley also commented that, as a private entity, his company worried about the vetting and background checks for his employees. Though he has access to state databases to conduct background checks, he worries that without access to Federal, FBI databases, he is at a greater risk for insider threat.
“It’s important that we have access to that Federal database,” Highley told the Senate Energy Committee.
Rob Manning, vice president of transmission at the Electric Power Research Institute, also testified at the Senate hearing, and said that it was hard to quantify how large the insider threat was.
“We don’t know how serious this issue is, because we haven’t experienced a real, serious issue yet in that regard,” Manning said.
Brent Stacey, associate laboratory director of the Idaho National Laboratory, testified at the Senate hearing and explained his organization’s summation of the state of cybersecurity in the sphere of critical infrastructure as one with both advantages and detriments.
“First, the speed of technological innovation is outpacing traditional approaches. Second, determined, sophisticated, and patient adversaries will be successful in penetrating an infrastructure’s systems,” he said. “Third, a disciplined adversary likely will know the dynamics of digital technology better than the asset owner, and the asset owner will know their engineering and processes better than the adversary; we need to leverage our knowledge advantage and strengths. And fourth, technology for automation and digital control are inherently embedded in our infrastructure.”
The Senate hearing concerned the proposed Securing Energy Infrastructure Act, which would “provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector.” Though these vulnerabilities could range from an attacker with a gun, as one senator mentioned, to a remote hacker, much of the focus was on the cybersecurity threats faced by the energy sector, and what can be done about them.
“We didn’t design the grid to react to intentional acts of war, but when we designed it with the redundancy to cover weather events and equipment failure, we end up with high reliability,” Highley said.