[House Hearing, 118 Congress]
[From the U.S. Government Publishing Office]


                      SECURING OPERATIONAL TECHNOLOGY: A DEEP 
                             DIVE INTO THE WATER SECTOR

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                    CYBERSECURITY AND INFRASTRUCTURE
                               PROTECTION

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             SECOND SESSION

                               __________

                            FEBRUARY 6, 2024

                               __________

                           Serial No. 118-51

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

        Available via the World Wide Web: http://www.govinfo.gov

                               __________
                               

                   U.S. GOVERNMENT PUBLISHING OFFICE                    
57-219 PDF                  WASHINGTON : 2024                    
          
-----------------------------------------------------------------------------------                                    

                     COMMITTEE ON HOMELAND SECURITY

                 Mark E. Green, MD, Tennessee, Chairman
Michael T. McCaul, Texas             Bennie G. Thompson, Mississippi, 
Clay Higgins, Louisiana                  Ranking Member
Michael Guest, Mississippi           Sheila Jackson Lee, Texas
Dan Bishop, North Carolina           Donald M. Payne, Jr., New Jersey
Carlos A. Gimenez, Florida           Eric Swalwell, California
August Pfluger, Texas                J. Luis Correa, California
Andrew R. Garbarino, New York        Troy A. Carter, Louisiana
Marjorie Taylor Greene, Georgia      Shri Thanedar, Michigan
Tony Gonzales, Texas                 Seth Magaziner, Rhode Island
Nick LaLota, New York                Glenn Ivey, Maryland
Mike Ezell, Mississippi              Daniel S. Goldman, New York
Anthony D'Esposito, New York         Robert Garcia, California
Laurel M. Lee, Florida               Delia C. Ramirez, Illinois
Morgan Luttrell, Texas               Robert Menendez, New Jersey
Dale W. Strong, Alabama              Yvette D. Clarke, New York
Josh Brecheen, Oklahoma              Dina Titus, Nevada
Elijah Crane, Arizona
                      Stephen Siao, Staff Director
                  Hope Goins, Minority Staff Director
                       Sean Corcoran, Chief Clerk
                                 ------                                

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                Andrew R. Garbarino, New York, Chairman
Carlos A. Gimenez, Florida           Eric Swalwell, California, Ranking 
Mike Ezell, Mississippi                  Member
Laurel M. Lee, Florida               Sheila Jackson Lee, Texas
Morgan Luttrell, Texas               Troy A. Carter, Louisiana
Mark E. Green, MD, Tennessee (ex     Robert Menendez, New Jersey
    officio)                         Bennie G. Thompson, Mississippi 
                                         (ex officio)
               Cara Mumford, Subcommittee Staff Director
           Moira Bergin, Minority Subcommittee Staff Director
                           
                           C O N T E N T S

                              ----------

                               Statements

The Honorable Andrew R. Garbarino, a Representative in Congress 
  From the State of New York, and Chairman, Subcommittee on 
  Cybersecurity and Infrastructure Protection:
  Oral Statement
  Prepared Statement
The Honorable Eric Swalwell, a Representative in Congress From 
  the State of California, and Ranking Member, Subcommittee on 
  Cybersecurity and Infrastructure Protection:
  Oral Statement
  Prepared Statement

                               Witnesses

Mr. Robert M. Lee, Chief Executive Officer and Co-Founder, Dragos 
  Inc.:
  Oral Statement
  Prepared Statement
Mr. Charles Clancy, PhD, Chief Technology Officer, The Mitre 
  Corporation:
  Oral Statement
  Prepared Statement
Mr. Kevin M. Morley, PhD, Manager, Federal Relations, American 
  Water Works Association:
  Oral Statement
  Prepared Statement
Mr. Marty Edwards, Deputy Chief Technology Officer, Operational 
  Technology and Internet of Things, Tenable:
  Oral Statement
  Prepared Statement

                             For the Record

The Honorable Eric Swalwell, a Representative in Congress From 
  the State of California, and Ranking Member, Subcommittee on 
  Cybersecurity and Infrastructure Protection:
  Question From Rep. Robert Garcia
  Joint Statement of Dr. Amit Elazari, J.S.D., CEO and Co-Founder 
    of OpenPolicy, ISO/IEC 27402 Co-Editor and Lucian Niemeyer, 
    CEO of Building Cyber Security.org
  Statement of NACWA
  Letter From Association of Metropolitan Water Agencies

                                Appendix

Questions From Chairman Andrew Garbarino for Robert M. Lee
Questions From Chairman Andrew Garbarino for Charles Clancy
Questions From Chairman Andrew Garbarino for Kevin M. Morley
Questions From Chairman Andrew Garbarino for Marty Edwards

 
   SECURING OPERATIONAL TECHNOLOGY: A DEEP DIVE INTO THE WATER SECTOR

                              ----------                              


                       Tuesday, February 6, 2024

             U.S. House of Representatives,
                    Committee on Homeland Security,
                         Subcommittee on Cybersecurity and 
                                 Infrastructure Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., at 
Room 310, Cannon House Office Building, Hon. Andrew R. 
Garbarino [Chairman of the subcommittee] presiding.
    Present: Representatives Garbarino, Gimenez, Ezell, Lee, 
Swalwell, Carter, and Menendez.
    Also present: Representative Pfluger.
    Chairman Garbarino. The Committee on Homeland Security, 
Subcommittee on Cybersecurity Infrastructure Protection will 
come to order. Without objection, the Chair may recess at any 
point.
    The purpose of this hearing is to receive testimony from a 
panel of expert witnesses on securing operational technology, 
or OT, across critical infrastructure sectors with a specific 
focus on threats to the water sector.
    Without objection, the gentleman from Texas, Mr. Pfluger, 
is permitted to sit on the dais and ask questions to the 
witnesses.
    I now recognize myself for an opening statement.
    Thank you to our witnesses for being here today to discuss 
the importance of securing operational technology or OT. OT 
systems are responsible for controlling the reliable delivery 
of lifeline functions across the United States, including clean 
water and electricity. It is a national imperative to secure 
the foundational technology and infrastructure that underpins 
our Nation's most critical functions.
    During my tenure in this committee, we have made great 
strides to focus on CISA's efforts on securing OT, but given 
recent incidents, we must revisit this topic to consider how 
Congress may further refine and strengthen CISA's support to 
critical infrastructure owners and operators. In late 2023, we 
saw the latest nefarious cyber activity against OT devices in 
multiple sectors, including water and wastewater systems, by 
Iranian-affiliated cyber actors. This malicious activity 
against Israeli programmable logic controllers, or PLCs, is 
unacceptable. I was glad to see the Treasury Department 
announce sanctions for 6 Iranian government officials late last 
week. This is the first step to holding these bad actors fully 
accountable.
    Unfortunately, this exploitation was not isolated to one 
sector, underscoring the risks associated with critical 
infrastructure interdependencies. Owners and operators across 
all sectors must raise the level of security for OT systems. 
Important first steps include following CISA's guidance to 
change default passwords and disconnect OT systems from the 
internet.
    But in my conversations with owners and operators across 
sectors, I learned that sometimes basic cyber hygiene 
principles for information technology or IT systems may not 
translate to OT systems. Many OT systems rely on legacy 
equipment that owners and operators may not have the capacity 
to secure in the same way as traditional IT. Given this, the 
system must update traditional IT guidance to reflect the 
realities of OT systems. I look forward to hearing from our 
private-sector experts today on how this translation can be 
most impactful.
    As a Sector Risk Management Agency, or SRMA, for 8 of the 
16 critical infrastructure sectors, CISA should lead by example 
and prioritize OT personnel and resources internally. I look 
forward to working with the 6 other committees of jurisdiction 
to ensure the remaining SRMAs also prioritize OT personnel and 
resources.
    As we discuss roles and responsibilities today, I would 
like to highlight CISA's success as a partner with industry 
rather than a regulator. I hope my colleagues will join me in 
continuing to empower CISA as an SRMA and also as the national 
coordinator for critical infrastructure, security, and 
resilience. I look forward to our witnesses' testimony and 
developing productive solutions to strengthen our Nation's 
baseline security for the OT that underpins all aspects of 
American life.
    [The statement of Chairman Garbarino follows:]
                 Statement of Chairman Andrew Garbarino
                            February 6, 2024
    Thank you to our witnesses for being here today to discuss the 
importance of securing operational technology, or OT. OT systems are 
responsible for controlling the reliable delivery of lifeline functions 
across the United States, including clean water and electricity. It is 
a national imperative to secure the foundational technology and 
infrastructure that underpins our Nation's most critical functions.
    During my tenure on this committee, we have made great strides to 
focus CISA's efforts on securing OT. But given recent incidents we must 
revisit this topic to consider how Congress may further refine and 
strengthen CISA's support to critical infrastructure owners and 
operators.
    In late 2023, we saw the latest nefarious cyber activity against OT 
devices in multiple sectors, including water and wastewater systems, by 
Iranian-affiliated cyber actors. This malicious activity against 
Israeli programmable logic controllers, or PLCs, is unacceptable. I was 
glad to see the Treasury Department announce sanctions for 6 Iranian 
government officials late last week--this is the first step to holding 
these bad actors fully accountable.
    Unfortunately, this exploitation was not isolated to one sector, 
underscoring the risks associated with critical infrastructure 
interdependencies. Owners and operators across all sectors must raise 
the level of security for OT systems. Important first steps include 
following CISA's guidance to change default passwords and disconnect OT 
systems from the internet.
    But in my conversations with owners and operators across sectors I 
learned that sometimes basic cyber hygiene principles for information 
technology, or IT, systems may not translate to OT systems. Many OT 
systems rely on legacy equipment that owners and operators may not have 
the capacity to secure in the same way as traditional IT.
    Given this, CISA must update traditional IT guidance to reflect the 
realities of OT systems. I look forward to hearing from our private-
sector experts today on how this translation could be most impactful.
    As the Sector Risk Management Agency, or SRMA, for 8 of the 16 
critical infrastructure sectors, CISA should lead by example and 
prioritize OT personnel and resources internally. I look forward to 
working with the 6 other committees of jurisdiction to ensure the 
remaining SRMAs also prioritize OT personnel and resources.
    As we discuss roles and responsibilities today, I would like to 
highlight CISA's success as a partner with industry rather than a 
regulator. I hope my colleagues will join me in continuing to empower 
CISA as a SRMA and also as the national coordinator for critical 
infrastructure security and resilience.
    I look forward to our witnesses' testimony and to developing 
productive solutions to strengthening our Nation's baseline security 
for the OT that underpins all aspects of American life.

    Chairman Garbarino. I now recognize the Ranking Member, the 
gentleman from California, Mr. Swalwell, for his opening 
statement.
    Mr. Swalwell. Thank you. I thank the Chairman for stitching 
together such an impeccable panel of witnesses for an urgent 
and important topic.
    You know, right now, the United States is involved in a 
number of different global conflicts, from aiding Ukraine as it 
defends its own territorial integrity against Russia, helping 
Taiwan as it prepares for the threat of a Chinese invasion, 
and, of course, working in the Middle East to assist Israel in 
defending itself against terrorism and the allies of Hamas in 
the region who are targeting Israel, which includes Iran.
    Having such a presence like that puts an even greater 
target on the back of the United States and our infrastructure, 
and makes us more and more vulnerable to a cyber attack or an 
attack on particularly our water infrastructure. We don't have 
to imagine what this could look like, because we are already 
seeing actors like China and Iran carry out and execute these 
attacks.
    So today we have an opportunity to really, you know, take a 
deep dive into what our water infrastructure looks like. I want 
to commend, as the Chairman noted, CISA's director, Jen 
Easterly. Last week, she testified to another committee that 
CISA has observed a ``deeply concerning evolution in Chinese 
targeting of U.S. infrastructure,'' and that Chinese intrusions 
have already been eradicated across multiple sectors, including 
water.
    The FBI also announced last week that it had disrupted Volt 
Typhoon, and I want to thank the Bureau for their work there. 
It doesn't change the fact, though, that Chinese hackers, you 
know, likely under the direction of President Xi, will continue 
to target the United States, and China will leverage its 
significant cyber arsenal to undermine the efforts of the 
United States and others who are interested in helping Taiwan 
preserve its democracy against a violent attack.
    Since 2018, CISA has been warning about Russian hackers as 
well, targeting U.S. critical infrastructure, including the 
water, energy, nuclear, and aviation sectors. But China, 
Russia, and Iran, of course, are only the tip of the iceberg. 
In addition to those nations, you have rogue cyber actors who 
are capable of targeting and disrupting our water 
infrastructure.
    So there is a lot that we can do, from expanding the 
CyberSentry program to signing into legislation that I have 
drafted, the Industrial Control System Cybersecurity Training 
Act, President Biden and CISA are raising the bar on OT 
security, but we still are not as prepared and as resilient as 
we need to be. It is target-rich, resource-poor sectors like 
the water sector that remain particularly vulnerable to cyber 
attacks.
    So, Chairman, again, I would rather get to the witnesses 
here. I think you and I are in alignment about what we need to 
do and just grateful that you have called us together as we 
face so many threats from so many places and want to make sure 
that our locals are particularly prepared.
    [The statement of Ranking Member Swalwell follows:]
               Statement of Ranking Member Eric Swalwell
                            February 6, 2024
    Good morning. I want to thank Chairman Garbarino for holding 
today's hearing on how we can improve the cybersecurity of operational 
technology, particularly as it is deployed across the water sector.
    Every day our adversaries grow bolder and more capable of exploiting 
vulnerabilities across OT networks.
    Just last week, Cybersecurity and Infrastructure Security Agency 
(CISA) Director Jen Easterly testified before another committee that 
CISA has observed a ``deeply concerning evolution in Chinese targeting 
of U.S. infrastructure'' and that Chinese intrusions have already been 
eradicated across multiple sectors, including water.
    Director Easterly's comments build on an advisory issued last year 
by the United States and its Five Eyes partners, which described the 
increasingly sophisticated and difficult-to-detect tactics of Chinese 
threat actor Volt Typhoon.
    The FBI announced last week that it had disrupted Volt Typhoon, and 
I commend them.
    But it doesn't change the fact that President Xi has been clear 
about his ambitions regarding Taiwan, and Director Wray has said that 
China will leverage its significant cyber arsenal to undermine the 
efforts of the United States and others who are interested in helping 
Taiwan preserve its democracy.
    China's hackers will continue to be a menace to U.S. critical 
infrastructure for years to come.
    But it isn't just China.
    Late last year, Iranian hackers targeted and compromised water 
utilities across the country.
    And since at least 2018, CISA has been warning about Russian 
hackers targeting U.S. critical infrastructure, including the water, 
energy, nuclear, and aviation sectors.
    But China, Russia, and Iran are just the tip of the iceberg.
    Other nations are rapidly developing their capabilities, and that 
is to say nothing of cyber criminals looking to make a buck.
    For too long, the Federal Government has left critical 
infrastructure owners and operators on their own to defend against 
these sophisticated threat actors and failed to integrate the unique 
security concerns of OT in its guidance and programs.
    Even efforts to improve cyber workforce training overlooked the 
skills required to develop the OT security experts we will need as 
technology deployed across critical infrastructure networks continues 
to evolve.
    I commend the Biden administration for accelerating efforts to 
improve OT security across critical infrastructure networks.
    From expanding the CyberSentry program to signing into law 
legislation I drafted, the Industrial Control Systems Cybersecurity 
Training Act, President Biden and CISA are raising the bar on OT 
security.
    Despite this progress, our critical infrastructure networks are not 
as prepared or resilient as they need to be.
    Target-rich, resource-poor sectors--like the water sector--remain 
particularly vulnerable to cyber attack.
    In my view, there are three things we can do that would have a 
meaningful impact on OT cybersecurity, particularly in target-rich, 
resource-poor sectors.
    First, many critical infrastructure owners and operators lack the 
resources necessary to modernize and secure the technology they use.
    For the past two budget cycles, CISA has proposed a Critical 
Infrastructure Cybersecurity Grant Program, but it has never provided 
authorization language and Congress has never funded it.
    Moving forward we should explore opportunities to provide resources 
for critical infrastructure to improve cybersecurity--whether it is 
through grants or through a revolving fund program.
    Second, we need to ensure that the programs, tools, and guidance 
CISA and its Federal partners are offering are accessible, usable, and 
provide security value to their full spectrum of stakeholders--from 
target-rich, resource-poor sectors to those who have been building 
cybersecurity capacity for decades.
    Too often, I have heard the Federal Government's tools and services 
are too difficult to navigate and that it is too difficult to 
understand which are appropriate for a particular entity's needs.
    Finally, we need to formalize CISA's approach to collaborating with 
the private sector to defend against threats to OT, including by 
authorizing the Joint Cyber Defense Collaborative.
    When it was first established, JCDC galvanized the public-private 
response to Log4j and Russia's invasion of Ukraine.
    Although JCDC continues to provide an important forum for public-
private collaboration, there have been complaints that activity has 
slowed absent a momentum-driving--or formal authorization legislation--
event to drive activity.
    For over a year, I have been working on legislation to authorize 
JCDC, collecting and incorporating multiple rounds of feedback from 
both private-sector and Government partners.
    My legislation recognizes the potential of JCDC, and puts it on a 
path of realizing it.
    Before I close, I would be remiss if I did not acknowledge an 
article I read in Politico yesterday regarding growing concerns about 
the value of JCDC.
    Many of the concerns raised in the story can and should be resolved 
by Congress stepping in to provide direction and accountability to JCDC 
through authorization--and that work is under way.
    More concerning, however, is the apparently growing sentiment among 
some in the private sector that collaborating with CISA--and JCDC in 
particular--could put them in the ``crosshairs'' of conservative 
critics who buy the former President's election fraud claims and are 
therefore rethinking whether they should collaborate with Government on 
cybersecurity issues.
    Given the pressing cyber threats facing the United States, we 
cannot allow for CISA's cybersecurity work to become politicized and 
the trusted partnerships it has spent multiple administrations 
cultivating to erode.
    I look forward to working with my colleagues on legislative 
solutions to improve OT security, particularly in target-rich, 
resource-poor sectors.
    With that, I look forward to the witnesses' testimony and I yield 
back.

    Chairman Garbarino. Thank you, Ranking Member Swalwell.
    Other Members of the committee are reminded that opening 
statements may be submitted for the record. I am pleased to 
have these witnesses before us today to discuss this very 
important topic. I ask that our witnesses please rise and raise 
their right hand.
    [Witnesses sworn.]
    Chairman Garbarino. Let the record reflect that the 
witnesses have all answered in the affirmative. Thank you. 
Please be seated.
    I would now like to formally introduce our witnesses. 
Robert Lee is chief executive officer and cofounder of Dragos, 
a global technology leader in cybersecurity for OT. Mr. Lee 
also serves on the Department of Energy's Electricity Advisory 
Committee, is a member of the World Economic Forum's 
Subcommittees on Cyber Resilience for the Oil and Gas and 
Electricity Communities. He began his work in OT as a U.S. Air 
Force cyber warfare operations officer tasked to the National 
Security Agency. Throughout his career, he has supported 
analysis of some of the most significant cyber attacks on 
industrial infrastructure, including the 2021 Colonial Pipeline 
ransomware attack.
    Dr. Clancy is senior vice president and chief technology 
officer for MITRE and heads MITRE's labs. MITRE operates 6 
Federally-funded research and development centers for the U.S. 
Government and provides agencies like CISA with deep technical 
capabilities. Dr. Clancy also sits on several boards and 
executive committees on intelligence, systems engineering, 
telecommunications, and artificial intelligence. Previously, 
Dr. Clancy led Virginia Tech's research programs in defense and 
intelligence. He started his career at the National Security 
Agency with a focus on research and engineering for wireless 
communications.
    Dr. Morley is a manager of Federal relations for the 
American Water Works Association. For 20 years, he has worked 
to advance security and preparedness in the water sector. He is 
also a disaster resilience fellow for the National Institute of 
Standards and Technology, a member of the President's National 
Infrastructure Advisory Council, and a representative on the 
Water Sector Coordinating Council.
    Marty Edwards is deputy chief technology officer for OT and 
internet of things at Tenable. Mr. Edwards leads Tenable's role 
in the OT Cybersecurity Coalition and served as a working group 
lead for the National Security Telecommunications Advisory 
Committee Report to the President on IT-OT convergence. Prior 
to his time at Tenable, he held leadership roles at the 
International Society of Automation, the U.S. Department of 
Homeland Security's Industrial Control Systems Cyber Emergency 
Response Team, and the U.S. Department of Energy's Idaho 
National Laboratory. Thank you all for being here today.
    Mr. Lee, I now recognize you for 5 minutes to summarize 
your opening statement.

  STATEMENT OF ROBERT M. LEE, CHIEF EXECUTIVE OFFICER AND CO-
                      FOUNDER, DRAGOS INC.

    Mr. Lee. Chairman Garbarino, Ranking Member Swalwell, and 
Members of the subcommittee, thank you for providing me the 
opportunity to testify before you today. My name is Robert Lee, 
and I'm the CEO and cofounder of Dragos, a leading OT 
cybersecurity technology provider.
    Today, water utilities and other critical infrastructure 
organizations find themselves on the front lines, defending 
against both state actors and criminal groups. They face 
growing threats, most importantly to their OT or operational 
technology networks. These systems are the critical part of 
critical infrastructure.
    In 2018, I testified before Congress that Dragos tracked 5 
state actors specifically focused on OT networks. Today, we 
track over 20 such groups, and my message has more urgency. My 
testimony focuses on three core points.
    First, there are fundamental differences between OT and IT 
networks. The biggest difference is the mission or business 
purpose of these systems. Generally, IT supports how you manage 
a business where OT is the reason the business exists. They're 
the specialized computers and networks that interact with the 
physical world around us, including things like control pumps, 
chemical levels, and so forth at water treatment facilities.
    OT security is also unique from IT security. Most of our 
standards and regulations and best practices simply apply IT 
security controls to OT without considering whether or not they 
should be applied. This results in wasted resources and 
operational disruptions. OT security instead should focus on 
unique OT security controls and adopt from IT security only 
when it makes sense, such as those in the SANS Institute's ICS 
Five Critical Controls.
    My second point is that the cyber threat landscape for OT has 
shifted irreversibly. More standardized infrastructure has 
brought efficiencies, a homogeneous infrastructure, to manage. 
But it's also opened the door for reusable, scalable 
capabilities that can be used across sectors.
    In 2022, Dragos worked with our partners, as well as 
closely with the U.S. Government, to identify and analyze a 
state actor capability, or malicious software, called Pipe 
Dream. It was the first reusable capability to cause the 
ability for disruptive as well as destructive capabilities 
across industrial equipment. This class of capabilities will 
increase the frequency of high-consequence attacks we observe.
    There's a victory here as well. Dragos and its partners 
worked with Federal agencies to report out to the broader 
infrastructure community prior to the capability being 
employed. It's one of the most significant public-private 
partnership wins of all time for OT security.
    My third point is that public and private sectors must work 
together to secure water security and water sector operational 
technology. For Federal agencies, this means providing clear 
and consistent guidance to the industry that identifies 
specific requirements they need to support, such as realistic 
threat scenarios and opportunities to exercise them.
    When it comes to regulation, the Government must harmonize 
across frameworks and use an outcome-based approach that 
defines why they are concerned, what the outcome is that we are 
driving toward, and leaves the how to the private sector or, 
simply stated, give us the requirements, not the answers.
    Government resources also should not be directed to 
programs that replicate technologies and services already 
available in the private sector. A good example is the 
Department of Energy's cyber-informed engineering that operates 
in an area where there is no market and rethinks how we design 
the energy system to engineer out some of the cyber risk.
    The water sector resources need to be made available as 
well. As an example, at Dragos we launched a program called the 
Community Defense Program, which gives all U.S.-based utilities 
with under $100 million in resources and under $100 million in 
annual revenue free access forever to our tech and resources. 
Yet, most water sites will never be able to take advantage of 
this. Even something as simple as a $3,000 one-time investment 
at water utilities for basic hardware and networking gear is 
almost impossible due to budget limitations and overly 
difficult spending approval processes that aren't informed by 
appropriate cybersecurity knowledge. Taxpayer-funded Government 
assessments or further Federal investments to develop the next 
great technology acutely miss the need. Small municipal water 
and wastewater facilities need direct resourcing.
    In conclusion, I have so much optimism that what we all can 
do together will work. We know what to do, oftentimes as simply 
as making it happen. However, a major shift must take place in 
order to solve the underlying economic issue that happens at 
our local water facilities.
    Together, we can figure out a way to make sure that those 
bad actors do not impact our local communities. I would very 
much love for my children to grow up in a world with safe water 
and electricity. Again, we know how to do it, but we must work 
together to get it done with an OT-first mindset and all 
playing to our strengths.
    I sincerely thank the subcommittee for providing me the 
opportunity to testify today and welcome any questions or 
requests for additional information as we go on.
    [The prepared statement of Mr. Lee follows:]
                  Prepared Statement of Robert M. Lee
                            6 February 2024
    Chairman Garbarino, Ranking Member Swalwell, and distinguished 
Members of the subcommittee, thank you for providing me the opportunity 
to testify before you today. My name is Robert M. Lee and I am the CEO 
and co-founder of Dragos, Inc., a leading industrial cybersecurity 
technology and services provider. Additionally, I serve in advisory 
roles to numerous governments and international organizations across 
the world including the United States Department of Energy (DOE), 
Singapore's Cyber Security Agency, and the World Economic Forum's 
cybersecurity committees on oil and gas and electricity. I am a veteran 
of the United States Air Force and National Security Agency. It has 
been my privilege to be on the front lines of this problem in both 
Government and the private sector.
    Both Government and industry have invested significantly in the 
cybersecurity of our Nation's critical infrastructure. However, a vast 
majority of the focus has been on securing information technology (IT) 
networks. Less emphasis was traditionally placed on cybersecurity for 
operational technology (OT) and industrial control systems (ICS). These 
systems are the specialized computers and networks that interact with 
the physical world, including assets like a control system that opens a 
circuit breaker on an electric substation or operates pumps at a water 
facility. Most executives and policy leaders are shocked to find that 
upwards of 95 percent of cybersecurity budgets go to the Enterprise IT 
portions of the business and not the OT networks that can impact 
safety, the environment, and generate the revenue for the organization. 
OT systems are the critical part of critical infrastructure.
    Even 20 years ago, ICS and OT were largely disconnected from other 
networks. The infrastructure was also complex and heterogenous with 
little in common between two facilities even in the same industry, 
making it more difficult and more costly for adversaries to create 
attacks that caused disruption or physical destruction in a way that 
was repeatable across sites and industries. Now, these systems, 
including those in the water and wastewater sector, are increasingly 
digital and homogenous by necessity. Threat groups can develop 
capabilities that target devices commonly used in OT environments 
across sectors and have found new ways to access and manipulate them 
causing disruption and posing safety risks.
    In 2018, I testified before Congress that Dragos, Inc. tracked 5 
state actor cyber groups that targeted industrial networks 
specifically. At the time, I noted that while that sounded alarming, we 
had time to address these issues if we worked diligently. Today, Dragos 
tracks over 20 such groups and my message has more urgency. Water 
utilities and other critical infrastructure organizations are also 
facing challenges stemming from the current geopolitical environment. 
They find themselves on the front lines, often with very limited 
resources, needing to defend against both state actor cyber groups and 
criminal groups.
    To protect and defend OT in the water sector requires both an 
understanding of the environment and investment in the right resources. 
My testimony focuses on three key points that are relevant to the 
subcommittee and this hearing's focus.
   The first point is that there are fundamental differences 
        between the operational technology and information technology 
        that underpin our Nation's critical infrastructure. IT is 
        focused on how you enable and manage the business while OT is 
        focused on why you are a business. The different missions, or 
        purposes, of IT and OT systems dictate what is required of them 
        and how organizations manage risk to them. The risks and 
        threats to those systems, how the threats operate, the 
        consequence of attacks, as well as the controls used to manage 
        that risk, are also different across OT and IT environments.
   The second point is that the cyber threat landscape for 
        operational technology and industrial control systems, 
        including those used in facilities in the water and wastewater 
        sector, has shifted irreversibly in recent years. The same 
        digitalization, connectivity, and uniformity in OT that is 
        enhancing efficiency and reliability for infrastructure owners 
        and operators is also adding risk. This digital transformation 
        of our industrial industries is necessary but without investing 
        in cybersecurity in advance of that transformation the 
        consequences will be dire. To minimize that risk and defend 
        water systems and other infrastructure against those 
        adversaries, the community must invest in and prioritize the 
        cybersecurity of OT and ICS networks with a focus on 
        implementing security controls that have demonstrated success 
        against the methods used by those threat groups.
   The third point is that the public and private sectors must 
        continue to work together to make sure infrastructure owners 
        and operators, including small and under-resourced 
        organizations, have the information, tools, and resources they 
        need to protect their systems. Both Government and industry 
        have unique capabilities and insights that provide real value 
        to operators of infrastructure, including water and wastewater 
        systems. We need to remove barriers that those operators face 
        in accessing information, tools, and equipment they need to 
        defend their systems. We must also not forget that the issues 
        are primarily an economics and awareness issue at our numerous 
        municipally-owned water utilities across this country. No 
        amount of free vendor tools or taxpayer-funded cybersecurity 
        services will alleviate this issue without addressing the core 
        economic challenge.
                I. IT and OT Are Fundamentally Different
    Both conceptually and functionally, IT and OT are fundamentally 
different. The biggest difference between IT and OT is the mission or 
business purpose of the system. Generally, IT systems are designed to 
support how you manage business. OT systems focus on the reason the 
business or organization exists. OT systems are the specialized 
computers and networks that interact with the physical environment to 
do things like control the pumps or chemical levels at a water 
treatment facility.
    The distinct mission, or purpose, of those systems dictates what is 
required of them and informs how risks and threats to the system are 
defined and managed. For example, a Windows operating system computer 
hosting a database for a financial institution has a distinctly 
different purpose and impact of failure than a Windows operating system 
hosting the Human Machine Interface (HMI) for a nuclear power plant. An 
adversary may be able to exploit a targeted Windows system in a similar 
way across IT and OT, but their behavior within that system will differ 
depending on whether they are focused on intellectual property theft of 
the financial institution's database or on causing an unsafe operating 
condition and physical impact.\1\
---------------------------------------------------------------------------
    \1\ https://www.sans.org/white-papers/36297/.
---------------------------------------------------------------------------
    The impact of a breach or compromise is different as well. IT tends 
to be focused on system and data security, and OT tends to focus on the 
system of systems and physics. In many IT compromises, gaining access 
to the system and understanding the system or its data are critical. 
The goal is likely data theft or disabling the systems. The adversary, 
in this case, does not often seek to cause physical impacts. In the OT 
cybersecurity community, the types of attacks that cause the greatest 
concern are those that seek to disrupt operations, cause physical 
damage, or even cause safety-related incidents that lead to equipment 
damage or loss of life. The threats operate differently, often using 
unique methods and capabilities to achieve their goals in OT networks.
    OT also has unique requirements. While the requirements of both IT 
and OT environments sound similar--high uptime, redundancy, low 
latency--OT must support specific circumstances. High uptime for OT, 
for instance, is often measured in years, not months, with systems that 
literally run for multiple years between rounds of maintenance. 
Redundancy for OT focuses on availability more than security. Many OT-
critical components can't be turned off. Instead of the time it takes 
to move data from one place to another, latency in OT deals with the 
milliseconds that determine whether an assembly line functions 
correctly.
    OT security requires a different mentality. It is unique from IT 
security. This is due to the nature of the physical environments and 
also because the threats that target them are different. The way threat 
groups operate, as well as the tactics and techniques they use, are 
different across IT and OT environments. Even just a decade ago, the 
threat landscape for operational technology (OT) and industrial control 
systems (ICS) was very limited. As a result, many of the security 
controls for OT have traditionally been IT controls that can be applied 
to OT environments. Many standards, regulations, and ``best practices'' 
are often focused on how to apply IT security controls to OT and not 
whether they should be applied. There are many IT cybersecurity 
practices, such as vulnerability management and endpoint protection 
systems, that have a completely different value proposition, emphasis, 
and effect in OT networks. Applying all of the IT cybersecurity 
controls of a business to the OT networks would yield wasted resources 
and likely cause more disruption to the environment than all the state 
actors currently tracked combined. Simply put, organizations should 
look to unique OT cybersecurity controls and then evaluate the IT 
cybersecurity controls based on what risk they reduce and, if so, the 
unique way they should be applied. Our communities cannot afford for 
companies to ``gold plate'' the problem nor can they afford them to 
ignore it.
     II. The Cyber Threat Landscape for OT Has Shifted Irreversibly
Increasing digitalization, connectivity, and homogeneity in OT is 
        changing the threat landscape
    The same digitalization, connectivity, and uniformity in OT that is 
enhancing efficiency and reliability for infrastructure owners and 
operators is also adding risk. At the same time, a growing number of 
threat groups are targeting OT. To minimize that risk and defend water 
systems and other infrastructure against those adversaries, the 
community must invest in and prioritize the cybersecurity of OT and ICS 
networks with a focus on implementing security controls that have 
demonstrated success against the methods used by those threat groups.
    Twenty years ago, manual and truly disconnected OT environments 
meant that cyber adversaries could not as easily reach or interact with 
OT systems through cyber means. However, as those environments started 
becoming connected and digitalized, adversaries have paid attention. In 
2015 and 2016 Ukraine experienced the first power outages due to cyber 
attacks that used malicious software, or malware, that could be 
deployed at other electric transmission substations around the world. 
In 2017 the first-ever cyber attack that targeted human life directly 
took place in a Saudi Arabian petrochemical facility by targeting an OT 
safety system.
    As industry has moved toward more homogenous infrastructure with 
common software packages, common network protocols, and common facility 
designs, it has brought both cost and operating efficiencies. At the 
same time, it has also reduced the complexity in which adversaries have 
to operate and opened the door for reusable, scalable adversary 
capabilities that can be used to target the OT of multiple 
organizations within and across sectors. Threat groups are also taking 
advantage of native functionality in increasingly digitalized and 
connected systems, demanding an emphasis on detection and response 
efforts, in addition to prevention.
    In 2022, Dragos and its third-party partner in collaboration with 
the U.S. Government discovered and analyzed PIPEDREAM, the first 
reusable cross-industry capability that can cause physical disruption 
or destruction. The PIPEDREAM toolkit has the capabilities to impact 
devices that control critical infrastructure in different sectors--
devices that manage electrical systems, oil and gas pipelines, water 
systems, manufacturing plants, and even the control systems in military 
assets such as unmanned aerial vehicles and naval ships. PIPEDREAM also 
cannot simply be patched away as it takes advantage of native 
functionality in the software and network protocols available cross-
industry. Prevention is important to attempt but the necessity is on 
identifying, detecting, responding, and recovering correctly. At best 
guess currently less than 5 percent of global infrastructure has the 
ability to achieve this against PIPEDREAM-like capabilities.
    Though a capability like PIPEDREAM is concerning, it is important 
to take a moment to acknowledge the victory here as well. Dragos and 
its partners worked with Federal agencies to identify, analyze, and 
report on PIPEDREAM to the broader infrastructure community prior to 
PIPEDREAM being employed. This is one of the most significant public-
private partnership wins of all time in cybersecurity and truly 
represents a ``left of boom'' moment for the industry. The capability 
can still be used in the future though and it would be shocking if 
other countries were not developing similar capabilities.
Threats to water and wastewater systems have the potential to disrupt 
        operations and pose safety risks
    Water and wastewater systems are vulnerable to a variety of cyber 
attacks that have the potential to disrupt operations and pose safety 
risks to the systems' ability to perform fundamental functions. In over 
half of our engagements with customers, Dragos has encountered issues 
with ICS/OT network accessibility from the internet.\2\ Using weak or 
default credentials, which are often publicly available in the vendor's 
documentation, for OT devices increases the threat of exposure. Several 
recent examples demonstrate adversaries exploiting ICS/OT exposed 
systems.
---------------------------------------------------------------------------
    \2\ https://www.dragos.com/year-in-review/.
---------------------------------------------------------------------------
   In November 2023, CyberAv3ngers, a self-styled hacktivist 
        collective, executed an exploitation campaign targeting 
        Unitronics programmable logic controllers (PLCs) across 
        multiple sectors, including the water and wastewater sector. 
        The campaign employed unsophisticated methods such as secure 
        shell (SSH) brute-forcing and exploiting default 
        configurations.\3\ In December 2023, government agencies from 
        the United States and Israel released a joint Cybersecurity 
        Advisory linking the activity to Iranian National Revolutionary 
        Guard (IRGC) activities targeting an Israeli company.\4\ The 
        campaign's impact was notable, causing operational disruptions 
        such as the shutdown of a water scheme in North Mayo, Ireland, 
        and affecting wastewater treatment facilities in the United 
        States. Despite the unsophisticated nature of the attacks, they 
        underscored the potential for high-impact consequences in 
        industrial control systems (ICS) environments, highlighting the 
        disparity between attack sophistication and potential 
        operational impact. This also emphasizes the urgent need for 
        organizations with OT environments to implement fundamental 
        security measures, adhere to critical controls, and conduct 
        regular monitoring to mitigate risks.
---------------------------------------------------------------------------
    \3\ https://www.dragos.com/blog/cyber-av3ngers-hacktivist-group-targeting-israel-made-ot-devices/.
    \4\ https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a.
---------------------------------------------------------------------------
   In January 2021, an adversary used stolen TeamViewer 
        credentials to delete programs related to the water treatment 
        system for a San Francisco water utility.\5\ Dragos is unaware 
        whether the deleted water treatment programs were in an ICS/OT 
        system, but had the attack been successful, San Francisco's 
        water operations certainly would have been impacted through 
        loss of control, availability, and safety.
---------------------------------------------------------------------------
    \5\ https://www.nbcnews.com/tech/security/hacker-tried-poison-calif-water-supply-was-easy-entering-password-rcna1206.
---------------------------------------------------------------------------
   In February 2021, similar to the attack against the San 
        Francisco water treatment facility, an adversary leveraged 
        stolen TeamViewer credentials to access a human-machine 
        interface (HMI) in the ICS/OT environment of an Oldsmar, 
        Florida, water supply organization to change the water's sodium 
        hydroxide (NaOH) level.\6\ If successful, the Oldsmar water 
        supply would have been poisoned and may have impacted the 
        health of Oldsmar's citizens. The similarity of the San 
        Francisco and Oldsmar attacks, including the same initial 
        intrusion techniques, highlights how universal OT architecture 
        within the water and wastewater sector can lower the barrier 
        for adversaries to attack. Successful tactics, techniques and 
        procedures (TTPs) used against one entity can be effective 
        against others as well.
---------------------------------------------------------------------------
    \6\ https://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/.
---------------------------------------------------------------------------
    Adversaries are also targeting remote service technologies and 
solutions, as well as communications protocols. In 2023, Dragos 
observed an uptick in the water and wastewater sector in adversary 
actions using these types of connectivity. This highlights the 
importance of properly securing remote service applications and 
coordinating with third-party vendors and contractors to do the same.
   In October 2021, in a joint advisory, the U.S. Federal 
        Bureau of Investigation (FBI), the Cybersecurity and 
        Infrastructure Agency (CISA), the Environmental Protection 
        Agency (EPA), and the National Security Agency (NSA) stated 
        that between 2019 and 2021, adversaries gained access to water 
        and wastewater sector ICS/OT environments through spearphishing 
        as an initial intrusion and then pivoting to ICS/OT 
        environments through internet-accessible PLCs that required no 
        authentication using remote services.\7\
---------------------------------------------------------------------------
    \7\ https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-287a.
---------------------------------------------------------------------------
   In January 2024, CyberArmyofRussia--Reborn, a known 
        hacktivist group that has been associated with a known state 
        actor, posted a video to their Telegram channel showing the 
        manipulation of water tanks associated with two water 
        authorities in Texas in the United States. Based on information 
        in the video, it appeared that they changed the tank water 
        level indicators, which turned on the pumps. The adversary 
        remotely accessed the human-machine interface (HMI) via remote 
        services, likely causing Damage to Property, Denial of Control, 
        Manipulation of Control, and Loss of Availability.
    Also notable, almost all of the activity observed by Dragos in the 
water and wastewater sector was indicative of reconnaissance efforts, 
suggesting adversaries are using tools to map out water entities' 
public-facing internet infrastructure for future operations.
    While largely opportunistic, ransomware operators are increasingly 
attacking industrial organizations in several sectors, including water 
and wastewater. Ransomware has primarily threatened organizations' IT 
systems, but without proper network hygiene, the connectivity between the 
IT and ICS/OT environments often provides a pathway for adversaries to 
attack ICS/OT systems directly. Double extortion tactics used by 
ransomware operators add to the threat for water and wastewater 
organizations because releasing sensitive ICS/OT data and diagrams 
could provide other capable adversaries with valuable information they 
can use in campaigns with ICS/OT disruptive or destructive objectives.
   In August 2022, adversaries attacked a United Kingdom (UK) 
        water supply company, South Staffordshire Water (SSW), using 
        the cl0p ransomware. The ransomware operators disrupted SSW's 
        corporate Information Technology (IT) network; however, their 
        ability to supply clean public water was not impacted. On 16 
        August 2022, the ransomware operators posted pictures on their 
        leak site of what appear to be stolen identification documents 
        and screenshots of SSW's Human Machine Interfaces (HMIs). They 
        claimed to have gained access to SSW's ICS/OT network and could 
        manipulate chemical processes.\8\
---------------------------------------------------------------------------
    \8\ https://thecyberwire.com/newsletters/control-loop/1/4.
---------------------------------------------------------------------------
  III. The Public and Private Sectors Must Work Together to Make Sure 
 Infrastructure Owners and Operators Have the Information, Tools, and 
      Resources They Need to Protect Their Systems and Communities
    The best way to help the water and wastewater sector, as well as 
other critical infrastructure sectors, protect against threats to their 
OT environments and to manage risk is for Government and industry to 
work together, each using our unique capabilities, insights, and 
expertise to provide real value to operators. We need to remove 
barriers that those operators face in accessing information, tools, and 
equipment they need to defend their systems.
    For Federal agencies, such as CISA and EPA, this means focusing 
efforts at the strategic level, providing direction to industry 
regarding what to focus on protecting (i.e. what is a critically 
important entity/asset), what scenarios to protect against (such as the 
known threat scenarios to OT water systems), and providing opportunities 
to practice efforts while sharing knowledge. It also means investing in 
areas where the private sector isn't already investing and providing 
guidance that must come from the Government. As an example, the 
Department of Energy's Cyber-Informed Engineering operates in an area 
where there is no market. It is intended to build cybersecurity 
resilience and principles into engineering efforts so that some of the 
cyber risks that we are concerned about are engineered out at a control 
and physics level before adversaries can exploit them. On the other 
hand, Government resources continue to get funneled into grant programs 
and Government initiatives that completely replicate technologies and 
services already available in the private sector that have been 
developed at lower costs with more expertise.
    When it comes to regulation, the Government must define and 
communicate what it is seeking to accomplish and prioritize outcomes. 
Dictating highly-prescriptive controls that tell infrastructure owners 
how to run security in their own environments, which they know better 
than the Government, will not reduce risk and is often 
counterproductive. I would recommend, instead, that the Government 
coordinate with the private sector to use their expertise and knowledge 
of their systems to inform outcome-based regulations. Regulations 
should also be informed by research such as the SANS Institute's 5 ICS 
Cybersecurity Critical Controls,\9\ which analyzed all known cyber 
threat attacks to industrial systems and identified the most effective 
and efficient controls against them.
---------------------------------------------------------------------------
    \9\ https://www.sans.org/white-papers/five-ics-cybersecurity-critical-controls/.
---------------------------------------------------------------------------
    We have seen this work well with models that the Federal Energy 
Regulatory Commission (FERC) and North American Energy Reliability 
Corporation (NERC) use. A regulatory agency proposes a regulation with 
details on what it seeks to achieve. NERC then forms a committee of 
members across the community to evaluate the effectiveness and 
feasibility of the proposed changes. This allows time for input and 
alignment and creates regulations that better meet the objectives. 
Further, models for collaboration instead of simply information sharing 
have begun to show value. NERC also facilitates GridEx, a valuable 
sector-wide, large-scale operational exercise that brings Government, 
vendors, and operators together under blue sky conditions to simulate 
real-world scenarios. The exercise provides real, valuable insights 
that inform future priorities.
    Another example of Government successfully providing this strategic 
level of direction is when the administration reached out to the 
Electricity Subsector Coordinating Council, the industry-CEO-led group 
that collaborates with CISA and DOE, to coordinate on its priorities on 
threats to electricity ICS and OT. The administration essentially laid 
out why they were concerned, including insights to cyber threats, what 
outcome was necessary to detect and respond to such ICS/OT cyber 
threats, but left the how to the private sector. The CEOs led a group 
to rapidly enhance the visibility across our industrial networks in the 
sector to detect industrial cyber threats by deploying commercial 
technologies, including one developed by Dragos called Neighborhood 
Keeper. The result is that the United States Government now voluntarily 
receives real-time insights from across the ICS and OT networks of the 
power companies that serve over 70 percent of Americans for free and at 
any time can identify new cyber threats and vulnerabilities.\10\ This 
model of why, and what, but not how allows for the Government to set 
and communicate straightforward priorities while allowing the expertise 
and innovation of the infrastructure operators to advise on how best to 
achieve the desired outcomes.
---------------------------------------------------------------------------
    \10\ https://www.utilitydive.com/news/an-eye-for-an-eye-the-electric-sectors-defense-will-depend-on-Federal-g/601643/.
---------------------------------------------------------------------------
    In another example of successful public-private sector 
collaboration, Dragos worked with Rockwell Automation and the U.S. 
Government in advance of the disclosure of a novel exploit capability 
attributed to a state actor that affected select communication modules 
by Rockwell Automation deployed in industrial companies across the 
country. The U.S. Government was able to leverage the insights from 
Neighborhood Keeper to determine how far and wide these assets and 
vulnerabilities could be found, work with Dragos and Rockwell to 
develop detections and mitigations, deploy them in real time to the 
asset owners in the Neighborhood Keeper network, and simultaneously 
make the insights available to those who were not.\11\ Another great 
``left of boom'' example of what right can look like when the public 
and private sector utilize their strengths.
---------------------------------------------------------------------------
    \11\ https://www.dragos.com/blog/mitigating-cves-impacting-rockwell-automation-controllogix-firmware/.
---------------------------------------------------------------------------
    When the Government speaks with one voice, the infrastructure 
community listens. However, when owners and operators receive different 
priorities and guidance from different agencies, it can cause analysis 
paralysis in security teams. Agencies like CISA and EPA have tremendous 
opportunity to help critical infrastructure organizations prioritize 
security efforts to ensure they are investing in the things that truly 
reduce risk. For small organizations, like many water utilities, clear, 
relevant and aligned guidance really matters because they do not have 
large teams to analyze and prioritize recommendations.
    Additionally, these efforts need to be properly resourced, both in 
the private sector and in the Government. Some organizations have the 
resources and mechanisms to invest in cybersecurity. Many do not. There 
are thousands of water utilities across the country that share 
information technology contractors with other organizations simply to 
do basic information technology support. They do not have the expertise 
or resources for cybersecurity efforts, including those to protect 
operational technology. Free Government assessments or further 
Government investments in trying to develop the next greatest 
technology acutely miss their need. These smaller municipal and public 
utility infrastructure sites need direct resourcing through changes at 
a State and local level or resourcing from a Federal level to go out 
and hire talent and purchase proven tools and technologies. Though we 
know ``what'' to do, the unfortunate reality is it is absolutely an 
economics issue.
    In my role at Dragos, I see the challenges that these organizations 
face every day in building their OT cybersecurity programs. And so, in 
December, Dragos expanded our Community Defense Program to give under-
resourced U.S.-based utility providers with under $100 million in 
annual revenue free access, forever, to Dragos products and training to 
build their operational technology cybersecurity programs, improve 
their security posture, and reduce operational technology cyber risk. 
And yet, even with access to tens of thousands of dollars' worth of 
free technology and training each year most water sites will be unable 
to take advantage of the program. To use any technologies most of the 
water municipalities need basic infrastructure upgrades. Even a one-
time cost of $3,000 on hardware and networking gear would be completely 
out of budget for these organizations and require a city council vote 
on the topic of cybersecurity that they do not likely understand. I 
have so much optimism about what we all can do together by playing to 
our strengths and caring enough about our communities to act using our 
knowledge to counter even the most sophisticated cyber threats. 
However, a major shift must take place in order for us to solve the 
underlying economic issues that would make any of it work at scale, 
especially in the water sector.
                             IV. Conclusion
    In conclusion, in order to help secure operational technology in 
the water sector, we must first understand the fundamental differences 
between the operational technology and information technology. The 
risks and threats to those systems, as well as the controls used to 
manage that risk, are also different across OT and IT environments. The 
cyber threat landscape for the OT environment has also shifted 
irreversibly. The same digitalization, connectivity, and uniformity in 
OT that is enhancing efficiency and reliability for infrastructure 
owners and operators is also adding risk. To adequately defend water 
systems and other infrastructure against threats and adversaries, the 
community must invest in and prioritize the cybersecurity of OT and ICS 
networks using security controls that have demonstrated success against 
actual threats. Finally, the public and private sectors must work 
together using our unique capabilities and expertise to ensure that 
water and wastewater organizations have the tools and resources they 
need to protect their systems. But all of this is predicated on 
addressing the economics and awareness of issues that exist at our 
local municipalities and town water systems.
    I sincerely thank the subcommittee for providing me the opportunity 
to testify today and welcome any questions or requests for additional 
information.

    Chairman Garbarino. Thank you, Mr. Lee.
    Dr. Clancy, I now recognize you for 5 minutes to summarize 
your opening statement.

 STATEMENT OF CHARLES CLANCY, PH.D., CHIEF TECHNOLOGY OFFICER, 
                     THE MITRE CORPORATION

    Mr. Clancy. Chairman Garbarino, Ranking Member Swalwell, 
and committee Members, my name is Charles Clancy. I'm a senior 
vice president at the MITRE Corporation, where I serve as chief 
technology officer. It's my pleasure to address the committee 
today.
    Given the testimony last week in the House Select Committee 
on the CCP hearings from Directors Wray and Easterly and 
General Nakasone, I need not belabor the threat. Suffice it to 
say that President Xi has tasked the PLA with being ready to 
invade Taiwan by 2027, and our intelligence community assesses 
that such an invasion would include wide-spread attacks against 
U.S. lifeline critical infrastructure sectors, including water.
    This is not a hypothetical threat. We've seen through Volt 
Typhoon as an example that China is preparing for such an 
action.
    Software supply chains is one potential area of 
vulnerability, and the Software Bill of Material, or SBOM, 
industry has matured significantly over the last couple of 
years. One option is to create an SBOM clearinghouse for 
critical infrastructure sectors that notifies both vendors and 
utilities when new vulnerabilities affect their products. Much 
like safety recalls in the automobile sector, it would prompt 
operators to close security gaps in a more timely manner.
    Another area to improve is incident response, particularly 
in the water sector. Presidential Policy Directives 21 and 41 
create the status quo that we operate under today, but they 
also silo our SRMAs from our incident responders within CISA 
and the FBI. By resourcing SRMAs to be more involved in 
incident response, they can better understand the current 
threat environment and bring much-needed context to that 
incident response.
    Today's process is often open-loop. We don't learn--learn 
the regulatory environment doesn't improve based on learnings 
we get from incidents, which runs counter to the NIST 
cybersecurity framework. Reforms here can help close the loop 
for many sectors, including water.
    But if you agree with the intelligence assessments, we 
can't tackle the gravity of the threat we face with policy 
reforms just around the edges. In 3 years, we'll still be 
negotiating the footnotes of a PPD 21 rewrite as our 
adversaries launch wide-spread destructive cyber attacks 
against our critical infrastructure.
    Today, we view cyber attacks against our infrastructure as 
tactical discrete events that we can identify, respond to, and 
recover from. Depending on the scope, scale, and impact of such 
attacks, we may respond proportionately, such as the sanctions 
against Iran we saw last week.
    But this thinking does not scale to the strategic threat 
that we face. Instead, we must think of these attacks in the 
same veins as a major natural disaster, where the solution is 
not technology band-aids, but it's more about procedures and 
people. We need to plan, practice, and be prepared to act.
    Military systems have what are called wartime reserve modes 
that change the configuration and operating posture to confound 
adversary exploitation, and our critical infrastructure systems 
need an intellectually similar set of contingencies that can be 
activated in a period of major conflicts.
    Unless we prepare, train, and exercise for isolated 
operations where we can literally pull the plug between our IT 
and OT systems, physically separating them from the internet, 
we really won't have much of an ability to defend ourselves. 
This dramatically limits our adversaries' ability to activate 
destructive logic that's embedded in our systems or to gain new 
accesses to our systems.
    Likely, many critical infrastructure operators lack the 
needed engineering staff to sustain isolation operating systems 
in an on-going capacity. So new programs are needed to train 
National Guard units or create a civilian core reserve of cyber 
physical operators and experts to augment utilities to sustain 
such operations.
    Moreover, we need to practice for multiple-sector failures 
in population centers and assess cascading impacts. This 
includes not only tabletop exercises and hypothetical 
wargaming, but also live drills where we test contingency 
operations.
    The cost of compliance is a common pushback for levying new 
responsibilities on public and private-sector utilities. To 
offset, FEMA should extend their existing grants program in 
partnership with the SRMAs to fund necessary preparation, 
training, and exercises. CISA should be resourced to manage 
systematic exercise programs to ensure that we have the 
National experience necessary to act under such urgent 
circumstances.
    There is considerable opportunity for EPA to step up, CISA 
and FBI to systematically engage across, and for industry to do 
better with information sharing, but these modest reforms must 
be measured against the scale of the threat that we face. With 
the limited time and resources available, we should certainly 
begin piloting, exercising, and preparing for contingency 
scenarios that require isolated operations across our lifeline 
critical infrastructure sectors.
    I look forward to answering questions from the committee. 
Thank you.
    [The prepared statement of Mr. Clancy follows:]
                  Prepared Statement of Charles Clancy
                            6 February 2024
    Chairman Garbarino, Ranking Member Swalwell, and Committee Members: 
Thank you for inviting me to testify before you today on a topic of 
critical national importance. My name is Charles Clancy, and I am a 
senior vice president and chief technology officer at MITRE where I 
lead science, technology, and engineering for the company. MITRE is a 
non-profit, non-partisan research institution that operates Federally-
Funded Research and Development Centers (FFRDCs) on behalf of the U.S. 
Government. Among other technical disciplines, our team of over 1,500 
cybersecurity professionals provide deep expertise across the Executive 
branch, including in support of organizations like the Cybersecurity 
and Infrastructure Security Agency (CISA), the National Institute of 
Standards and Technology (NIST), and U.S. Cyber Command. MITRE's 
ATT&CK(TM) framework has become the de facto language between 
Government and industry for describing and combatting cyber threats.
    Prior to joining MITRE, I spent 9 years as a member of the faculty 
at Virginia Tech where I held the Bradley Distinguished Professorship 
of Cybersecurity in the Department of Electrical and Computer 
Engineering, and served as executive director of what is now the 
Virginia Tech National Security Institute. I started my career at the 
National Security Agency leading advanced research and development 
programs.
    It is my pleasure to address this committee.
                           threat environment
    Threats to our Nation's critical infrastructure cybersecurity have 
heightened dramatically over the past 7 years as Russia and China have 
shifted to using cyber access to U.S. critical infrastructure as a 
strategic instrument of statecraft. Targeting and penetrating our 
infrastructure have grown precipitously, leading then-Director of 
National Intelligence Dan Coats to famously say the ``warning lights 
are blinking red again'' in 2018,\1\ comparing warning signs about 
critical infrastructure penetrations to the pre-9/11 indicators. Just 
last week FBI Director Christopher Wray testified that the U.S. 
Government had successfully disrupted Volt Typhoon,\2\ a persistent and 
sophisticated Chinese Communist Party (CCP) campaign to gain strategic 
access to U.S. critical infrastructure systems for disruptive and 
destructive effects.
---------------------------------------------------------------------------
    \1\ https://www.npr.org/2018/07/18/630164914/transcript-dan-coats-
warns-of-continuing-russian-cyberattacks.
    \2\ https://www.washingtonpost.com/national-security/2024/01/31/
china-volt-typhoon-hack-fbi/.
---------------------------------------------------------------------------
    In its 2023 annual threat assessment,\3\ the intelligence community 
assessed that the CCP would launch widespread cyber attacks against 
U.S. critical infrastructure ahead of an invasion of Taiwan to ``deter 
U.S. military action by impeding U.S. decision making, inducing 
societal panic, and interfering with the deployment of U.S. forces.'' 
Their primary targets are assessed to be energy, transportation, 
communications, and water infrastructure.
---------------------------------------------------------------------------
    \3\ https://www.dni.gov/files/ODNI/documents/assessments/ATA-2023-
Unclassified-Report.pdf.
---------------------------------------------------------------------------
    With President Xi's asserted time line of being ready for a Taiwan 
invasion by 2027,\4\ the U.S. military is kicking its response planning 
into high gear, but the United States may be existentially unprepared 
to defend its critical infrastructure for what would undoubtedly be an 
initial wave of attacks, followed by a sustained cyber campaign 
targeting U.S. infrastructure. Campaigns like Volt Typhoon demonstrate 
that this threat is not hypothetical: the CCP is deliberately gaining 
access to critical infrastructure so it can strategically disrupt and 
destroy these systems at a future time.
---------------------------------------------------------------------------
    \4\ https://www.reuters.com/world/china/logistics-war-how-
washington-is-preparing-chinese-invasion-taiwan-2024-01-31/.
---------------------------------------------------------------------------
    Much of the U.S. strategy to date has focused on strengthening our 
systems to keep adversaries out of our critical infrastructure and to 
blunt the first wave; however, this strategy fails to recognize that 
CCP attacks in conjunction with a Taiwan invasion will not be discrete 
events for which we can respond proportionately, but an enduring cyber 
conflict. Our current approach is inadequate. Advanced persistent 
threat actors are frequently obviating protections we have placed in 
these systems. It also doesn't address the rapid response and 
restoration activities that will inevitably be needed to reconstitute 
when attacks occur.
                        needed strategic posture
    Much can be done to improve the current apparatus for securing 
critical infrastructure, and I will address those within the context of 
the water sector shortly. But I fear those actions miss the forest for 
the trees.
    Nationally, we need to prepare for a more realistic adversary 
operational plan. Military systems have wartime reserve modes that 
change their configuration and operating posture to confound adversary 
exploitation, and the United States' critical infrastructure systems 
need an intellectually similar set of contingencies that can be 
activated in a period of major conflict.
    Many critical infrastructure operators already contemplate such 
impacts through the lens of natural disasters. For example, electric 
grid operators consider ways to minimize the impacts of geomagnetic 
disturbances from the sun by modifying the state and configuration of 
their operations. This operational adaptability mindset needs to extend 
to cyber-attack scenarios.
    Operators need to prepare, train, and exercise for isolation 
operations where they operate their operational technology (OT) systems 
physically isolated from the information technology (IT) systems and 
the internet. This includes creating continuity of operations plans 
that sever IT and OT systems to disrupt an adversary's ability to 
command and control malicious tools deployed into OT systems. Given CCP 
threat actors have adopted a strategy of ``living off the land'' where 
they do not install detectable malicious agents in target networks, but 
rather access systems like authorized administrators,\5\ severing IT-OT 
connectivity would prevent them from triggering effects to degrade or 
destroy critical infrastructure systems.
---------------------------------------------------------------------------
    \5\ https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-
144a.
---------------------------------------------------------------------------
    Likely many critical infrastructure operators lack the needed 
engineering staff to sustain isolation operations in an on-going 
capacity, so new programs are needed to train National Guard units or 
create a civilian reserve corps of cyber physical operators and experts 
to augment critical infrastructure operators to sustain isolation 
operations. Moreover, we need to practice for multiple sector failures 
in population centers and assess cascading impacts. This includes not 
only tabletop exercises and hypothetical wargaming, but also live 
drills where we test contingency operations.
    The cost of compliance is a common pushback to levying new 
responsibilities on private-sector critical infrastructure asset-owner-
operators; therefore, to incentivize adoption of cyber best practices, 
the Federal Government needs to reduce that burden. The Federal 
Emergency Management Agency (FEMA) should extend their existing grants 
program,\6\ in partnership with Sector Risk Management Agencies 
(SRMAs), to fund the necessary preparation, training, and exercises. 
The Cybersecurity Infrastructure Security Agency (CISA) should be 
resourced to manage a systematic exercise program to ensure that, if 
necessary, we have the national experience necessary to act under 
urgent circumstances.
---------------------------------------------------------------------------
    \6\ https://www.cisa.gov/state-and-local-cybersecurity-grant-
program.
---------------------------------------------------------------------------
    Given the scale of the challenge, FEMA and CISA should focus on the 
current CISA lifeline sectors: energy, water, communications, and 
transportation.\7\
---------------------------------------------------------------------------
    \7\ https://www.cisa.gov/sites/default/files/publications/Guide-
Critical-Infrastructure-Security-Resilience-110819-508v2.pdf.
---------------------------------------------------------------------------
                              water sector
    The water sector is perhaps the most under-resourced and 
disadvantaged among the lifeline sectors. In addition to preparing and 
practicing contingencies for a large-scale and enduring cyber conflict, 
there are plenty of more targeted things that could help improve 
cybersecurity and make China and Russia's cyber exploitation efforts 
more difficult.
    Presidential Policy Directive (PPD) 21,\8\ Critical Infrastructure 
Security and Resilience, and PPD 41,\9\ United States Cyber Incident 
Coordination, organized the ecosystem we have today between CISA, the 
Federal Bureau of Investigation (FBI), and SRMAs. Accordingly, SRMAs 
bear the front-end regulatory responsibilities, while CISA and the FBI 
are responsible for back-end incident management and investigation 
after a cyber attack has occurred. There is a perception by operators, 
however, that systematically engaging SRMAs in incident response could 
lead to punitive regulatory actions. That, combined with their frequent 
lack of incident response experience and expertise, leads to an open 
loop system where we do not learn from attacks, which is antithetical 
to the goals of the NIST Cybersecurity Framework \10\ and Executive 
Order 13636.\11\ While sectors like the bulk electric power system \12\ 
have been forced to ameliorate this through robust working-level 
relationships, public-private partnerships, and unique authorities held 
by the Secretary of Energy,\13\ other sectors such as water lack this 
scale, sophistication, and authorities.
---------------------------------------------------------------------------
    \8\ https://obamawhitehouse.archives.gov/the-press-office/2013/02/
12/Presidential-policy-directive-critical-infrastructure-security-
and-resil.
    \9\ https://obamawhitehouse.archives.gov/the-press-office/2016/07/
26/Presidential-policy-directive-united-states-cyber-incident.
    \10\ https://www.nist.gov/cyberframework.
    \11\ https://obamawhitehouse.archives.gov/the-press-office/2013/02/
12/executive-order-improving-critical-infrastructure-cybersecurity.
    \12\ https://www.nerc.com/pa/Stand/Pages/default.aspx.
    \13\ https://www.energy.gov/ceser/energy-security-provision-within-
fixing-americas-surface-transportation-act-fast-act.
---------------------------------------------------------------------------
    At a national level, water's SRMA, the Environmental Protection 
Agency (EPA) needs to deepen its in-house cybersecurity expertise and 
develop a strategy to promote cybersecurity more effectively within the 
sector. This strategy should be informed by threat and incident 
information by EPA being much more engaged with CISA in incident 
response and analysis. The recently-released incident response guide 
\14\ is a good indicator that these connections are strengthening. 
Given the large number of water entities without any cybersecurity 
expertise and limited resources, implementation guidance, in plain 
language, will likely be needed to translate existing CISA, FBI, and 
NSA guidance to a simplified list of priority actions.
---------------------------------------------------------------------------
    \14\ https://www.cisa.gov/resources-tools/resources/water-and-
wastewater-sector-incident-response-guide-0.
---------------------------------------------------------------------------
    Grass-roots efforts being led by the Water Sector Coordinating 
Council and Water Information Sharing and Analysis Center (ISAC) are 
also important positive steps. In fact, both MITRE and Dragos are 
working closely with the Water ISAC on constructive solutions.\15\ More 
broadly, MITRE has recommended SRMAs shift the focus from compliance 
checking to self-assessments, threat sharing, technical assistance, and 
fostering the organizational capacity and expertise to execute.\16\
---------------------------------------------------------------------------
    \15\ https://www.waterisac.org/portal/water-and-wastewater-
utilities-and-other-critical-infrastructure-fortify-defenses-against.
    \16\ https://www.mitre.org/sites/default/files/2023-11/PR-23-02057-
08-Cybersecurity-Regulatory-Harmonization.pdf.
---------------------------------------------------------------------------
    Another important step is standardizing reporting of cyber 
incidents. Despite highlighting significant cybersecurity gaps within 
the water sector, prior EPA efforts were withdrawn over legal 
challenges.\17\ The Cyber Incident Reporting for Critical 
Infrastructure Act (CIRCIA) of 2022 \18\ offers the potential to close 
this gap if the information collected is robust and focused on 
reporting tangible threat behaviors and indicators. Similarly, improved 
coordination and interoperability among OT security vendors \19\ could 
also help close the information and reporting gap.
---------------------------------------------------------------------------
    \17\ https://www.securityweek.com/epa-withdraws-water-sector-
cybersecurity-rules-due-to-lawsuits/.
    \18\ https://www.cisa.gov/topics/cyber-threats-and-advisories/
information-sharing/cyber-incident-reporting-critical-infrastructure-
act-2022-circia.
    \19\ https://www.nozominetworks.com/blog/ethos-emerging-threat-
open-sharing-platform.
---------------------------------------------------------------------------
    Meanwhile, since Executive Order 14028,\20\ industrial capacity to 
generate and deliver software bills of material (SBOMs) has been 
improving. Open-source software underpins most of the internet, and is 
also pervasive in OT networks. In most cases, this software has dubious 
supply chains \21\ and critical infrastructure operators need tools to 
better manage this risk. One approach is to have OT vendors selling 
into the U.S. market provide SBOMs for their products to a 
clearinghouse that notifies them if a new vulnerability is disclosed 
that impacts their product. Much like safety recalls for automobiles 
governed by the National Highway Traffic Safety Administration (NHTSA), 
similar notices could be combined with regulatory rulemaking to prompt 
critical infrastructure operators to close security gaps in a timelier 
manner.
---------------------------------------------------------------------------
    \20\ https://www.whitehouse.gov/briefing-room/Presidential-actions/
2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
    \21\ https://industrialcyber.co/reports/fortress-research-finds-
most-us-energy-software-contains-code-from-russian-chinese-developers/.
---------------------------------------------------------------------------
                               conclusion
    In closing, there is a considerable opportunity for EPA to step up, 
CISA and FBI to systematically engage across, and the network of 
security vendors to make it easier for everyone to coordinate. But 
these modest reforms should be kept in context with the scale of the 
threat, and the limited amount of resources available to critical 
infrastructure operators, particularly in the water sector. We should 
urgently begin piloting, exercising, and preparing for contingency 
scenarios that require isolated operations across lifeline critical 
infrastructure sectors.

    Chairman Garbarino. Thank you, Dr. Clancy.
    Dr. Morley, I now recognize you for 5 minutes to summarize 
your opening statement.

STATEMENT OF KEVIN M. MORLEY, PH.D., MANAGER, FEDERAL RELATIONS, 
                AMERICAN WATER WORKS ASSOCIATION

    Mr. Morley. Good morning, Chairman Garbarino, Ranking 
Member Swalwell, and Members of the subcommittee. My name is 
Kevin Morley. I'm the Federal relations manager for the 
American Water Works Association, or AWWA.
    Established in 1881, AWWA provides solutions to improve 
public health, protect the environment, strengthen our economy, 
and enhance our quality of life. In the modern era of utility 
operations this mission also includes managing cybersecurity 
risks that could threaten the essential lifeline function that 
water professionals provide 24/7/365.
    In terms of prioritizing cybersecurity in the water sector, 
AWWA has been at the forefront with our partners in building 
cybersecurity awareness and providing resources to support the 
implementation of best practices. Collaboration has been a core 
organizing principle. For example, AWWA worked closely with 
NIST, CISA, EPA, and subject-matter experts from the water 
sector to develop a sector-specific approach to implementing 
the NIST cybersecurity framework, as called for in Executive 
Order 13636.
    Our guidance and assessment tool, first issued in 2014, 
helps the utility identify and address the highest priority 
controls based on their application of various IT and OT 
systems. More recently, in 2021, AWWA assessed the potential 
for regulatory oversight options. Our recommended approach 
would create an independent, non-Federal entity to lead the 
development of minimum cybersecurity requirements, leveraging 
subject-matter experts from the field.
    Federal oversight and approval of those requirements would 
be provided by EPA as the Sector Risk Management Agency. This 
collaboration approach builds on a similar model used in the 
electric sector, with Congressional approval via FERC and NERC.
    In a maturing CISA, consistent public-private collaboration 
is essential. Recent examples of the benefits include filling 
the water sector liaison position in the Stakeholder Engagement 
Division, which has provided continuity of communications and 
engagement with the Sector Coordination Council and the EPA. A 
recent stakeholder engagement process facilitated by the JCDC 
has generated a new water sector cyber incident response guide 
informed by subject-matter experts and the needs of utility 
owner-operators. More recently, as noted in Director Easterly's 
testimony last week, threat hunting is obviously a critical 
value that CISA can provide to multiple critical infrastructure 
sectors.
    There continues to be significant opportunity to 
collaborate to support the cybersecurity needs of 50,000 
community drinking water systems and nearly 16,000 wastewater 
systems, including the following: unified messaging to launch 
an outreach campaign with partners to expedite enrollment in 
CISA's vulnerability scanning service to help utilities address 
threat exposure; inform and enable utilities by investing in 
capacity development to empower utility owner operators to 
effectively engage cybersecurity issues that are aligned with 
their needs.
    We believe, for example, AWWA's small systems guidance 
provides a robust Getting Started guide focused on 6 key 
domains from the NIST cybersecurity framework. Training on the 
application of guidance delivered by trusted partners like AWWA 
is highly effective and has been a proven force multiplier for 
building awareness and enabling utilities to assess potential 
vulnerabilities and implement controls to mitigate risk.
    Frankly, we do not need new resources. We need to organize 
those that we already have in place in a manner that is more 
accessible to owners and operators.
    Technology transformation, as noted, drinking water-
wastewater utility operators have been evolving and adapting to 
new technologies since the turn of the last century. The 
difference today as it relates to cybersecurity is the 
convergence of technology systems that have traditionally 
operated independently.
    This integration of IT and OT systems has definitely 
improved operational efficiencies, but legacy OT systems were 
not designed to be connected. Many of these OT systems were 
major capital investments at the time of their implementation, 
with an expected service life of 20 to 25 years.
    The difficulty that we faced is that IT systems cycle 
through upgrades at a rate that has simply outpaced those OT 
systems. This digital divide has stranded many utilities on 
legacy OT systems.
    Funding that prioritizes and expedites technology upgrades 
to address legacy OT systems is necessary to overcome this 
digital divide. We must also ensure that those new technologies 
apply a Secure by Design principle as recommended by CISA.
    Improving threat information sharing also requires EPA and 
CISA to work collaboratively with the water ISAC to establish 
standard operating procedures for the inclusion of SMEs to 
ensure that those advisories inform--information is transmitted 
in a concise, actionable, and properly contextualized manner.
    With that, sir, I appreciate the opportunity of the 
committee to share these points and welcome your questions.
    [The prepared statement of Mr. Morley follows:]
                 Prepared Statement of Kevin M. Morley
                            February 6, 2024
    Good morning, Chairman Garbarino, Ranking Member Swalwell, and 
Members of the subcommittee. My name is Kevin Morley, and I am the 
federal relations manager for the American Water Works Association 
(AWWA), on whose behalf I am speaking today. Established in 1881, AWWA 
is the largest nonprofit, scientific, and educational association 
dedicated to managing and treating water, the world's most vital 
resource. We represent water systems large and small, municipal and 
investor-owned, urban and rural. With approximately 50,000 members, 
AWWA provides solutions to improve public health, protect the 
environment, strengthen the economy and enhance our quality of life. In 
the modern era of water utility operations, that mission also includes 
managing cybersecurity risks that could threaten the essential lifeline 
function water professionals provide 24/7/365.
                      it & ot in the water sector
    Drinking water and wastewater utility operations have been evolving 
and adapting to new technologies since the turn of the last century. A 
paper presented during AWWA's 1965 Annual Conference includes a 
statement that is just as relevant today as it was then:

``The complex expansion of water systems has resulted in substantial 
adoption of instrumentation by the water industry. Modern instrument 
systems have made possible the surveillance and remote control of 
wells, treatment facilities, pumping stations, storage tanks, and 
transmission main valving, while rising labor costs have prompted water 
utility management to follow other industries in establishing some 
degree of automation and centralized control.''\1\
---------------------------------------------------------------------------
    \1\ Crow, W.B. & Eidsness, F.A. (1965) Savings Through 
Instrumentation and Control In Two Water Systems. Journal AWWA, 
57:12:1509.
---------------------------------------------------------------------------

    The difference today as it relates to cybersecurity is the 
convergence of technology systems that had traditionally operated 
independently. Information technology (IT) are the business enterprise 
systems like laptops and software systems used to manage email, 
payroll, customer billing, and service contracts. The operational 
technology (OT) are the systems used to manage and control various 
physical operations for the treatment and distribution of drinking 
water or the collection and treatment of wastewater. The integration of 
IT and OT systems has improved operational efficiency to optimize 
various unit processes and allowed greater visibility into those 
systems.
    The challenge is that many current IT systems were designed to be 
connected to the internet, while OT systems were not but have since 
been plugged in. This integration began before the prospect of 
cybersecurity threats targeting today's critical infrastructure systems 
was envisioned. The cost savings realized were long ago absorbed into 
capital projects and reconfigurations of the workforce. Those OT 
systems were capital-intensive and often had an expected service life 
of 20-25 years. This is very different than IT systems which have 
cycled through new versions at a pace that has outpaced the support for 
OT systems. As a result, older legacy OT systems are dependent on IT 
systems that are no longer supported and are unable to communicate with 
the new versions.
    The ``fix'' for this digital divide is complex since utility 
services must continue working 24/7 until the transition is complete. 
While implementation of certain controls can help to manage cyber risk, 
ultimately IT upgrades may require total overhaul, rip and replace, of 
various OT elements. These capital projects are often lengthy and cost-
intensive. As an example, a large water system recently embarked on a 
5-year, $80 million capital project to complete these upgrades. The 
financial cost associated with this type of transformation is amplified 
by the reality that 90 percent of water systems serve less than 3,300 
people and have severely constrained budgets.
    Drinking water utilities are already facing significant costs to 
comply with multiple regulations, including the revised lead and copper 
rule and pending PFAS standards. The treatment processes necessary to 
comply with these rules will require greater automation and digital 
dependency. The compliance costs for new regulatory obligations come on 
top of the $1.2 trillion that AWWA estimates is needed over 20 years 
for the repair and replacement of aging distribution and transmission 
lines nationally.\2\ Escalating supply chain costs on essential 
treatment chemicals, piping materials and equipment have also imposed 
considerable pressure on operating budgets, which are not expected to 
moderate in the near term.\3\
---------------------------------------------------------------------------
    \2\ AWWA (2012) Buried No Longer: Confronting America's Water 
Infrastructure Challenge.
    \3\ Morley, KM. (2023) Supply Chain Threats Persist. Journal AWWA 
115(2):6. https://doi.org/10.1002/awwa.2048.
---------------------------------------------------------------------------
    Unlike other critical infrastructure sectors, to date, there has 
been no dedicated funding appropriated to expedite technology upgrades 
at water systems with legacy OT systems. While cybersecurity is one of 
many eligible activities within the State Revolving Fund (SRF) program, 
constraints on that program may not allow utilities to acquire the 
optimal cybersecurity support they need. If the water sector is truly a 
national security priority, then it will need support to expedite 
technology transformations to address the digital divide in a manner 
that is not punitive and fulfills our shared commitment to the 
communities we serve.
             prioritizing cybersecurity in the water sector
    Drinking water and wastewater systems sustain our way of life and 
support public health, safety, and economic vitality. These systems are 
robust and resilient but, like all critical infrastructure entities, 
are not immune to cyber threats. In recognition of this threat, AWWA 
has actively engaged our members, and the sector at large, in building 
cybersecurity awareness and providing resources to support the 
implementation of best practices. As evidence of growth in awareness, 
utility leaders have consistently rated cybersecurity as a very high 
priority in AWWA's annual State of the Water Industry report for 
several years. This trend runs parallel to AWWA's collaboration with 
water utility subject-matter experts and Federal partners to provide a 
water sector-specific approach for implementing the NIST Cybersecurity 
Framework (CSF), as called for in Executive Order 13636.
    AWWA's Water Sector Cybersecurity Risk Management Guidance and 
Assessment Tool, first issued in 2014, helps a utility examine which 
cybersecurity controls and practices are most applicable based on the 
technology applications they have implemented. The resource emphasizes 
actions that address the highest-priority controls expected to quickly 
provide the greatest risk reduction value. AWWA also partnered with the 
United States Department of Agriculture to develop the Water Sector 
Cybersecurity Risk Management Guidance for Small Systems, a ``getting 
started guide'' that helps small, rural utilities serving fewer than 
10,000 people assess and implement cybersecurity best practices.
    Strong cybersecurity measures are essential to ensuring a cyber 
incident does not threaten public health. Several cyber incidents led 
AWWA in 2021 to assess a variety of potential options, which resulted 
in our recommendation to establish a new cybersecurity governance 
framework in the water sector. Our recommended approach would create an 
independent, non-Federal entity to lead the development of minimum 
cybersecurity requirements, leveraging subject-matter experts from the 
water sector. Federal oversight and approval of requirements would be 
provided by the EPA. This framework builds on a similar model that has 
been applied in the electric sector with Congressional approval.
    This governance model would follow a tiered, risk- and performance-
based approach that accommodates the differences in operational 
complexity and maturity in the sector. This recommendation aligns with 
calls for public-private collaboration included in the National Cyber 
Strategy. It recognizes that cybersecurity is a shared responsibility 
that benefits from the direct engagement and operational knowledge of 
owner/operators and the accountability that comes with Federal 
oversight.
    We believe it is timely and prudent for Congress to authorize this 
collaborative model to ensure utilities are directly engaged in 
developing appropriate cybersecurity requirements--with oversight from 
EPA--to create a robust cybersecurity risk management paradigm in the 
water sector.
    In addition to establishing a sound oversight model, it is critical 
to recognize other collaborative opportunities to support cybersecurity 
in the water sector.
                consistent public-private collaboration
    CISA's maturity has evolved significantly since its formation, 
including predecessor functions. Most notable is the permanent addition 
of a water sector liaison in the Stakeholder Engagement Division. This 
has provided continuity in communications and generated productive 
engagement with the Water Sector Coordinating Council (SCC) and EPA as 
the Sector Risk Management Agency (SRMA). The most recent output was a 
stakeholder engagement process facilitated by the Joint Cyber Defense 
Collaborative (JCDC) which published ``Incident Response Guide: Water 
and Wastewater Systems (WWS) Sector.'' This effort integrated the 
insights and recommendations provided by the stakeholder community to 
ensure that the guidance is best suited to address their needs.
    Another useful outcome was a collaborative effort to raise the 
visibility and awareness of CISA's Vulnerability Scanning service, as 
recommended in prior testimony. Before the fact sheet developed with 
the WSCC and Association of State Drinking Water Administrators, the 
value and purpose of this tool was not accessible to the entities that 
would derive the greatest benefit if enrolled. The fact sheet requires 
an organized outreach campaign that can provide a unified message on 
the resources provided by CISA and their relationship with other 
resources.
    In the earlier years of CISA's predecessor, the SCCs would come 
together with agency staff for strategic planning, a requirements 
assessment of sorts, to identify the needs of the various critical 
infrastructure sectors. While not all sector needs became action items 
for agency workplans, it was a useful exercise to examine unique 
conditions and identify cross-sector needs. The WSCC, working with 
State and Federal partners, has developed a strategic roadmap that 
defines top-level priorities for managing risk and building resilience. 
When Federal partners initiate projects to act on those priorities, it 
is in our collective interest that collaboration occurs early and often 
to ensure the approach is aligned with the needs of the stakeholders 
whom it is presumably designed to support. Miscues lead to missed 
opportunities, duplication of effort and products that do not fulfill 
the needs of owner/operators.
    As we did following 9/11, collaboration with trusted partners like 
AWWA is a high-value force-multiplying capability that should be 
maximized to address the national security risk cyber threats impose on 
drinking water and wastewater systems. Other action items to be 
considered further include the following:
    1. Unified Messaging.--Launch a collaborative campaign to expedite 
        enrollment in CISA's vulnerability scanning service to help 
        utilities address threat exposure. This is a highly-valuable 
        service for systems with limited in-house resources to provide 
        timely information on exposures and recommended mitigations.
    Work with stakeholders in the water sector to review the myriad 
        resources and prepare a matrix that communicates, in plain 
        English, the function they provide and associated relationship. 
        Currently, the array of ``stuff'' is overwhelming and as a 
        result undersubscribed or inaccessible to those with the 
        greatest need, absent some order or clearly-defined progression 
        of applicability.
    2. Inform and Enable.--Invest in capacity development to empower 
        utility owner/operators to effectively engage cybersecurity 
        issues that are aligned with their needs. We believe AWWA's 
        small system guidance provides a robust ``getting started'' 
        guide focused on six key domains from the NIST CSF.
    Training on the application of this guidance delivered by trusted 
        partners like AWWA is a highly effective and proven force 
        multiplier for building awareness and enabling utilities to 
        assess potential vulnerabilities and implement controls to 
        mitigate risks. There is a significant opportunity to 
        collaborate to support the cybersecurity needs for 50,000 
        community drinking water systems and nearly 16,000 wastewater 
        systems.
    3. Technology Transformation.--Funding that prioritizes and 
        expedites technology upgrades to address legacy operational 
        technologies will be necessary to overcome the growing digital 
        divide. These legacy OT systems simply cannot operate on newer 
        enterprise platforms and, in many instances, this requires a 
        rip and replace project that is capital- and time-intensive.
    4. Improve threat information sharing.--We recommend that CISA and 
        EPA work with partners like the WaterISAC and the Water Sector 
        Coordinating Council to establish a standard operating 
        procedure for the inclusion of SMEs in the development of 
        threat alerts and advisories to ensure that the information 
        transmitted is concise, actionable, and properly 
        contextualized.
    In addition, it is critical to recognize and address the 
        unconscious competence associated with many cybersecurity 
        advisories. Simply state the problem and the recommended 
        mitigation. We would recommend putting the TTPs and MITRE 
        ATT&CK explanation in an appendix, as they are interesting but 
        often a distraction from the action being recommended to 
        mitigate the threat.
    5. Research and Development.--The Water Security Test Bed (WSTB), 
        developed by Idaho National Laboratory (INL) and the EPA Office 
        of Research and Development's (ORD), can help support research 
        into water sector-specific vulnerabilities and coordinate 
        information sharing. The WSTB is a large-scale, adaptable 
        testing environment that can be disrupted or destructively 
        tested by Government and industry partners. Funding for this 
        program would provide an objective platform to evaluate cyber 
        intrusion scenarios, demonstrate physical impacts, deliver 
        scalable mitigations useful for water utilities of various 
        sizes and budgets, and provide realistic utility operator 
        training.

    Chairman Garbarino. Thank you, Dr. Morley.
    Mr. Edwards, I now recognize you for 5 minutes to summarize 
your opening statement.

 STATEMENT OF MARTY EDWARDS, DEPUTY CHIEF TECHNOLOGY OFFICER, 
     OPERATIONAL TECHNOLOGY AND INTERNET OF THINGS, TENABLE

    Mr. Edwards. Chairman Garbarino, Ranking Member Swalwell, 
and Members of the subcommittee, thank you for the opportunity 
to testify on securing the industrial control systems that 
underpin our Nation's water sector.
    I am Marty Edwards, deputy chief technology officer for 
operational technology and internet of things at Tenable, a 
leading cybersecurity exposure management company with 43,000 
customers world-wide, including just about every Federal 
department and multiple critical infrastructure providers.
    In recent years, there has been an increase of successful 
cyber attacks against U.S. infrastructure, including the water 
sector. In November, attackers targeted the Municipal Water 
Authority of Aliquippa, Pennsylvania, exploiting OT assets that 
were directly accessible from the internet. Just last week, we 
learned of Chinese attempts to plant malware within U.S. 
critical infrastructure systems, including water treatment 
plants.
    Efforts to infiltrate the underlying systems that support 
not only the daily lives of Americans, but also the economy, 
are emerging as an acute national security risk. We must accept 
that our national security defense requires securing all of the 
systems that keep U.S. water infrastructure operational.
    There is no doubt that the history of OT systems and the 
current challenge of IT, OT, and even IoT convergence makes 
securing our critical infrastructure more difficult. But we 
have the tools and resources to be successful. The Federal 
Government has several on-going initiatives to improve critical 
infrastructure, OT, and IoT security, including for the water 
sector. I've outlined many of these in my written testimony.
    These are strong starting points, but they are 
insufficient to address the challenge. There is still 
significant opportunity for Congress to enhance critical 
infrastructure cyber preparedness.
    First, Congress should establish baseline cybersecurity 
requirements or standard of care for critical infrastructure. 
Based on effective cyber hygiene and preventative security 
practices, these should be developed in partnership with 
stakeholders and align with CISA's cross-sector cybersecurity 
performance goals, the NIST cybersecurity framework, and 
international standards.
    Basic cyber hygiene for critical infrastructure operations 
includes continuous visibility into what assets are on your 
network, strong identity and access management, discovering and 
remediating known vulnerabilities, and implementing incident 
detection and response capabilities. These baseline 
requirements must also address the challenges of securing 
converged IT and OT systems.
    Second, Congress should prioritize robust cybersecurity 
funding for programs and initiatives aimed at improving OT 
security. CISA's cyber hygiene program provides a range of 
cybersecurity assessments to critical infrastructure and other 
organizations. However, it does not currently include 
assessments of OT and IoT systems. The program should be 
expanded and resourced to include these services.
    Congress should support CISA and the Federal civilian 
Executive branch agencies to implement cybersecurity policy 
recommendations, like binding Operational Directive 2301 and 
M2404. Protecting our Nation's cybersecurity requires 
comprehensive knowledge of our networks, including conducting 
inventories of IT, OT, and IoT assets and prioritizing risk 
reduction accordingly.
    CISA and the Office of the national cyber director should 
have adequate budgets to fulfill their missions and continue to 
break down silos. CISA must serve as an effective operational 
coordinator to strengthen security in these environments in 
real time. ONCD should serve as a strategic coordinator across 
Government agencies.
    Last, cybersecurity should be incorporated into 
infrastructure funding. Modern infrastructure projects rely 
more on digital technologies and network connectivity, so it is 
imperative that OT cybersecurity is addressed in all phases of 
Federal infrastructure projects. Recipients should be allowed 
to allocate funds toward OT security, and any projects seeking 
funding should include a cybersecurity risk assessment.
    Thank you again, Chairman Garbarino, Ranking Member 
Swalwell, and Members of the subcommittee for the opportunity 
to testify before you today on the critical subject of securing 
the industrial control systems vital to our Nation's water 
sector. I appreciate the work of this committee and the 
bipartisan support that is here for cybersecurity.
    I look forward to the on-going collaboration to safeguard 
the IT, OT, and IoT systems that form the foundation of our 
Nation's critical infrastructure, and I'm happy to answer your 
questions.
    [The prepared statement of Mr. Edwards follows:]
                  Prepared Statement of Marty Edwards
                            February 6, 2024
                              introduction
    Chairman Garbarino, Ranking Member Swalwell, Chairman Green, 
Ranking Member Thompson, and Members of the subcommittee, thank you for 
the opportunity to testify before you today on securing the industrial 
control systems that underpin our Nation's water sector.
    My name is Marty Edwards and I am the deputy chief technology 
officer for operational technology (OT) and internet of things (IoT) at 
Tenable, a cybersecurity exposure management company that provides 
organizations, including the Federal Government, with an unmatched 
breadth of visibility and depth of analytics to measure and communicate 
cybersecurity risk. In collaboration with industry, Government, and 
academia, Tenable is raising awareness of the growing security risks 
impacting critical infrastructure and the need to take steps to 
mitigate those risks.
    My expertise is in OT and Industrial Control System (ICS) 
cybersecurity, and my work with Tenable has focused on furthering 
Government and industry initiatives to improve critical infrastructure 
security. I also previously served as the working group lead in the 
development of the Information Technology (IT)/OT Convergence Report 
\1\ issued by The President's National Security Telecommunications 
Advisory Committee (NSTAC) in August 2022.
---------------------------------------------------------------------------
    \1\ President's National Security Telecommunications Advisory 
Committee, ``Information Technology and Operational Technology 
Convergence Report,'' https://www.cisa.gov/sites/default/files/
publications/NSTAC%20IT-
OT%20Convergence%20Report_508%20Compliant_0.pdf.
---------------------------------------------------------------------------
    Prior to joining Tenable, I worked in the industry as an industrial 
control systems engineer and as a program manager at the U.S. 
Department of Energy's Idaho National Laboratory focused on 
cybersecurity. I was the last and the longest-serving director of the 
U.S. Department of Homeland Security's Industrial Control Systems Cyber 
Emergency Response Team (ICS-CERT), which is now part of the 
Cybersecurity and Infrastructure Security Agency (CISA).
                             about tenable
    Tenable is the Exposure Management company. Approximately 43,000 
organizations around the globe rely on Tenable to understand and reduce 
cyber risk. As the creator of Nessus, Tenable extended its expertise 
in vulnerabilities to deliver the world's first platform to see and 
secure nearly any digital asset on any computing platform, including OT 
and IoT. Tenable customers include approximately 60 percent of the 
Fortune 500, approximately 40 percent of the Global 2000, and large 
Government agencies.\2\
---------------------------------------------------------------------------
    \2\ Tenable, ``About Tenable,'' www.tenable.com.
---------------------------------------------------------------------------
                           why ot and why now
    On January 31, 2024, news broke that the U.S. disrupted attempts by 
China to plant malware within U.S. critical infrastructure systems, 
including water treatment plants. That same day, General Paul Nakasone, 
commander of U.S. Cyber Command; Jen Easterly, director of the 
Cybersecurity and Infrastructure Security Agency (CISA); Christopher 
Wray, director of the Federal Bureau of Investigation (FBI); and Harry 
Coker, Jr., director of the Office of the National Cyber Director 
(NCD), appeared before your colleagues on the House Select Committee on 
the Chinese Communist Party (CCP).
    The testimonies of these four cyber leaders addressed the threats 
to our critical infrastructure. Director Wray stated that, ``cyber 
threats to our critical infrastructure represent real-world threats to 
our physical safety,''\3\ and Director Easterly echoed that sentiment, 
saying ``cybersecurity is national security.''\4\
---------------------------------------------------------------------------
    \3\ House Select Committee on the Chinese Communist Party, ``The 
CCP Cyber Threat to the American Homeland and National Security,'' 
testimony of FBI Director Christopher Wray (22:10), https://
www.youtube.com/watch?v=MJOX3cpHfUI.
    \4\ House Select Committee on the Chinese Communist Party, ``The 
CCP Cyber Threat to the American Homeland and National Security,'' 
testimony of CISA Director Jen Easterly (36:10), https://
www.youtube.com/watch?v=MJOX3cpHfUI.
---------------------------------------------------------------------------
    Tenable CEO Amit Yoran responded to Director Wray's comments, 
calling his warning ``an urgent call to action. Continuing to turn a 
blind eye to the risk sitting inside our critical infrastructure is the 
definition of negligence.''\5\
---------------------------------------------------------------------------
    \5\ https://apnews.com/article/fbi-china-espionage-hacking-
db23dd96cfd825e4988852a34a99d4ea.
---------------------------------------------------------------------------
    Efforts to infiltrate the underlying systems that support not only 
the daily lives of Americans but also our economy are emerging as an 
acute national security risk. Cyber attacks against water systems can 
cause significant health effects, render property uninhabitable, and 
displace entire communities. We live in a digital world, and as a 
Nation we must accept that our national security defense requires 
securing the IT and OT systems that keep U.S. critical infrastructure 
operational.
    While Government and industry OT security initiatives are moving in 
the right direction, another key component to ensuring success is 
Federal funding. As Tenable CEO Amit Yoran stated in a recent letter to 
Congressional appropriators, robust cybersecurity funding must continue 
to be prioritized to ensure we can meet the cyber threats of today 
while securing against those of tomorrow.\6\
---------------------------------------------------------------------------
    \6\ Amit Yoran, ``Support for Prioritizing CISA Funding,'' 
LinkedIn, November 8, 2023, https://www.linkedin.com/posts/
ayoran_support-for-cisa-activity-7128398109985935360-xj7C/.
---------------------------------------------------------------------------
    There is no doubt that the history of OT systems and the current 
challenge of IT/OT/IoT convergence makes securing our critical 
infrastructure all the more difficult. However, we have the tools, 
knowledge, and capabilities to be successful.
       the complicated history of securing operational technology
    While OT has always been part of utilities, manufacturing, and 
other critical infrastructure sectors, OT technology was considered 
``safe'' from attacks because most OT devices were not connected to 
outside networks. It has been commonplace for software-dependent 
systems to be placed into service and never touched again for the next 
10 years, resulting in OT systems left unincorporated into standard 
processes for regular software updates, vulnerability assessments, and 
risk mitigation practices. With the convergence of IT and OT in today's 
modern facilities, these devices are often no longer air-gapped and in 
many cases are exposed to the internet--and to the threat of ransomware 
and cyber attacks.\7\
---------------------------------------------------------------------------
    \7\ Tenable, ``Operational Technology (OT) Security: How To Reduce 
Cyber Risk When IT and OT Converge,'' https://www.tenable.com/source/
operational-technology.
---------------------------------------------------------------------------
    The siloed nature of cybersecurity, especially between IT and OT 
teams, presents additional challenges for those tasked with securing 
OT. OT systems have yet to advance their security posture to be on par 
with their IT counterparts. In addition, IT and OT systems have their 
own goals and priorities, performance requirements, purposes, and life 
cycles. To reduce cyber risk, organizations world-wide must consider 
the deeply entrenched people, process, and technology issues within 
both IT and OT.\8\
---------------------------------------------------------------------------
    \8\ Tenable, ``Zero Day Vulnerabilities in Industrial Control 
Systems Highlight the Challenges of Securing Critical Infrastructure,'' 
https://www.tenable.com/blog/zero-day-vulnerabilities-in-industrial-
control-systems-highlight-the-challenges-of-securing.
---------------------------------------------------------------------------
    OT and IoT systems require specialized asset discovery solutions in 
order to not disrupt the safety and reliability of these environments. 
However, in a converged system-of-systems, asset owners must 
continuously evaluate all aspects of their systems, to include IT, OT, 
IoT, Cloud, Asset Exposure, and Identity. If all of these 
characteristics are being measured by separate security systems, it can 
make the CISO's job to provide concise, consolidated reporting 
difficult. Modern exposure management platforms can provide this 
overarching measurement of risk that can then be communicated to senior 
executives or to boards of directors.
    Today's environment brings numerous opportunities for 
misconfigurations and overlooked assets which makes it nearly 
impossible for cybersecurity leaders to obtain a unified view of their 
exposure. Too often, cybersecurity professionals develop an orientation 
toward reactive, incident-focused practices.
    Therefore, preventive tasks are often relegated to nothing more 
than a compliance exercise which leaves security teams unable to 
effectively evaluate what's happening across the attack surface.
    It has long been challenging for organizations to reduce cyber 
exposure with existing preventive tools. The new expanding complexity 
of the modern attack surface--encompassing multiple cloud systems, 
numerous identity and privilege management tools, multiple web-facing 
assets along with OT and IoT systems and software--can make exposure 
management all the more difficult.
    Security professionals need a unified view of their environments to 
realistically identify the objective security truths that indicate 
their exposure to risk. For operators of critical infrastructure 
environments, practices focused on cybersecurity governance, risk, and 
compliance must be revamped to improve exposure visibility. Management 
and remediation of security weaknesses in OT systems must be as routine 
a part of plant maintenance as the mechanical servicing of hardware.
        the state of operational technology in the water sector
                             recent threats
    In recent years, there has been an increase of successful cyber 
attacks against U.S. water systems and utilities, as well as wastewater 
systems. California, Maine, and Nevada's water facilities have all 
fallen victim to ransomware attacks. These attacks are continued 
evidence that industrial security is in need of significant 
improvements. In addition, some level of Government regulation is 
necessary to ensure the cyber safety of water and wastewater systems.
    More recently, the Municipal Water Authority of Aliquippa, 
Pennsylvania was the target of the exploitation of Unitronics' 
programmable logic controllers (PLCs).\9\ Programmable logic 
controllers (PLCs) are common tools utilized in the water and 
wastewater sectors. The exploitation of PLCs and similar OT systems is 
neither new nor uncommon, but this set of attacks took advantage of direct 
internet accessibility, which enables control systems assets to be 
accessed remotely.
---------------------------------------------------------------------------
    \9\ CNN, ``Federal investigators confirm multiple US water 
utilities hit by hackers,'' https://www.cnn.com/2023/12/01/politics/us-
water-utilities-hack/index.html.
---------------------------------------------------------------------------
    In a water or wastewater facility, PLCs are the literal brains of 
the operation. They are often programmed to do virtually all of the 
operational functions at a water treatment plant. When PLCs are 
compromised, threat actors can take control of motor and pump 
functions, and manipulate chemical settings. The effects on water 
quality and safety can be immediate or programmed to cause disruption 
at a future time.
    Attacks such as the one in Aliquippa, Pennsylvania, are largely due 
to poor cyber hygiene. Bad actors can easily roam the internet in 
search of assets that still have the factory default password. Allowing 
for direct accessibility from the internet, default passwords, and a 
lack of authentication security is more than negligent; it is a failure 
of not only the asset owner but of the complete OT security 
environment. The attack on Aliquippa's Municipal Water Authority 
underscores the critical need to enhance security measures within the 
water sector. This, along with robust multi-factor authentication, is 
imperative for critical infrastructure organizations to strengthen 
their cybersecurity posture.
             federal support for bolstering sector security
    In an effort to safeguard U.S. water and wastewater systems, CISA 
partnered with the Environmental Protection Agency (EPA) to develop a 
comprehensive toolkit designed to ``help water and wastewater systems 
build their cybersecurity foundation and progress to implement more 
advanced, complex tools to strengthen their defenses and stay ahead of 
current threats.''\10\
---------------------------------------------------------------------------
    \10\ U.S. Department of Homeland Security Cybersecurity and 
Infrastructure Security Agency, ``Water and Wastewater Cybersecurity 
Toolkit,'' https://www.cisa.gov/water.
---------------------------------------------------------------------------
    Additionally, CISA, the FBI, and the EPA recently issued a joint 
water sector incident response guide, which was developed under the 
Joint Cyber Defense Collaborative (JCDC), with participation from 
Tenable. The guide provides an extensive range of resources that cover 
the four stages of the incident response life cycle, from preparation 
to proactive post-incident activities. The guide also offers best 
practices for cyber incident reporting. CISA Executive Assistant 
Director for Cybersecurity Eric Goldstein emphasized, ``In the new 
year, CISA will continue to focus on taking every action possible to 
support `target-rich, cyber-poor' entities like WWS utilities by 
providing actionable resources and encouraging all organizations to 
report cyber incidents.''\11\
---------------------------------------------------------------------------
    \11\ U.S. Department of Homeland Security Cybersecurity and 
Infrastructure Security Agency, ``CISA, FBI and EPA Release Incident 
Response Guide for Water and Wastewater Systems Sector,'' 
https://www.cisa.gov/news-events/news/cisa-fbi-and-epa-release-incident-response-guide-water-and-wastewater-systems-sector.
---------------------------------------------------------------------------
    The EPA also issued--and then rescinded--its cybersecurity rule 
which mandated that states evaluate the cybersecurity capabilities of 
their drinking water systems. This mandate included assessing the 
cybersecurity of their public water systems' OT environment. Despite 
the rule no longer being in effect, the EPA continues to recommend 
aligning cybersecurity practices with CISA's CPGs.\12\ Tenable strongly 
encourages water infrastructure entities to follow this guidance as it 
empowers users to inventory assets, proactively assess vulnerabilities, 
implement robust cybersecurity protocols, and mitigate potential risks 
to build resilient water and wastewater systems.
---------------------------------------------------------------------------
    \12\ Regulatory Oversight, ``EPA Withdraws Cybersecurity Rule for 
Public Water Systems,'' 
https://www.regulatoryoversight.com/2023/11/epa-withdraws-cybersecurity-rule-for-public-water-systems/.
---------------------------------------------------------------------------
    It is worth noting that following the EPA's decision to rescind its 
cyber rule, there have been significant efforts within the water sector 
to support a collaborative approach with Federal partners to develop a 
framework similar to that employed by the North American Electric 
Reliability Corporation (NERC) and the Federal Energy Regulatory 
Commission (FERC) in the electric sector.\13\ We are pleased to see 
this high level of stakeholder engagement in the development phase and 
the strategic utilization of preexisting successful frameworks to 
enhance cybersecurity in the water sector. However, while this long-
term initiative is considered, it is imperative that we also support 
more immediate actions. CISA's CPGs should be the blueprint for 
implementing effective risk reduction practices in the interim.
---------------------------------------------------------------------------
    \13\ American Water Works Association, ``AWWA repeats call for 
strong cybersecurity measures after EPA withdraws rule,'' 
https://www.awwa.org/AWWA-Articles/awwa-repeats-call-for-strong-cybersecurity-measures-after-epa-withdraws-rule.
---------------------------------------------------------------------------
    There is no denying that foreign adversaries will continue to 
target the U.S. water sector and its more than 148,000 public water 
systems. How we address vulnerabilities today and build security into 
future systems will be the most important factors in determining the 
outcome of a large-scale targeted attack on our water infrastructure. 
Government officials and private-sector leaders must stay focused on 
addressing critical infrastructure vulnerabilities, particularly those 
stemming from the convergence of IT and OT technologies.\14\ Tenable 
firmly believes this is a national security imperative.
---------------------------------------------------------------------------
    \14\ U.S. Environmental Protection Agency, ``Information about 
Public Water Systems,'' 
https://www.epa.gov/dwreginfo/information-about-public-water-systems.
---------------------------------------------------------------------------
       current federal initiatives improving ot and iot security
    Until recently, Federal resources have primarily focused on 
securing IT networks. While this focus was more understandable prior to 
the convergence of IT and OT, the modern attack surface is rapidly 
expanding. Cyber criminals continue to use effective tactics such as 
exploiting known but unpatched vulnerabilities and deploying ransomware 
to gain entry into and compromise unsecured OT systems.
    There are several Federal initiatives to help OT organizations 
address modern security challenges, including Pillar One of the 
administration's National Cybersecurity Strategy, CISA's Cross-Sector 
Cybersecurity Performance Goals (CPGs), the CISA Cyber Hygiene program, 
the JCDC Industrial Control Systems (ICS) Working Group, the 
CyberSentry program, and the EPA's Cybersecurity Resources for Drinking 
Water and Wastewater Systems. Additionally, efforts like The 
President's National Security Telecommunications Advisory Committee 
(NSTAC) resulted in recommendations to improve IT/OT convergence. 
CISA's BOD 23-01 is helping Federal civilian departments and agencies 
identify assets and prioritize OT vulnerabilities. Finally, 
partnerships like the OT Cybersecurity Coalition (OTCC) are bringing 
together industry and Government stakeholders to better protect ICS and 
critical infrastructure assets. The following initiatives discussed 
below provide direction and guidance to improve OT cybersecurity 
outcomes.
    Pillar One of the administration's National Cybersecurity Strategy 
prioritizes establishing best practices and expanding minimum 
cybersecurity standards, including basic cyber hygiene and secure-by-
design principles. The Strategy highlights the persistent security 
threat of IT/OT convergence, prompting organizations to strategize 
responses to these challenges.\15\
---------------------------------------------------------------------------
    \15\ https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
---------------------------------------------------------------------------
    CISA's CPGs are a voluntary baseline of cybersecurity practices for 
all critical infrastructure entities that align with functions of the 
National Institute of Standards and Technology's (NIST) Cybersecurity 
Framework (CSF), which is widely utilized by critical infrastructure 
owners and operators. These goals integrate recommended practices for 
both IT and OT owners to prioritize security measures. Primary among 
these recommended practices is the requirement of a role to oversee all 
OT-related cybersecurity activities which will strengthen the 
relationship between IT and OT teams, improve incident response times, 
and provide OT-specific training for individuals in charge of OT 
operations.
    While a crucial step forward, it is necessary to acknowledge that 
additional efforts are needed, particularly to fortify the security of 
OT systems, especially those on which our Nation's water sector 
depends.
    CISA's Cyber Hygiene Program provides critical infrastructure 
facilities with essential services, including network discovery and 
vulnerability reporting. However, the number of eligible entities that 
participate in this valuable service is limited. There is an 
opportunity for CISA to enhance the promotion of these services and 
expand them to cover assessments of OT systems and networks. Further, 
Congress should ensure the program is adequately funded so that a 
greater number of resource-poor crucial infrastructure entities and 
utilities can improve their baseline cyber defenses.
    CISA recently established an ICS working group within the JCDC, 
which enables collaboration with CISA across a range of cybersecurity 
and vulnerability management issues, including bolstering the 
cybersecurity and resiliency of OT systems. Managing vulnerabilities is 
essential to secure critical IT and OT infrastructure and the work done 
by JCDC and CISA promotes the prioritization of network security. 
Tenable is a proud Alliance Partner of the JCDC.
    The CyberSentry Program was also established by CISA as part of its 
on-going commitment to safeguarding the Nation's critical 
infrastructure against sophisticated cyber threats. This threat 
detection and monitoring capability, managed by CISA, collaborates 
closely with critical infrastructure providers to vigilantly monitor 
and detect cyber threats targeting both IT and OT networks. CyberSentry 
facilitates collective defense and mutual benefit across the critical 
infrastructure landscape through these partnerships. It provides IT and 
OT network operators with comprehensive visibility into both known and 
unknown assets, which is essential for effectively assessing and 
managing risks.
    The EPA provides cybersecurity guidance and resources for drinking 
water and wastewater systems.\16\ The ``EPA Cybersecurity for the Water 
Sector'' guide includes resources for cybersecurity assessments, 
planning, training, and response, as well as funding options available 
for water utilities.\17\
---------------------------------------------------------------------------
    \16\ U.S. Environmental Protection Agency Cybersecurity for the 
Water Sector, 
https://www.epa.gov/waterresilience/cybersecurity-assessments.
    \17\ Ibid.
---------------------------------------------------------------------------
    NSTAC's 2022 IT/OT Convergence Report recommendations have been 
impactful for improving OT security.\18\ The report included 3 
recommendations that the administration could immediately implement to 
strengthen the cybersecurity posture of U.S. Government-owned and -
operated OT systems. To date, only one of those three recommendations 
has been partially implemented.\19\
---------------------------------------------------------------------------
    \18\ Ibid 1.
    \19\ Tenable, ``IT/OT Convergence: Now Is The Time to Act,'' 
https://www.tenable.com/blog/itot-convergence-now-is-the-time-to-act.
---------------------------------------------------------------------------
    The report recommended that the President issue a Binding 
Operational Directive (BOD) (similar to what Section 1505 of the Fiscal 
Year 2022 National Defense Authorization Act (NDAA) requires for the 
Department of Defense (DoD)) to require Executive civilian branch 
departments and agencies to maintain a real-time, continuous inventory 
of all OT devices, software, systems, and assets within their areas of 
responsibility. The BOD should also require such inventory to include 
an understanding of any interconnectivity to other systems. Following 
the release of the NSTAC report, CISA issued BOD 23-01: Improving Asset 
Visibility and Vulnerability Detection on Federal Networks.\20\
---------------------------------------------------------------------------
    \20\ https://www.cisa.gov/news-events/directives/bod-23-01-improving-asset-visibility-and-vulnerability-detection-Federal-networks.
---------------------------------------------------------------------------
    Binding Operational Directive 23-01 was issued in October 2022, and 
requires Federal agencies to enhance visibility into agency assets and 
associated vulnerabilities. The BOD will help Federal agencies have the 
necessary foundation to maintain a successful cybersecurity program, 
focusing on two core activities: Asset Discovery, and Vulnerability 
Enumeration.
    This directive applies to all IP-addressable networked assets that 
can be reached over IPv4 and IPv6 protocols and outlines new 
requirements for cloud assets, IPv6 address space, and OT in an effort 
to reduce cyber risk. It builds on BOD 22-01, which was issued in 2021, 
and requires Federal agencies ``to remediate vulnerabilities in the 
Known Exploited Vulnerabilities (KEV) catalog within prescribed time 
frames.''\21\ The KEV catalog is maintained by CISA and helps 
organizations prioritize remediation of listed vulnerabilities and 
reduce the opportunities for threat actors to compromise systems.
---------------------------------------------------------------------------
    \21\ U.S. Department of Homeland Security Cybersecurity and 
Infrastructure Security Agency, ``Reducing the Significant Risk of 
Known Exploited Vulnerabilities,'' 
https://www.cisa.gov/known-exploited-vulnerabilities.
---------------------------------------------------------------------------
    Additionally, in December 2023 the Office of Management and Budget 
(OMB) issued a memorandum (memo M-24-04) to Federal departments and 
agencies requiring IoT and OT asset inventory, in an effort to 
``enhance the U.S. Government's overall cybersecurity posture and to 
help ensure integrity of systems.''\22\ The OMB set a deadline for 
agencies to inventory assets by the end of fiscal year 2024.
---------------------------------------------------------------------------
    \22\ Office of Management and Budget, ``Fiscal Year 2024 Guidance 
on Federal Information Security and Privacy Management Requirements,'' 
https://www.whitehouse.gov/wp-content/uploads/2023/12/M-24-04-FY24-FISMA-Guidance.pdf.
---------------------------------------------------------------------------
    While the releases of BOD 23-01 and M-24-04 are positive directions 
for Federal agencies, there remain challenges with implementation. 
Compared to the IT environment, where patching, upgrading, and 
replacing systems is standard, an OT environment typically requires 
working with legacy technologies. To prioritize remediation efforts, 
agencies need a detailed view of OT and IT assets in the OT environment 
and the ability to map connections between devices and identify high-
risk assets.
    To ensure that Federal Civilian executive branch (FCEB) systems, 
and agencies operating those systems, meet said requirements, Congress 
should appropriate funding to implement CISA's BOD 23-01, and OMB M-24-
04. This will enable agencies to maintain an updated inventory of 
assets, identify software vulnerabilities, track how often an agency 
enumerates its assets, and share information with CISA's Continuous 
Diagnostics and Mitigation Program (CDM) Federal Dashboard. Pursuant to 
BOD 23-01, the scope of this implementation encompasses all reportable 
OT and IT assets.
    The OTCC brings together a range of OT cybersecurity and technology 
providers to promote the use of standards-based, interoperable 
cybersecurity solutions to help critical infrastructure and other 
organizations defend themselves against growing threats. The OTCC also 
works with Government stakeholders to promote effective operational 
technology cybersecurity.
                         policy recommendations
    Tenable recommends that Congress enact the following policy 
objectives to enhance the cyber preparedness of U.S. critical 
infrastructure:
   Establish baseline cybersecurity requirements or standards 
        of care for critical infrastructure that align with CISA's 
        Cross-Sector Cybersecurity Performance Goals, international 
        standards, and the NIST CSF, based on effective cyber hygiene 
        and preventive security practices. Basic cyber hygiene for 
        critical infrastructure operators includes continuous 
        understanding of what assets are on networks, ensuring strong 
        identity and access management, discovering and patching known 
        vulnerabilities, and implementing incident detection and 
        response capabilities. For critical infrastructure providers, 
        these baseline requirements must address the challenges of 
        securing converged IT and OT environments. Pillar One of the 
        recently released National Cybersecurity Strategy calls for 
        baseline cybersecurity requirements for critical infrastructure 
        providers. The CISA Cross-Sector Cybersecurity Performance 
        Goals, based on the NIST CSF, are an excellent resource for 
        industry and Sector Risk Management Agencies to utilize in the 
        development of baseline requirements and standards of care.
   Prioritize robust cybersecurity funding for programs and 
        initiatives that support improving OT security, including:
     CISA Cyber Hygiene services, to provide expanded services, 
            including OT and IoT assessments, to critical 
            infrastructure entities and utilities, enabling them to 
            achieve a minimum cybersecurity posture.
     CISA and FCEB agencies, to implement BOD 22-01, and BOD 
            23-01, and M-24-04 policy recommendations. Protecting our 
            Nation's cybersecurity means knowing what is on our 
            networks and maintaining such networks in good working 
            order, which includes conducting an inventory of OT assets 
            and prioritizing remediation of known vulnerabilities. If 
            an organization does not know an asset exists, it cannot 
            assess it for vulnerabilities. With the issuance of BOD 23-
            01, Federal agencies need comprehensive visibility into 
            their assets and vulnerabilities across their organization. 
            This includes:
         External unknowns
         Cloud workload and resources
         Operational technology
         Network infrastructure and endpoints
         Web application
         Identity systems.
     CISA and the Office of the National Cyber Director, to 
            ensure they can meet mission requirements. The threats to 
            Federal networks and critical infrastructure are growing at 
            a significant rate and CISA must serve as an effective 
            coordinator to strengthen security in these environments. 
            Tenable supported the creation of the Office of the 
            National Cyber Director and applauded efforts to stand up 
            this office.
   Ensure that cybersecurity is incorporated for infrastructure 
        grant funding. Modern infrastructure projects increasingly 
        leverage digital technologies and network connectivity. OT 
        cybersecurity should be addressed in all Federal infrastructure 
        grant projects and should be an allowable expense for 
        infrastructure grant recipients.
   In its oversight of CISA implementation of CIRCIA, Congress 
        should ensure that CISA is adequately resourced to ingest the 
        wealth of information that will be shared by critical 
        infrastructure entities. CISA should request and share 
        anonymized cyber incident data. It should provide actionable 
        information through trusted partners, such as JCDC Alliance 
        Partners, to provide cyber situational awareness to the broader 
        critical infrastructure ecosystem. Finally, CISA should move 
        toward automated and machine-readable formats to ingest and 
        share this information to the full extent possible.
   Continue implementation of the NSTAC IT/OT Convergence 
        Report policy recommendations.
     Direct Federal civilian agencies to inventory their OT 
            assets and provide OT asset and vulnerability information 
            to the CDM Dashboard. CISA has already taken steps to 
            address this obstacle through BOD 23-01, but Congress 
            should reinforce the need to gain visibility into these 
            mission-critical environments so we can understand the 
            scale of cybersecurity challenges and begin to 
            systematically address serious risks. The foundation for 
            every security framework, whether IT or OT, always begins 
            with visibility into the assets for which you are 
            responsible. Achieving this visibility is a significant 
            step forward for Federal departments and agencies to 
            protect their critical IT and OT assets against evolving 
            cybersecurity threats.
     Develop enhanced OT-specific cybersecurity procurement 
            language. Public and private-sector OT procurements should 
            require the inclusion of risk-informed cybersecurity 
            capabilities for products and services. Updating 
            procurement language guidance will help asset owners 
            specify that cybersecurity be built into products and 
            projects rather than bolted on as an afterthought. 
            Including cybersecurity in both Government and private-
            sector procurement vehicles will significantly enhance the 
            resilience of critical infrastructure systems.
     Implement standardized, technology-neutral, real-time 
            interoperable information-sharing mechanisms to promote the 
            sharing of sensitive information across agencies and to 
            break the traditional siloed approach. Cyber attacks often 
            target multiple critical infrastructure sectors and 
            attackers have the ability to move at machine speed to 
            compromise multiple industrial sectors. Our defenses need 
            to match this threat. It is imperative for our critical 
            infrastructure sectors to securely communicate with each 
            other to get the right information to the right person, at 
            the right time. This requires a standardized, technology-
            neutral approach, in order to leverage cyber threat and 
            vulnerability information from the broader critical 
            infrastructure ecosystem.
   Support the JCDC and provide oversight of CISA to clarify 
        roles and responsibilities of other public-private 
        partnerships. Congress should continue to support the JCDC as 
        it advances strategic planning and incident response 
        capabilities for the industry. However, it is important for 
        Congress to provide robust oversight of CISA's JCDC efforts to 
        ensure there is a clear delineation of roles and 
        responsibilities and appropriate opportunities for industry to 
        engage. Congress should also provide oversight to ensure that 
        JCDC adequately addresses OT cybersecurity risks, threats, and 
        operational response capabilities.
   Improve the ICS cyber workforce by ensuring CISA implements 
        the ICS cybersecurity training initiative included in Ranking 
        Member Swalwell's Industrial Control Systems Cybersecurity 
        Training Act, which was passed as part of the fiscal year 2024 
        Defense Authorization bill.
   Require Independent Assessments of critical software (to 
        include OT and IoT). CISA should apply the Sarbanes-Oxley 
        ``separation of duties'' principles to cybersecurity and 
        prohibit the provider responsible for developing and/or running 
        critical software from also conducting its exposure management 
        or otherwise testing its security, conducting security audits, 
        or reporting on its security.
                               conclusion
    There are fundamental steps all Federal agencies and critical 
infrastructure entities must take to improve their OT cybersecurity 
posture. Security professionals need visibility into which assets are 
on their networks and whether those assets are vulnerable. Known 
exposures should be addressed in a timely manner and user access and 
privileges must be effectively controlled. Finally, security teams must 
have unified visibility into, and management of, interconnected 
critical systems. These steps make it more difficult for bad actors to 
compromise interconnected IT and OT systems. Government policy can help 
drive these effective practices for critical infrastructure owners and 
operators.
    Risk assessment and asset inventory processes are desperately 
needed as rapid expansion of access and interconnectivity dramatically 
increases risk. Policy guidance for minimum security requirements and 
standards of care is needed to help drive improvements in risk 
management practices while at the same time acting to foster innovation. 
Government support and funding are necessary to strengthen 
cybersecurity programs for critical infrastructure providers which lack 
the resources to protect themselves from malicious actors. Finally, 
stakeholder engagement through public-private partnerships and other 
collective defense efforts can improve cyber situational awareness, 
strengthen policy guidance, and enhance broad adoption of cybersecurity 
best practices.
    Chairman Garbarino, Ranking Member Swalwell, Chairman Green, 
Ranking Member Thompson, and Members of the subcommittee, thank you for 
the opportunity to testify before you today on the critical matter of 
securing the industrial control systems vital to our Nation's water 
sector. I appreciate the work this committee is doing to elevate 
cybersecurity issues with bipartisan support. I look forward to on-
going collaboration to safeguard the IT/OT/IoT systems that form the 
foundation of our Nation's critical infrastructure.

    Chairman Garbarino. Thank you, Mr. Edwards.
    Members will be recognized by order of seniority for their 
5 minutes of questioning. An additional round of questioning 
may be called after all Members have been recognized.
    I now recognize my friend from Florida, Mr. Gimenez, for 5 
minutes.
    Mr. Gimenez. Thank you, Mr. Chairman.
    I was privy to a kind-of informational kind of briefing the 
other day about quantum computing, and the CCP is engaged in a 
Manhattan Project-level effort to develop quantum computing.
    So, you know, a lot of people don't know what that is, and 
I certainly didn't. But one of the things that struck me is an 
example they gave me, that today's supercomputer could be able 
to crack a certain code, it would take about 15,000 years for 
that supercomputer to crack the code. A quantum computer can do 
it in 30 seconds.
    So, and the CCP is actually kind-of laser-focused on 
developing quantum computers that will crack codes. So if 
that's the case, is any IT system safe? Mr. Lee.
    Mr. Lee. Thank you, sir, for the question.
    So I think this is absolutely the right question to start 
thinking about where the state is going. But when you look at 
the current state of our infrastructure, most of these water 
facilities, as an example, lack a firewall. So we talk about 
quantum computing and AI and similar, and you could just log 
into the system and change the water levels. So it's 
appropriate to think long-term about that. But it's not 
actually the problem that we face today. Moreover, you 
absolutely can always do defense. It's just we have to actually 
start investing in it.
    Mr. Gimenez. Yes, but wouldn't defense be the only defense 
at the end, when you're facing quantum computers that can crack 
any code, can get into any system, wouldn't it be to go back to 
the future, or in other words, go back where you have to 
disconnect and then have manual systems again where, you know, 
it's cracked? Also now we have to manually start to do this and 
the switches and all that.
    Because it seems to me that if you get into this realm and 
they actually can do that, and you can crack any code in 30 
seconds, 10 seconds, et cetera, you can get into anything. 
Therefore, all of our systems that are actually tied into it 
are super vulnerable or will be super vulnerable. So shouldn't 
we be preparing for that today, not when it happens?
    Mr. Lee. We absolutely should be. We're just very far 
behind already. Additionally----
    Mr. Gimenez. No, but it seems that your solution is to get 
more integrated with IT.
    Mr. Lee. I'm more advocating the fact that the horse is out 
of the barn. Like, we are not going back to manual operations 
or disconnecting it. Sounds great, but you can't operate a 
digital system that way at scale.
    Mr. Gimenez. Well, that is the problem. You are in a 
digital system, so you are leading to inevitable failure, 
inevitable defeat.
    Mr. Lee. Well, yes, sir. So I would argue, though, that the 
inability to operate the system in the first place would end up 
being more risky. So we actually can't go back to that way of 
operating. We don't have the staff physically possible to do 
that, and our vendors aren't providing anything that's not 
digital. There's good reason for that. You want to be able to 
reduce the cost and operate the system. But ultimately, if we 
take the position that we have to do manual for everything, we 
won't be able to run the system.
    Mr. Gimenez. I am not saying that you have to do it for 
everything, but you have to have a way to get back to manual if 
the system is completely compromised. So you are saying, OK, 
that is it, we are done? All right, so the quantum computers 
are here. Everything is, boop, we can be compromised. They can 
shut us down any time they want. So we are done because we 
can't go back to a manual system. Is that what you are saying?
    Mr. Lee. I would actually argue that we--you're going to 
lose the battle of trying to prevent everything. But when you 
put humans in the loop to start doing detection, response, 
recovery, you can win. We've shown that over and over again.
    Mr. Gimenez. How, if you are all dependent on IT?
    Mr. Lee. So as we----
    Mr. Gimenez. You are dependent on a digital world, and that 
digital world can be compromised at any time. How are you going 
to win that battle?
    Mr. Lee. You put humans and you defend, and you allow them 
to be in defensible environments. So we've got plenty of case 
studies that never go to the public on state actors from China, 
Russia, Iran, et cetera, getting into systems that A player 
teams and well-resourced teams running circles around them. 
Defenders have an advantage. You're just not going to have an 
advantage on every single front.
    Mr. Gimenez. That is today's reality with today's 
computers, where you actually need people to infiltrate your 
system. In the future, with AI and quantum, you are not going 
to need people. The computers will be unleashed against us. I 
don't care how many people you have, you are not going to be 
able to defend it. The only way you can defend it is with your 
own quantum computer and your own AI.
    Mr. Lee. I think there's a lot of argument to be made of 
that, but a lot of that is theory. Ultimately, what we've seen 
consistently over and over again is well-resourced offenders 
beat well-resourced adversaries.
    Mr. Gimenez. I hope you are right, but I also think that we 
have got to have a plan B. The plan B is, hey, we may be able 
to need to turn that off and operate somewhat of a manual 
system, because if not, if they somehow defeat us, we are done. 
They can get our electrical grid. They can get our water 
supply. They can, you know, run havoc with transportation. They 
can do all kinds of things that can, you know, really disrupt 
our way of life.
    With that, my time is up and I yield back.
    Chairman Garbarino. The gentleman yields back.
    I now recognize Mr. Carter from Louisiana for 5 minutes of 
questions.
    Mr. Carter. Mr. Chairman, Ranking Member, thank you very 
much. To the witnesses, thank you very much for being here for 
a timely discussion about something that is obviously 
critically important.
    I represent Louisiana, and, as you may know, we narrowly 
averted a real catastrophe with salt intrusion due to low water 
content and the issues with climate change. How will Federal 
agencies such as CISA collaborate with State and local 
authorities to implement proactive measures aimed at preventing 
and mitigating saltwater intrusion in vulnerable areas, such as 
in my district in New Orleans?
    Dr. Morley, you want to take a crack at that?
    Mr. Morley. Planning for alternative water supply is 
certainly a critical need, and the challenges that were faced 
in that portion of Louisiana were certainly challenging. I 
think it requires a collaborative approach between EPA, the 
Corps of Engineers, to some extent CISA, to evaluate some of 
those opportunities. The Water Sector Coordinating Council, for 
example, has made wide-scale--or regional-scale emergency water 
supply a critical priority. The challenge, obviously, is the 
scale. Right? Moving--I think they were estimating barging.
    Mr. Carter. Well, we did water barging.
    Mr. Morley. Right.
    Mr. Carter. We did reverse osmosis. We were fortunate that 
the weather changed and we got a little break, and it wasn't as 
bad as it could be. But now, given that we have had that test, 
what are we doing going forward? Because this was Mother 
Nature. This was climate. This was issues that were done by 
humans.
    Mr. Morley. Right.
    Mr. Carter. What happens if it were used in that capacity 
by a bad actor?
    Mr. Morley. Well, that's where the contingency is managing 
for the consequence, independent of cause, is, I think, some of 
the challenge that we need to overcome and address some 
innovative opportunities to provide new and different water 
sources.
    Mr. Carter. In light of climate change, what funding 
initiatives and Federal resources are being proposed to support 
long-term resilience and adaptation efforts in addressing 
saltwater intrusion within areas that are impacted? Anyone care 
to chime in? Dr. Morley, thank you. Mr. Edwards, Mr. Lee, Dr. 
Clancy.
    Mr. Morley. I'm not sure on a specific funding program 
specifically targeted at saltwater intrusion, sir, but programs 
like the State revolving loan fund and the WIFIA program are 
set up to help utilities get low-cost loans to invest in new 
treatment technologies and alternative water supply.
    Mr. Carter. Have you guys looked at this, what happened in 
Louisiana, to use it as a case study to determine how we might 
address it in the future?
    Mr. Morley. I think that's an area for continued research 
and analysis and how to overcome such a large-scale type of 
incident.
    Mr. Carter. What partnerships and coordination efforts are 
being established between Federal, State, and local 
stakeholders to ensure a cohesive and comprehensive approach in 
addressing saltwater intrusion? How can these collaborations 
strengthen and be sustained effectively going forward?
    As my dear friend from Florida just said, we shouldn't wait 
until these things happen. In this case, it did happen. We saw 
what we narrowly averted, what could have been a major, major 
issue for my State in multiple parishes. What are we learning 
from that and what are we doing?
    You four are notable experts in the area of water and 
infrastructure and critical infrastructure. Surely you have 
thought about this, and there are some thoughts on what we can 
do. You are now sitting before this committee, and we want to 
be able to arm you with the necessary tools that we don't wait 
until we have a catastrophe. You now have the opportunity to 
make an ask. What might that be to ensure that we are better 
prepared going forward?
    Mr. Lee.
    Mr. Lee. Yes. I would add in that we need a consistent 
message from Government. You go to different agencies and 
you'll hear different things.
    We need requirements. On the Department of Energy side of 
the House, on the Advisory Committee side, we talk about cyber 
resilience, cyber safety, climate change discussions, go down 
the list of it, and every time from the actual electric 
companies, well, here, we can do anything you want. Just pick 
three and who's resourcing it.
    I think we need to standardize on what are actually the 
requirements and communicate with one single voice out to the 
asset owners.
    Mr. Carter. OK. This administration has invested a great 
deal of money in mitigating lead and the issues with lead 
poisoning and lead in our water. How is that working, and what 
can we do to further enhance that?
    Dr. Clancy? You can't take a nap in the middle of the 
course, man.
    Mr. Clancy. So that is not my area of expertise.
    Mr. Carter. OK, fair enough. Anybody else? Dr. Morley. Mr. 
Edwards.
    Mr. Morley. Yes. There has been a substantial amount of 
funding made available directly to support lead service line 
replacement through EPA. In addition, the agency is going 
through a regulatory revision process on programs or 
regulations to protect the public from lead exposure.
    Mr. Carter. My time has expired. I yield back, Mr. 
Chairman.
    Chairman Garbarino. The gentleman yields back.
    I now recognize my friend from Mississippi, Mr. Ezell, for 
5 minutes of questioning.
    Mr. Ezell. Thank you, Mr. Chairman. Thank you all for being 
here today and discussing this very important matter.
    Considering the Iranian-backed cyber attacks on our 
country's water infrastructure recently, I am glad to discuss 
today how CISA and the Federal Government can better understand 
these events and increase its security measures.
    Dr. Morley, I understand that CISA has released their 
cross-sector cyber performance goals. Do you believe these 
goals align with existing Federal frameworks? How can CISA 
further ensure coordination with other Federal agencies?
    Mr. Morley. Yes, sir. So I am familiar with the cyber 
performance goals, or the CPGs. They're derived from the NIST 
cybersecurity framework. So I think some of the resources that 
we've already developed align with those principles.
    I think it is a little bit of a branding shift from the 
NIST cybersecurity framework, which has created a little bit of 
confusion outside of Washington, DC. But I think we're prepared 
to continue moving forward and have those all mapped together 
and support utilities and other critical infrastructure systems 
in addressing some of those performance goals.
    Mr. Ezell. Thank you. Dr. Clancy, you raised a point about 
CISA needing to prioritize its efforts based on the specific 
risk and threat levels for each sector. For example, the water 
sector may face more risk based on a historic lack of 
investment and expertise. On the other hand, the energy sector 
is more prone to threats from our adversaries. Both of these 
seem like pretty big threats to me. How do you believe CISA 
should navigate the balance between risk and threat 
considerations in the OT space?
    Mr. Clancy. I think we--every sector faces risk. I think 
some of the more resourced and more mature sectors have been 
able to better manage that risk. But I think less resourced 
sectors, like the water sector, have a significant accumulated 
risk because they're so fragmented. There's so many individual 
water utilities and just a lack of cyber capacity across the 
whole ecosystem.
    I think where we see the adversaries focusing are really 
these lifeline sectors. So CISA has prioritized energy, water, 
telecommunications, and transportation as sort-of the four 
sectors that they think are the sort-of must-survive sectors 
with respect to critical infrastructure attacks. So I think we 
need to continue to prioritize those sectors, because without 
those sectors, many of the other sectors would see cascading 
failures.
    Mr. Ezell. Can you expand on the level of risk and threat 
posed to OT systems as compared to IT systems?
    Mr. Clancy. I think IT systems have been the primary target 
of adversaries for a long time. I think Russia, China, and 
others, in addition to criminal organizations, have been 
primarily focused on either criminal enterprises or espionage. 
But I think what we're seeing fundamentally different in the 
threat landscape is Russia and China beginning to shift from 
penetrating IT systems to now starting to attack OT systems. 
The number of attacks that we're starting to see that are 
destructive really paint the picture that we're headed in a 
really bad direction in terms of fundamentally established 
international norms around what it means to cause a destructive 
attack to critical infrastructure.
    Mr. Ezell. Thank you. As CISA designates important 
entities, what kind of OT-specific risk and threat 
consideration should these agencies be looking at?
    Mr. Clancy. Which agencies? The Sector Risk Management 
Agencies----
    Mr. Ezell. Yes, sir.
    Mr. Clancy [continuing]. Or CISA? I think we have a fairly 
comprehensive set of frameworks in place, all starting with 
Executive Order 13636. I think the challenge is less about 
having the right framework and infrastructure in place, and 
it's more about the utilities being able to effectively 
implement those frameworks. It's a complex ecosystem and just 
the very limited IT staff, much less cybersecurity staff, it 
just makes it impossible.
    Mr. Ezell. I will tell you, you know, just each time we 
come to these hearings, I get a little nervous and I get a 
little more confident, but I would like to express my sincere 
whatever effort I can put into this for you. You know, we 
cannot wait. We cannot procrastinate. We have got to do 
everything within our power, and you have got to get the 
information to us so we can make sure that we can cut through 
some of the red tape that continually surrounds Government 
operations. So, you know, please work with us as hard as you 
can so that we can make you be successful and we can protect 
this country.
    So with that, Mr. Chairman, I yield back.
    Chairman Garbarino. The gentleman yields back.
    I now recognize Mr. Swalwell, the Ranking Member, for 5 
minutes of questioning.
    Mr. Swalwell. Great, thank you. Any sort of scoring system 
as far as vulnerability that water agencies could have, and I 
am of two minds of this. I mean, you don't really want to put 
out there who is the most vulnerable, but you can also almost, 
I don't want to say publicly shame, but, you know, call out the 
most vulnerable to try and get them, you know, to update their 
systems. You know, Mr. Edwards pointed out, you know, a recent 
attack occurred on a system, you know, via the internet.
    So is that out there? Like, is there more that the private 
sector can do or trade associations can do to just make sure 
everyone is, you know, at a high standard?
    Mr. Morley. Sure. Appreciate the question. Give it a shot 
here.
    There's not a scoring system. I think the complexity and 
diversity of the sector makes that quite challenging. Where I 
was leading in some of my testimony was, I think this requires 
it's a shared responsibility. Right?
    There's excellent knowledge and information available from 
agencies like CISA on the threats, folks like MITRE and others 
at the table that inform that process. Getting it into the 
hands of a utility to actualize it and take action on it, 
that's where we need greater investment in capacity development 
and leveraging trusted partners like AWWA and others in the 
sector to work in the field with utilities to actually 
implement these controls. Right?
    There's a capacity issue. You noted the work force 
challenges that we have, you know, the skill sets are excellent 
at treatment of water. They're not cybersecurity experts like 
the gentlemen surrounding me. So that's where I think there's 
great opportunity to improve our shared responsibility to 
protect----
    Mr. Swalwell. But, I guess, are there, like, just across 
the board metrics that CISA could use or a trade association 
could use, you know, on multifactor authentication?
    Mr. Morley. Sure.
    Mr. Swalwell. You know, level of training for, you know, 
anyone, you know, who operates, you know, the systems' 
accessibility, you know, the public has, you know, from, you 
know, the outside? I just wondered, like, is there more we 
could do to try and, as I said, just kind-of bring everybody up 
to the highest standards?
    Mr. Morley. Well, I think that's where, I think Rob 
mentioned this, right, we need to define the outcome that we're 
trying to achieve and kind-of unify around what that message is 
and then put resources toward enabling entities to achieve 
those outcomes.
    Mr. Swalwell. Great. Mr. Edwards, one key program at CISA 
to facilitate cooperation between the agency and critical 
infrastructure is the Joint Cyber Defense Collaborative, also 
known as JCDC. As part of an expansion of JCDC, CISA has 
established an ICS working group to focus on operational 
technology security issues, and I am pleased to see that it has 
prioritized work in the water sector.
    As a member of JCDC, Tenable, would you agree that JCDC 
would benefit from a formalized structure and accountability? 
What kind of results have you seen from its ICS work, and how 
would you like to see it build on its ICS work going forward?
    I guess, you know, the bigger question here is, does it 
need more scaffolding and structure and be less opaque so that 
people know how to get into JCDC and JCDC has an ability to 
also throw people out if they are not faithful, trusted 
partners? Is it a one-way relationship as far as you sharing 
information with them or do you feel like you are benefiting 
from what is coming to you?
    Mr. Edwards. Yes, thank you. It's a great question.
    I think from Tenable's perspective, there's no doubt that 
the JCDC provides some significant value. I think when CISA 
focuses on the operational aspects of information sharing, you 
know, sharing information that's pertinent for a current threat 
or an emerging threat, and they have sort-of a finite time 
window or activity around that, it really shines. You know, so 
we see great value there.
    I think as a constructive criticism, perhaps, some 
additional thought around how CISA incorporates other sort-of 
what I would almost consider program offices into the JCDC 
construct. Right? They tend to want to paint everything with 
the JCDC brand. Quite frankly, I don't think that's as 
effective and it dilutes some of the operational successes that 
we've had.
    With regards to the industrial control system group at the 
JCDC, I think it's still fairly young and needs some additional 
shepherding there. But we're eager, I think, to continue to 
work with CISA and all of our partners at the table to improve 
that entity.
    Mr. Swalwell. Great. Thank you. I yield back.
    Chairman Garbarino. The gentleman yields back.
    I now recognize myself for 5 minutes of questions.
    It is funny, the Ranking Member has asked about JCDC, that 
was going to be one of my questions. Sir, you did a great job, 
I think, walking the line there because we talk about JCDC I 
think at every hearing we have.
    I know, Mr. Lee, Dragos is also a member, so I wouldn't 
mind hearing your opinion also on the question that the Ranking 
Member just asked.
    Mr. Lee. Yes, I think Mr. Edwards, as you said, did a good 
job walking the line. Let's acknowledge that CISA consistently 
cares and is putting the effort to try to collaborate, like, 
and that's a beautiful thing. The reality is we're not seeing a 
lot of success out of it currently, but I think that's the 
growing pains.
    When Government ends up focusing, especially CISA, on 
here's the strategy level, it's very effective. A lot of the 
messaging coming out from Director Easterly and similar is 
spot-on.
    When he gets into the tactical and actually having the, 
sort-of the experts around the table, that tends to be a bit 
lacking. I think if they continue to invest in the strategic 
level and enable the group versus trying to be the players in 
the field, I think they'd see more success.
    Chairman Garbarino. OK, great. I appreciate that.
    Dr. Morley, there are several legislative proposals 
floating around that offer alternative solutions to improving 
water sector cybersecurity, including a proposal for a water 
sector regulatory model that is similar to the energy sector's 
model. However, we have heard from the energy sector 
stakeholders that some of their regulatory requirements are 
compliance-based rather than security-based, and often take up 
to possibly 50 percent of an operator's time that can be spent 
on actual securing systems.
    In any future legislative solutions how can Congress ensure 
operators are consulted in a way that prioritizes outcomes-
based security?
    Mr. Morley. Absolutely. So I think part of what we're 
trying to achieve with the recommended approach that we've 
suggested Congress take into consideration is to move to a 
risk- and performance-based approach that can scale across the 
sector. So the recommendation that we've suggested isn't just a 
lift in their XIP model and drop it onto the sector. I think 
there needs to be some recognition of the diversity and the 
complexity of the operations. Some of the controls, as 
Representative Swalwell noted, right, there are some baseline 
requirements that we need to establish and then allow that to 
scale associated with the complexity of the system. Owners and 
operators in the field need to be directly involved in defining 
what those are because they understand those operational 
challenges, with insight that can be provided by Federal 
partners at EPA and CISA, for example.
    Chairman Garbarino. So when you think through the 
appropriations process--I mean, what is the best process then 
for us to legislatively fix this or to make sure that operators 
are included? I mean, this changes rather quickly, I think, 
with the, you know, technology. As we heard before by my 
colleague Mr. Gimenez, this stuff is moving very quickly. So 
does the industry have a thought on what is the proper process 
to make sure the operators are at least successful when dealing 
with Congress?
    Mr. Morley. Yes, I think the process that we're trying to 
establish and what we've suggested sets clearly-defined 
objectives for what performance would be in place to manage 
cybersecurity at a water utility system with some audit and 
oversight function to provide for that accountability. 
Oversight from EPA would be provided as a Sector Risk 
Management Agency, and certainly information and other threat 
intelligence from other agencies, including CISA, would be 
informative to that process.
    Chairman Garbarino. EPA is the Sector Risk Management 
Agency right now.
    Mr. Morley. Yes, sir.
    Chairman Garbarino. Do you think they should be?
    Mr. Morley. Yes, sir.
    Chairman Garbarino. Do they have the employees to be able 
to do it?
    Mr. Morley. This is why we think that there is a need to 
create an independent, non-Federal entity to leverage sector-
specific knowledge of owners and operators to inform similar to 
what NERC does, to establish those requirements and then be in 
the field to do that. EPA does not have the staff to go out in 
the field and work with 50,000 community water systems.
    Chairman Garbarino. Thank you. Dr. Clancy, I understand 
that EPA is, again, we just talked about this, the SRMA for the 
water sector with the mandate to carry out incident management 
responsibilities and to facilitate technical assistance under 
the PPD 21. With this in mind, EPA--as the administration 
rewrites PPD 21, what should they consider when balancing 
responsibilities between CISA and each SRMA, especially when it 
comes to OT technology?
    Mr. Clancy. I think the primary thing would be a more 
deliberate engagement of the SRMAs in the incident response 
process. They can bring domain expertise and context. They can 
also learn from hands-on experience in the incident response 
process to better inform any regulations that they're 
developing on the front end of the process.
    Chairman Garbarino. I appreciate that. I know we are going 
to have a second round of questions, so now my time has 
expired.
    So I recognize the gentleman from New Jersey, Mr. Menendez, 
for 5 minutes.
    Mr. Menendez. Thank you, Chairman. Thank you for bringing 
us together today. Thank you to the witnesses.
    In 2021, Congress passed the Infrastructure Investment Jobs 
Act, a historic investment in our Nation's infrastructure that 
will help build and modernize our water system, transit 
networks, and broadband, among others. One struggle for much of 
our critical infrastructure is a reliance on decades-old 
operational technology that is hard to update and which does 
not have the security for today's threats.
    Mr. Edwards and Mr. Lee, how can CISA and other Federal 
agencies help ensure that critical infrastructure investments 
build in stronger security utilizing the latest Secure by 
Design practices?
    Mr. Edwards. I'll take a shot first, so thank you for the 
question.
    Mr. Menendez. Sure.
    Mr. Edwards. You know, I think we talked earlier in our 
opening testimony that there's no doubt that all infrastructure 
now relies on digital equipment to function. So I think that I 
would emphasize we need to continue to fund that at all aspects 
of a project. So it's not just a once and done, right. This 
isn't a capital expenditure like building a bridge or building 
a tank with water in it. This is an on-going care and feeding 
that's required of these OT networks.
    I'm pretty optimistic that if the funding agencies or 
entities, be them State, local, Tribal, territorial, or 
Federal, follow things like CISA's cyber performance goals as 
those minimum baseline requirements, that we can get there. I 
think that long-term, some regulatory capabilities are 
necessary to put the checks and balances in place, but we just 
need to make sure that from the get-go, we're defining the 
cybersecurity objectives in the project and then measuring them 
with metrics and key performance indicators along the way.
    Mr. Menendez. Appreciate that. Anything on the Secure by 
Design practices that you would like to touch on?
    Mr. Edwards. Yes, I think that that's certainly an area of 
passion for me. You know, many, many entities, vendors, OEMs, 
et cetera, have built equipment over the years that wasn't 
necessarily Secure by Design. So I think having, again, a 
minimum baseline kind-of set of requirements that in order to 
be used in critical infrastructure, your equipment must meet 
the minimum requirements. Right? You must change the default 
password upon, you know, first installation kind-of thing. Then 
we would alleviate some of the challenges we've seen recently 
with equipment directly connected to the internet with default 
passwords.
    So, yes, I believe that this initiative by CISA has got 
some really good opportunity, and I'm happy to see that they're 
structuring some of IT specifically for OT and industrial 
control systems.
    Mr. Menendez. Sure. Mr. Lee, anything you would like to 
add?
    Mr. Lee. Yes, I would agree with Mr. Edwards and add that 
it really goes back to the strategy of what do we actually care 
about? So we can talk about cyber hygiene, cyber resilience, 
all those cyber buzzwords all day long, but what are the 
scenarios we actually care about? You care about ransomware in 
an OT system. You care about targeted attacks, like Pipe Dream, 
we've seen before. There are certain things that have happened 
that we need to address. Right now, we oftentimes, especially 
from a government perspective, get into how to operate the 
system or how to change things, and the asset owners and 
operators are confused about what we're even trying to 
accomplish.
    So we need to get out of the weeds a little bit and go back 
to the why and what are we doing this? Leave the expertise to 
the ones that are actually operating the infrastructure to 
accomplish that. Or said a little bit more punchy, there's a 
lot of folks that have never set foot in a pump station that 
are trying to tell people how to operate it. Let's figure out 
what are the scenarios and then let them go use their expertise 
to do it, and we can do exactly what you're talking about.
    Mr. Menendez. Sure. How quickly are those different 
scenarios evolving in terms of this, like, threat landscape?
    Mr. Lee. On the OT side, not as much. We have high-
consequence attacks, but they're much less frequency in terms 
of IT. So in the water sector, there's probably 3 or 4 
scenarios that we should really be guiding toward, and then 
there's slowdown effect to a bunch of the other scenarios that 
may happen by the same security controls we're putting in 
place. But if we get out there and tell them to do 50 things, 
and most water utilities in this country share one IT 
contractor, let alone a full-time IT or security staff, it's 
just not going to work that way.
    Mr. Menendez. Sure. Dr. Morley, how is the water sector in 
particular seeking to ensure investments in water 
infrastructure built with security in mind?
    Mr. Morley. Well, unlike many of the other sectors, we have 
not had direct investment in supporting our technology 
transformation, and so that is something that we've advocated 
for. I think there are opportunities within America's Water 
Infrastructure Act of 2018 to authorize some resources to 
address resilience of utilities, but they have not been 
appropriated to date.
    Mr. Menendez. Got it. With the last question, the EPA 
serves as the Sector Risk Management Agency for the water and 
wastewater sector, but has often struggled to have the 
resources and expertise to support the sector, making 
collaboration with CISA particularly important. For anyone that 
wants to answer, how can CISA and the EPA better coordinate to 
improve their support for the water sector?
    Mr. Morley. I guess I'll take a run at that.
    Mr. Menendez. Sure.
    Mr. Morley. Sitting with them, with the Sector Coordinator 
Council. I think it really necessitates a much more 
collaborative approach that brings the stakeholders to the 
table to clearly identify the needs that we actually have, so 
that the solution set satisfies those requirements.
    Mr. Menendez. Got it. With that, I yield back.
    Chairman Garbarino. You are out of time. The gentleman's 
time has expired.
    I now recognize my friend from Texas, happy he is here to 
waive on today, Mr. Pfluger.
    Mr. Pfluger. Thank you, Mr. Chairman. I appreciate you 
letting me waive on. Thanks for holding this.
    Dr. Morley, good to see you again. I know you testified in 
front of the Energy and Commerce Committee on this important 
subject.
    Mr. Chairman, I will say that important to have both 
perspectives, you know, on the homeland side with the critical 
infrastructure, but also with the jurisdiction of ENC. I think 
this highlights why it is important to have Members on those 
committees.
    We held a hearing last week. It was clear to me that any 
standard or Government action has to be collaborative between 
the operators who know the issues. A one-size-fits-all approach 
is probably--you know, that is really what I took away from our 
hearing last week.
    So I will start with Mr. Lee, and I would like to hear from 
you. Can you highlight a few key differences in the industrial 
cybersecurity community when it comes to different operational 
technologies?
    Mr. Lee. Yes, and thank you for the question, sir.
    Absolutely, when you look at the operational technology 
side of the house, a lot of those IT security things that we 
know as basics and smart things to do are maybe not even the 
right emphasis. You talk about vulnerability management in IT. 
When we look at it from an intelligence perspective, it's 
something like 2 or 3 percent of vulnerabilities that matter to 
operations technology at all. So a lot of the times we just put 
the wrong emphasis on what we're supposed to do in OT. So we 
give out pages of guidance to folks that actually don't move 
the needle toward operational resilience.
    If you steal from IT, you steal somebody's data, you target 
OT, you kill people. You need to treat that differently.
    Mr. Pfluger. Across industries what are the commonalities 
that you are seeing?
    Mr. Lee. Across industries the commonality is that the 
native functionality of those systems is important and needs to 
be protected, and it's also what the adversaries target. If I 
can open up a circuit breaker on an electric substation as an 
engineer, so can the adversary. If I can control a water 
station as an operator, so can the adversary. It's not just 
about exploiting the system, it's about knowing how to operate 
it. That part is common. Then when it gets to the physical 
process and the purpose of the operations, that's where it gets 
more specific to industries.
    Mr. Pfluger. Thank you very much.
    I will go to Dr. Morley now. In the Energy and Commerce 
hearing, the need for a collaborative approach was discussed. I 
think that was a bipartisan conversation and agreement across 
both sides of the aisle. We talked about the electricity sector 
in that particular hearing, which is an industry with 
significant risk.
    Can you talk to us about how, on January 9, DHS published a 
report highlighting this need entitled, ``CISA needs to improve 
collaboration to enhance cyber resiliency in the water and 
wastewater sector''? Based on your hearing last week, this week 
as well, how can CISA improve their coordination and 
communication with EPA, the water industry, and the cyber 
community?
    Mr. Morley. Yes. I mean, they have made some substantial 
strides since the focus period of that report. First, starting 
with actually having a sector liaison dedicated to the water 
sector, which we didn't really have for several years. So 
that's a significant improvement in the stakeholder engagement 
division.
    I think some of the current activities centered around 
elevating visibility on the vulnerability scanning service is a 
positive development, and we look forward to working to elevate 
the profile on how those resources can support utilities with 
some of these capacity challenges.
    Mr. Pfluger. Thank you. We have got about a minute-and-a-
half left. Let's just go to that, you know, most vulnerable 
situation. I want to go down the line. You know, what is the 
situation, the attack scenario, specifically dealing with water 
that keeps you guys up at night? Minute-and-a-half. We will 
have to do about 15 seconds, 20 seconds per.
    Mr. Lee. Yes, I would say, generally speaking, I care about 
things at scale. Local communities can kind-of respond, but 
when you start looking at sophisticated capabilities that could 
be reused and you start looking at destructive or disruptive 
operations, you can very quickly deny drinking water. I mean, I 
can't sit through this hearing without going through this water 
for, you know, 30 seconds, let alone 2 weeks. So denying access 
to our communities or even manipulating chemical levels in that 
at scale is a scary scenario that we have to prepare for.
    Mr. Pfluger. Thank you. Dr. Clancy.
    Mr. Clancy. I'm particularly concerned about the 
interdependencies between several of the different critical 
infrastructure sectors. You hit energy, water goes down shortly 
thereafter. Same thing with natural gas. Right? So they're all 
interlinked. If you have a significant attack on one, you can 
cause cascading failures in others.
    Mr. Pfluger. Great point. Dr. Morley.
    Mr. Morley. Yes. I would signal the similar concern with 
cascading implications for degradation of drinking water or 
wastewater services and the consequences within the community 
for that service being unavailable.
    Mr. Pfluger. OK. Last, Mr. Edwards.
    Mr. Edwards. Yes. I think echoing the previous witnesses, 
the, you know, the reuse or the common use of some of these OT 
devices, the programmable logical controllers, is across many, 
many sectors. Right? So you have the same box in a water 
treatment plant that you do in an electrical substation that 
you do in a manufacturing plant. So kind-of my nightmare 
scenario is some type of malware or ransomware that holds all 
of those devices hostage or makes them inoperable, and we just 
simply do not have the supply chain capacity to replace all of 
them in any reasonable amount of time.
    Mr. Pfluger. Thank you for all of the witnesses being here.
    Chairman, I yield back.
    Chairman Garbarino. The gentleman yields back. Thank you 
very much for coming.
    I now recognize Ms. Lee from Florida for your first round 
of questions. Right? Yes. Wonderful.
    Ms. Lee. Thank you, Mr. Chairman. Thank you to all of our 
witnesses for joining us here today. It really helps us to hear 
your insight and perspective.
    One thing that I am interested in is CISA, you know, who, 
as you all know, offers a lot of voluntary cybersecurity tools 
and assessments and ways that they can help critical 
infrastructure entities. But not all organizations really have 
a lot of visibility or awareness of these tools and how they 
can be useful.
    So I am interested, you know, Dr. Morley, maybe we start 
with you. In your view, what can CISA do to make sure that the 
entities who can avail themselves of these tools and supports 
know that they exist and actually engage and utilize them?
    Mr. Morley. Sure. I think we've started some of those 
conversations, and I think what's really important is, again, 
the diversity and the complexity and capacity of the systems 
within the water sector really requires us to organize the 
resources in a manner that's more accessible. Some of the 
resources that are there now, you know, it's one line. You 
don't know what it is. If you're not a cyber expert, you're not 
going to sign up for it. So I think a more collaborative effort 
with stakeholders to define different entry points into those 
resources, right, so it scales to what their need is, and then 
they progress within a maturity model would be very effective.
    Ms. Lee. Do any of the other witnesses have something to 
add on that particular subject?
    Mr. Lee. I would just say that, again, at a strategy level, 
CISA is doing an amazing job. When you're talking about a lot 
of these services, many of them are done more efficiently in 
the private sector. If there was more direct resourcing to the 
local communities and the water companies that actually deal 
with their local integrators, the local contractors, et cetera, 
you would not only achieve more efficiency, but then you 
wouldn't have to worry about trying to make awareness available 
to 50,000 entities, they would know who to reach out to, and 
you would create jobs and resources in the local communities as 
a result.
    Ms. Lee. On that subject, I am also interested in your 
experiences working with the regional offices. It sounds like 
taking some of that national and making it more local-based and 
regional-based would be effective. What is your experience 
working with those regional offices?
    Mr. Lee. It tends to be a wide variety of skill sets. So as 
an example, where CISA can have more of the general strategy 
and cybersecurity, I would look for the regionals to be much 
more aware of their local sites, much more aware of how those 
operations work. Region by region, it's just resourced so 
differently that it's disparate.
    Ms. Lee. Dr. Clancy, what is your experience or perspective 
on that subject?
    Mr. Clancy. I think there's something like 180,000 water 
utilities. You probably know the number, something like that. 
Right? So there's just so many of them, and many of them are 
tiny, and they just don't have--as you talk about the ability 
to apply for some CISA program, it's not even remotely on their 
radar. Right? They're just trying to keep their one tiny 
pumping station running. So I think the larger, better-
resourced organizations are the ones that have the capacity to 
even engage in these programs, and they're perhaps the ones 
that don't need as much help. So I think that's the asymmetry 
we have.
    Ms. Lee. What would be your thoughts on how we get these 
programs and supports down to those smaller ones who, you know, 
I understand often, in other sectors, too, other critical 
infrastructure sectors, often are the ones that need the help 
the most?
    Mr. Clancy. Well, I think there's a couple different 
approaches. Certainly Rob's suggestion that we better engage 
the private sector, who is providing much of the support to 
them already, would be one avenue. I think there's also sort-of 
these mentorship-type programs where you can have the larger 
operators be resourced to work more closely with the smaller 
operators within their communities as a way to work across.
    Ms. Lee. Thank you, Mr. Chairman. I yield back.
    Chairman Garbarino. The gentlelady yields back.
    We are now going to do a second round of questions for 
Members who want.
    I now recognize the gentleman from Florida, Mr. Gimenez, 
for his second round of 5 minutes of questions.
    Mr. Gimenez. Thank you. I need to go back to what my 
premise was in the beginning, but I am going to. What if I told 
you that we rely on a lot of systems that use GPS and that now 
GPS is becoming less and less--well, it is almost becoming 
useless to the point that it's being jammed? So now we have to 
go back in time again to other systems for our weapon systems, 
like inertial navigation and magnetic navigation.
    So, you know, my first round was, hey, you have got this 
threat coming. It is called quantum computing, attached to AI. 
It is going to make all your efforts--it could make all your 
efforts fruitless. So, you know, I was thinking about, OK, you 
know, do we go back to manual? I touched on that, but instead 
of relying on the internet, wouldn't it be smarter for us to 
rely more on intranet, to have those systems that are vital to 
us, unplug them from the internet so they can't be attacked 
from the outside? It is just a closed loop. They can have all 
the efficiencies of, you know, IT or operational technology, et 
cetera, but they can't be attacked from the outside because 
it's a closed loop.
    What if I were to tell you that the Chinese are already 
doing that, that they have established a vast network of 
intranet, not internet? It is not connected to anything. They 
are only connected to each other. That is it. You can't get to 
it from the outside.
    Would that make sense to protect our vital infrastructure, 
like energy? Like you said, energy, if they attack our energy 
sector, they will eventually get to everything else because our 
water systems run on energy, all that. So would it make sense 
for the United States to start investing in an intranet of 
vital operating systems?
    Mr. Lee. So, sir, I would generally say that I very much 
prefer the American infrastructure services provided than the 
ones the Chinese provide to their citizens, and it's because of 
that that we have digitization and connectivity. You can't go 
back.
    But to your point, I think it's spot-on for what are our 
strategic sites? What are the ones that we want to be able to 
have that capability? Because to do it at scale across the 
50,000-plus water companies cannot be resourced, especially 
when we're still dealing with the trillion dollars' worth of 
infrastructure upgrades we just need for clean water.
    Mr. Gimenez. But, sir, I am giving you Murphy's law, and 
you are denying it. You are saying it is OK. Well, you know, I 
mean, we resource it, which means, to me, you need more people, 
you need more money. What if I were to tell you that for every 
one person that we have working on the Chinese issue or the 
CCP, they have 50? You will never be able to out resource them. 
OK?
    Mr. Lee. Sure.
    Mr. Gimenez. So shouldn't we develop walls that are really 
hard to penetrate? If you are somehow attached to the internet, 
you are bound to fail. We are bound to fail.
    Mr. Lee. Yes, sir.
    Mr. Gimenez. So, go ahead.
    Mr. Lee. I'm an Air Force and NSA alum, sir. I would take 1 
of ours for 50 of theirs any day.
    But to your point, when you look at these systems, if we 
pick out the strategic sites and do a lot of what you're 
talking about, I think it's a great idea. We just cannot scale 
it across the entirety of the country, especially when a lot of 
water infrastructure companies share one IT contractor amongst 
6 companies, you're talking about 20 more engineers per 
company. It's not in the resourcing capabilities of our 
country. But to pick up the strategic sites, I think you're 
spot-on.
    It also goes back to what the Department of Energy is doing 
with the cyber-informed engineering. Here's key sites on like a 
crank path to restore the electric system if it goes down. 
Let's make sure those have the ability to do that. That makes a 
lot of sense.
    Mr. Gimenez. No, what I am saying, like the vulnerability 
comes from the fact you are tied to the internet. Anybody can 
attack you from anywhere in the world. If you have a closed 
system, intranet, they can't attack you from anywhere in the 
world because you are a closed system.
    Mr. Lee. We could not operate it.
    Mr. Gimenez. You what?
    Mr. Lee. We could not operate it. When you look at the 
operation portfolio, when you look at the OEMs, the original 
equipment manufacturers, and how they build these systems and 
how we work with them, you can no longer operate manually, 
disconnected, or in an intranet. Unfortunately, that's just a 
reality. We have to set it at a technical level. So then it's 
risk management beyond that about what do we do about it?
    Mr. Gimenez. Should we develop that capability?
    Mr. Lee. I think there are more efficient ways to get to a 
more resilient system than trying to do that again.
    Mr. Gimenez. I guess I am a little bit more pessimistic 
knowing what is coming. I think we should be investing in 
ways to defeat what is coming. Not what is here, what is 
coming. Because at the end, if what I am hearing is true, you 
won't be able to defeat it. The quantum computing attached to 
AI will be able to penetrate any system anytime.
    So, OK, thank you very much. Appreciate it.
    Yield back.
    Chairman Garbarino. The gentleman yields back. He is still 
fired up today. I like it. But someone is going to give me some 
nightmares, some of these doomsday scenarios you are talking 
about.
    I now recognize Mr. Menendez from New Jersey for a second 
round of questions.
    Mr. Menendez. Thank you, Chairman.
    Chairman Garbarino. Yep.
    Mr. Menendez. As part of the Biden administration's efforts 
to strengthen OT ICS cybersecurity, it launched a series of 
sector-specific sprints, including for the water sector, 
reflecting the administration's desire to make OT cybersecurity 
a priority and better defend critical infrastructure from our 
adversaries. To any of the witnesses, what results did you see 
from these efforts?
    Mr. Morley. So I think in terms of the water sector in that 
sprint, I think some of the resources and focus was on some 
very specific technology solutions that honestly were a bit 
beyond the reach of many utilities in terms of maturity. But 
there are important awareness activities that have evolved from 
that, such as focusing on some of the more fundamentals, like 
vulnerability scanning services, that would address some of the 
vulnerabilities that we've seen exposed in water utilities 
recently.
    Mr. Menendez. How can the Federal Government ensure that 
such sprints turn into sustained actions in the future?
    Mr. Lee. Yes, I would say it goes back to the direct 
resourcing of those infrastructure providers. I think, you 
know, this goes back to the previous question. When we looked 
at the electric sector, that same kind of initiative was go out 
and do whatever you think is best, and you already have the 
capabilities and the rate structure to be able to get the 
resources to go do this. When it got to the water sector, they 
were pushed very strongly to a Government-specific answer that 
didn't actually meet a lot of what they were trying to 
accomplish with no resourcing behind it.
    So more optionality and expertise from the asset owners and 
operators with more direct lines of resourcing, and you can 
achieve those outcomes.
    Mr. Menendez. Good. Appropriators are currently working to 
negotiate a final fiscal year 2024 appropriations package. 
Fortunately, last year the House rejected an effort by some 
Republicans to cut CISA's budget by 25 percent. I am hopeful 
that appropriators will reach an agreement that adequately 
funds CISA's needs, including with regard to OT security. To 
any of the witnesses, how important is adequate CISA funding to 
maintaining its support for OT security and the water sector?
    Mr. Edwards. Yes, I can take that one. A little bit of my 
previous role as director of the Industrial Control Systems 
CERT, which is now part of CISA, you know, I think that 
appropriate level of funding is imperative in this area. You 
know, cyber, the threat landscape continues to expand at 
unbelievable rates, and we must scale our defensive postures 
accordingly.
    So I think it's very easy within CISA sometimes to, you 
know, I guess not fund an OT-specific initiative if they have 
another compelling initiative to secure the IT systems in the 
Federal Government, for example. Those are very tough 
decisions, and continuing to expand to the appropriate levels 
of funding would alleviate some of those challenges.
    Mr. Menendez. Decision making that they have to do in terms 
of looking at priorities----
    Mr. Edwards. Absolutely.
    Mr. Menendez [continuing]. And being able to fully 
implement a cohesive strategy, a comprehensive strategy that 
takes care of both IT and OT.
    Mr. Edwards. Absolutely. I think that CISA needs to have a 
lot more external advertising, for lack of a better term, to 
the initiatives that they have existing in OT, and essentially 
bring that into a cohesive series of programs rather than they 
continue to kind-of reorganize and move them around. Right? 
Some of that is as a result of having to deal with funding 
shortfalls.
    Mr. Menendez. Sure. Just picking up off of that because you 
are sort-of alluding to prioritizing, what programs are most in 
need of strong funding in the coming fiscal year, in your 
opinion?
    Mr. Edwards. Oh, wow. CISA has a very broad remit----
    Mr. Menendez. Sure.
    Mr. Edwards [continuing]. And this is a hearing on 
operational technology security, and it's also a passion of 
mine. So I think that anything to do with industrial control 
system critical infrastructure should be right at the top of 
that pile.
    Mr. Menendez. Appreciate that.
    With that, since I do have time, I yield back.
    Chairman Garbarino. The gentleman yields back. Thank you.
    I now recognize myself for 5 minutes of questions for the 
second round.
    Dr. Clancy, we have learned that a common hurdle in 
securing OT is having the personnel necessary to prioritize and 
implement guidance. Small and medium organizations and the 
Federal Government alike face challenges in hiring and 
retaining cybersecurity personnel in every part of it, but 
specifically amongst OT experts. How can CISA help build 
baseline OT expertise internally and at each Sector Risk 
Management Agency?
    Mr. Clancy. Zooming out to the macro perspective, we have a 
huge cybersecurity work force gap in the country. I think 
something like 37 percent of cyber vacancies Nation-wide are 
unfilled. There's, I think, 300,000 empty cyber jobs because we 
just don't have the cyber work force capacity writ large across 
the country. This becomes even more challenging for small 
utilities, for the Federal Government, where their salaries 
just aren't competitive enough to attract and retain any of the 
top cyber talent.
    So I think there needs to be broad efforts to just, one, on 
the front end, increase the supply of cybersecurity talent into 
the broader work force so that you have the capacity necessary 
to even fill some of these jobs. Then you need to find ways 
to--first off, there's very few university programs that have 
any focus on OT, particularly industrial control systems, that 
just does not exist in current university curriculum. I think 
NSA's Center for Academic Excellence Program, for example, 
could be expanded, it's something they operate currently 
jointly with DHS, to include an OT cybersecurity focus and be 
able to really broaden university curriculum in this area. That 
would help, I think, with the front-end capacity. I don't know, 
there's probably lots of things we could do on the back end to 
retain them in those jobs as well, but a lot of that comes down 
to compensation and other things.
    Chairman Garbarino. I appreciate that. Actually we are 
working, we are going to be working on some work force 
legislation. So if any of you have, you know, detailed thoughts 
and ideas, please share them with the committee staff, because 
there is something we are going to try to move before the end 
of Congress this session.
    Mr. Lee, I understand some in the industry have discussed 
potentially expanding CISA's Secure by Design guidance to 
include a Secure by Operation type of guidance for OT. How 
could something like this help OT vendors and operators?
    Mr. Lee. Yes, I think, again, the increased focus on this 
is the right area. I would say that at a higher level kind-of 
cross industry, it really needs to be based more on principles 
than specifics.
    But also we have a lot of ability to have a point of view 
and sometimes we don't have it. What I mean by that in terms of 
soft power, if CISA even came out and said, look, here's some 
basic requirements of the next generation PLC, or here's what 
we think good looks like, most asset owners would staple that 
to an RFP out to their vendors and it'd be in the market 
tomorrow. The problem is then, though, that CISA gets an angry 
letter from a vendor, some lawyer gets involved, and they back 
off. So we got to empower them to have points of view on 
national security and be protected from perception to be able 
to do what you're looking for.
    Chairman Garbarino. I appreciate that answer. That is 
actually a great idea.
    So expanding on my JCDC question earlier, I sent a letter 
last year to ask CISA for details about how the JCDC will 
coordinate with similar information-sharing efforts in the 
private sector, like the ARC, and similar efforts in the 
Federal Government, like ETAC at DOE. It is important that 
whatever the structure is, OT should be a priority.
    This is for both Mr. Lee and Mr. Edwards, since you are 
both members of the JCDC. As CISA continues to refine the 
structure of the JCDC, do you think that they should organize 
these spokes on a sector-by-sector basis or by IT versus OT or 
something else?
    Mr. Lee. Yes, I would take for a shot and say that there 
needs to be the IT versus OT separation at the macro level, 
which they have done. There is an ICS or OT-specific JCDC. But 
then in that spoke aspect, it's spot-on. If you look at the 
ETAC as an example, it's a very promising model, but it really 
comes down to all these groups want to share information, but 
very few want to produce it. So we have to have the experts in 
the room using the unique data sources of the governments to 
produce the insights and then share versus waiting on the 
vendors to give them information and then echoing it out.
    Chairman Garbarino. Mr. Edwards.
    Mr. Edwards. Yes, I agree with my colleague. I also would 
add that when it comes to the separation of IT and OT, you 
know, I think we've talked many, many times during this hearing 
that that convergence issue really, we have to address both 
simultaneously, right? You can no longer secure OT without 
securing your IT and vice versa. So although some focus groups, 
I think are a great idea, I think it's also beneficial to have 
that cross-sector and cross-discipline, cross-domain 
pollination, which I think that the JCDC is well-constructed to 
do.
    I would also add that they should build those connections 
into other information-sharing programs. I think we have to 
continue to break these silos down.
    Chairman Garbarino. Thank you very much. All right.
    Mr. Swalwell. Unanimous consent request briefly.
    Chairman Garbarino. Proceed, OK.
    Mr. Swalwell. Mr. Chairman, I ask unanimous consent to 
insert into the record a question for the record from my 
colleague, Mr. Garcia of Long Beach; a statement for the record 
from Open Policy; a joint statement for the record from the 
National Association of Clean Water Agencies and the Water 
Environment Federation; and a statement for the record from the 
Association of Metropolitan Water Agencies.
    Chairman Garbarino. Without objection, so ordered.
    [The information follows:]

                    Question From Rep. Robert Garcia
                            February 6, 2024
    Since the Bioterrorism Preparedness Act of 2001, water systems 
serving more than 3,300 persons have been required to conduct a 
vulnerability assessment and prepare an emergency response plan, which 
was directed to include cybersecurity threats. Then, in 2014 under 
Executive Order 13636: Improving Critical Infrastructure Cybersecurity, 
the National Institute of Standards and Technology created a framework, 
and AWWA issued guidance that provided actionable steps to improve 
cybersecurity. Now 10 years later we are still seeing water systems 
facing increased cyber threats.
    The EPA has now withdrawn their March 2023 cybersecurity rule 
mandating that cybersecurity audits be part of the sanitary surveys; 
how would the witnesses suggest the Government provide water systems 
with the support, both financially and systematically, needed to 
address the cybersecurity challenges immediately facing water systems?
                                 ______
                                 
  Joint Statement of Dr. Amit Elazari, J.S.D., CEO and Co-Founder of 
    OpenPolicy, ISO/IEC 27402 Co-Editor and Lucian Niemeyer, CEO of 
                      Building Cyber Security.org
              Tuesday, February 6, 2024, 10 o'clock AM ET
    Dear Chairman Garbarino, Ranking Member Swalwell, and distinguished 
Members of the subcommittee, thank you for the opportunity to provide 
this written testimony for the record. We appreciate your leadership 
and attention to these critical matters, as well as oversight on the 
key role CISA plays in this domain. My name is Dr. Amit Elazari, and 
I'm the CEO and co-founder of OpenPolicy. I'm the former head of 
cybersecurity policy at Intel Corp. and served as a co-editor of an 
international standard on IoT Security, ISO/IEC 27402 (2023) for 
Security Baseline Requirements. I am joined by the Honorable Lucian 
Niemeyer, who served 11 years on the Senate Armed Services Committee 
professional staff, and then as a Senate-confirmed assistant secretary 
of defense responsible for the management of the Department of 
Defense's facility, energy, and environmental programs. He also served 
in the White House Office of Management and Budget. Based on his work 
in DoD mitigating cyber threats to operational technologies in defense 
assets, he currently runs a national non-profit organization, 
BuildingCyberSecurity.org, committed to enhancing human cybersecurity 
and physical safety in the built environment through the implementation 
of performance frameworks tailored for critical infrastructure sectors.
    By way of background, OpenPolicy is the world's first policy 
intelligence and engagement technology platform, aiming to democratize 
access to policy engagement for entities of all sizes, by leveraging 
scale and technology. OpenPolicy collaborates with, and represents 
leading innovative companies that develop cutting-edge technologies for 
cybersecurity and AI. Members of OpenPolicy include some of the world's 
leading IoT, OT, bot-net prevention and supply chain security companies 
such as Armis, Human Security, FiniteState, Cybeats, and more.
    OpenPolicy engages extensively on product, internet of things 
(``IoT''), and Operational Technology (``OT'') cybersecurity policy 
issues, globally, including on related efforts such as the FCC IoT 
Cyber Trust Mark,\1\ DHS CISA Secure by Design, NIST security 
guidelines development, the European Cybersecurity Resilience Act, and 
more. We are also engaged in standards development initiatives. In 
these engagements, we aim to represent the voice of innovative 
companies that stand at the forefront of developing solutions to 
address emerging threats, and we strive to focus on actionable policy 
recommendations to advance our collective goal to secure and protect 
the Nation.
---------------------------------------------------------------------------
    \1\ See, OpenPolicy, News and events, https://openpolicygroup.com/
news-and-press-release. See also OpenPolicy statement at the launch 
event, at https://www.youtube.com/watch?v=OMXQMsKSOXw.
---------------------------------------------------------------------------
    As extensive hearings and reporting, including in front of your 
subcommittee showcased--we are at an unprecedented level of risk to our 
way of life from cyber threats. The threats on the OT environment, 
including on the critical infrastructure sectors of water, grid, ports, 
hospitals, and transportation systems have been broadly documented, and 
the threat landscape--fueled by the use of AI by the adversaries--
expands each day exponentially.\2\ We must take action now to address 
the threats that OT, IoT, and unsecure assets pose to our Nation. The 
unique challenges of risk to the operational technologies in our 
national infrastructure pose a direct threat to the lives, safety, and 
health of every American. A catastrophic cyber attack to a water system 
can be carried out from a keyboard anywhere in the world on a moment's 
notice. We cannot continue to treat this threat similar to the manner 
we address data breach risk or attacks. Attacks to OT can kill people.
---------------------------------------------------------------------------
    \2\ See Armis, https://www.armis.com/anatomy-of-cybersecurity, 
recent report showing that cybersecurity attacks more than doubled in 
2023, and utilities were the most at-risk industry, with attacks 
increasing over 200 percent. See also Human Security, https://
www.darkreading.com/vulnerabilities-threats/badbox-operation-targets-
android-devices-in-fraud-schemes (surveying recent threats in IoT 
devices).
---------------------------------------------------------------------------
    The President's National Security Telecommunications Advisory 
Committee, ``Information Technology and Operational Technology 
Convergence Report,''\3\ described such threats, alongside the detailed 
reporting and testimonies of security experts to this committee.\4\ 
These testimonies elaborated on the urgent need to consider the threats 
on OT, in conjunction with the broader IoT and unmanaged asset risk,\5\ 
at the core of this threat convergence moment. Industry leaders 
articulated, at length, the need to move forward from legacy (from a 
solution or threat landscape)-focused guidelines and programs to more 
holistic policies for comprehensive contextual mitigation, that scale 
beyond IT.\6\ Recently, Federal Guidance of OMB and FISMA 2024 \7\ 
priorities, building on the IoT Cybersecurity Improvement Act, 
prioritized holistic IoT and OT inventory asset and intelligence, and 
actions to increase IoT device security protection, for Federal 
agencies. Leading experts testifying today have provided extensive 
evidence on the record on the threats posed specifically for the Water 
System and in OT environments, and the current inability of the Water 
Sector to address such threats.
---------------------------------------------------------------------------
    \3\ See, NSTAC report to the President, ``Information Technology 
and Operational Technology Convergence'' https://www.cisa.gov/sites/
default/files/publications/NSTAC%20IT-OT%20Convergence%20Report_
508%20Compliant_0.pdf (NSTAC report).
    \4\ See Dragos's testimony for the Subcommittee on Cybersecurity 
and Infrastructure Protection entitled, ``Securing Operational 
Technology: A Deep Dive into the Water Sector'', under the section 
``The Cyber Threat Landscape for OT Has Shifted Irreversibly'', https:/
/homeland.house.gov/wp-content/uploads/2024/02/2024-02-06-CIP-HRG-
Testimony.pdf.
    \5\ See Armis's testimony for the Subcommittee on Cybersecurity and 
Infrastructure Protection hearing entitled ``Evaluating CISA's Federal 
Civilian Executive Branch Cybersecurity Programs'' regarding automated 
threats from US adversaries, https://homeland.house.gov/wp-content/
uploads/2023/09/2023-09-19-CIP-HRG-Testimony.pdf.
    \6\ Stated in Armis's testimony, id., ``[t]he introduction of 
unmanaged devices and operational technologies present challenges that 
cannot be addressed with legacy models and legacy technology. Present-
day challenges and national security threats are now implementing AI 
and automated capabilities to identify the weakest link in the chain. 
Automated threats from U.S. adversaries requires automation and 
scalability delivering prioritization of cyber defense operators.''
    \7\ See OMB's ``Fiscal Year 2024 Guidance on Federal Information 
Security and Privacy Management Requirements'' under the section of 
``IoT Inventory'' https://www.whitehouse.gov/wp-content/uploads/2023/
12/M-24-04-FY24-FISMA-Guidance.pdf (referring to NIST SP guidance 800-
213A, requiring a broad array of on-device and process controls).
---------------------------------------------------------------------------
    Last week, the Nation's cybersecurity Government leadership further 
testified at length on Chinese threats and their effective infiltration 
of critical infrastructure we collectively rely on, an active and 
actionable threat to many U.S. human lives. They elaborated that any 
path to mitigation requires a holistic, resourced, collective effort of 
industry and Government. In the words of the director of the Federal 
Bureau of Investigation, Christopher Wray, ``[l]et's be clear: Cyber 
threats to our critical infrastructure represent real world threats to 
our physical safety.'' The director of CISA, Ms. Jen Easterly further 
added, ``Imagine . . . [people] start getting sick from polluted water 
. . . an everything, everywhere all at once scenario''.\8\
---------------------------------------------------------------------------
    \8\ See FBI Director Christopher A. Wray testimony in front of the 
House Select Committee on the Chinese Communist Party's hearing 
regarding Chinese cyber attacks against the U.S. https://
www.youtube.com/watch?v=W-MpWmGg5Kw.
---------------------------------------------------------------------------
    The threats are clear and immediate--immediate Congressional action 
paving the path to OT, IoT and Critical Infrastructure resilience--
building on public-private partnership, but equipped with resources, 
measurements, and accountability is needed. Specifically, because OT--
IT convergence creates technology and threat complexity, we believe a 
thoughtful, streamlined, and simple approach for policy making and 
guidelines development is needed. With this in mind, we would like to 
offer several policy recommendations for this honorable subcommittee's 
consideration:
   Cyber risk to IOT, OT, and their connected IT in water 
        systems must be considered by both commercial and public 
        entities as a national human safety issue. Programs and 
        investments to protect water systems from cyber threats can no 
        longer be optional. Just as we address safety in the design and 
        operation of mechanical and electrical systems in water 
        systems, cyber safety must be formally established as an 
        engineering Standard of Care. All water quality safeguards and 
        standards must include cyber protections at the IT/OT 
        interface, the OT/water interface, and be evaluated with new 
        technologies to ensure the water leaving a treatment facility 
        is safe for consumption.
   Critical Infrastructure sector guidelines for cybersecurity 
        must adopt thoughtful incentives to increase measures adoption, 
        focus on mitigation beyond visibility and promote consistency 
        with comprehensive programs for IoT, OT, and product security 
        threat mitigation such as, the implementation of the IoT 
        Cybersecurity Improvement Act (``IoT Law''), FISMA 2024 
        guidance, and CISA ``Secure-by-Design'' effort. The NSTAC 
        report outlined at great length how the adoption of such 
        measures can take shape, and we agree with Tenable's prior 
        testimony on the matter, that broader incentives are required 
        to increase the adoption of security baseline measures, and 
        that these must align with NIST and agency guidelines, but also 
        be adapted to address the threat (OT and IoT).\9\
---------------------------------------------------------------------------
    \9\ See, Tenable testimony for the Subcommittee on Cybersecurity 
and Infrastructure Protection hearing ``Securing Operational 
Technology: A Deep Dive into the Water Sector'', under policy 
recommendations, ``[e]stablish baseline cybersecurity requirements or 
standards of care for critical infrastructure that align with CISA's 
Cross-Sector Cybersecurity Performance Goals, international standards, 
and the NIST CSF, based on effective cyber hygiene and preventive 
security practices.'' 
https://homeland.house.gov/wp-content/uploads/2024/02/2024-02-06-CIP-HRG-Testimony.pdf.
---------------------------------------------------------------------------
   Despite the on-going release of ``guidance'' for OT and IoT 
        security, additional measures are needed to promote private 
        sector, Federal agencies and critical sector operators' 
        adoption of solutions, accountability, and resilience. These 
        can be done via thoughtful procurement incentives that further 
        reduce regulatory duplicity, similar to the IoT Law. For 
        example, funds allocated to technology modernization, 
        procurement, and grants should be accompanied by robust 
        measurements of security control adoption (and on-going 
        adherence), that prioritize innovative solutions that address 
        the current threats. Any further investment into the Water 
        sector (and other critical infrastructure sectors) should 
        reduce, not increase the growing security OT and IoT technical 
        vulnerability debt. This approach is also recognized in other 
        efforts, such as the CHIPS Act, where funding and grants 
        require illustration of approaches to address cybersecurity 
        threats.
   Pilot programs combining solutions with run-time threat 
        intelligence monitoring, can support control adoption, 
        compliance, and scale public-private partnership as well as 
        regulatory adherence. We elaborated on how such a program can 
        support the voluntary ``IoT cyber trust mark'' and believe a 
        similar, technology-first, governance program can be used in 
        this context.\10\
---------------------------------------------------------------------------
    \10\ See Open Policy Ex Parte, IoT Cyber Trust Mark, from Jan. 30, 
2024 https://www.fcc.gov/ecfs/document/10202218608991/1.
---------------------------------------------------------------------------
   Existing Binding Operational Directives and programs such as 
        BOD 23-01, the TMF, and COM program, need be adapted to 
        comprehend holistic unmanaged assets threats and the nature of 
        OT/IoT convergence, to allow faster deployment of innovative 
        solutions. This direction is further consistent with agency 
        requirements to address IoT on-device threats and prior 
        recommendations made on the record as well as the NSTAC 
        proposal. CISA should have proper resources to support such 
        adjustments to the programs, and to manage them.
   More broadly, the holistic threat of OT and IoT should also 
        be addressed as part of any key cyber risk mitigation effort 
        supported by the Government, including controls required under 
        procurement guidance.\11\ Examples of such guidance include the 
        revision of the NIST Cyber Security Framework (CSF 2.0), the 
        CMMC 2.0 effort, and requirements under the Cyber EO (14028) 
        including the ZTA framework itself, which currently do not 
        address OT/IoT threat mitigation controls in a comprehensive 
        (or partial) manner.\12\ Such efforts tend to outline 
        enterprise, cloud, and IT protection controls in isolation from 
        OT/IoT. While forging coherence between OT, IoT, and IT risk 
        and mitigation in key guidance documents applicable to the 
        Federal sector, critical infrastructure operators and the 
        private sector, is a difficult and complex task--we must start 
        paving that path instead of furthering the OT-IT divide--
        especially in regulatory and policy guidance, and given action 
        taken globally (see, e.g., The EU Cyber Resilience Act). In 
        support of broad industry adoption and innovation development, 
        guidelines and control development must remain outcome-focused 
        and vendor/technology agnostic, and follow consensus-based, 
        transparent, stakeholder engagement processes to develop 
        requirements (even in cases of requirements that are not 
        developed by NIST).
---------------------------------------------------------------------------
    \11\ As CISA recognized in its Water security guidance, A key 
challenge to the cyber resilience of the Water Sector, and arguably 
additional OT sectors, is ``governance and regulation [which involves] 
a mix of Federal and State, local, Tribal, and territorial 
authorities''. See also NSTAC report, supra. Notably, while we agree 
with the recommendation for ``enhanced OT specific cybersecurity 
procurement language and ensure all USG OT procurements include 
cybersecurity provisions'' we believe it must be accompanied with ample 
funding and take an holistic approach to OT and IoT threats as we 
describe above.
    \12\ See also NSTAC Report, supra, ``Recommendation: Extend 
existing Federal zero trust guidance into OT where applicable''.
---------------------------------------------------------------------------
   Requirements for SBOM and asset inventory production already 
        exist, under both IoT and IT guidelines, such as the IoT 
        Cybersecurity Improvement Act and the Cyber EO (14028). Such 
        SBOM requirements and accompanying supply chain risk mitigation 
        must be prioritized, consistent with MITRE recommendations.\13\ 
        Supply chain mitigations can be implemented through tailored 
        adoption of the IEC/ISA standard 62443 and ISASecure \14\ 
        developed by the manufacturers of operational technologies for 
        global adoption, among others.
---------------------------------------------------------------------------
    \13\ See MITRE, testimony, supra note 4.
    \14\ ISASecure--IEC 62443 Conformance Certification--Official Site.
---------------------------------------------------------------------------
   While efforts to create a regulatory EPA regime to support 
        cybersecurity adequacy for controls progress, a voluntary pilot 
        program, with CISA and industry, scaled by the latest 
        technologies can shed light on the state of the adoption of 
        measures under the Water Sector Action Plan and state of 
        adoption of measures. The program can support threat-
        information sharing and run-time intelligence gathering on IoT 
        and OT threats posed in these environments, taking a holistic 
        approach as we described above, building on existing efforts 
        outlined by MITRE and Dragos on the record. This pilot can 
        further support on-going Government initiatives such as the IoT 
        Cybersecurity Improvement Act implementation.
   Higher levels of grant funding need to be allocated to 
        prioritize IoT and OT Security measures adoption and such pilot 
        programs, and participation thereof can be valued as part of 
        grant/modernization fund allocation. This approach mirrors the 
        policy approach taken in the IoT Cyber Trust Mark--where 
        voluntary incentives allow for gradual adoption of baseline 
        security measures while fostering accountability and 
        transparency.
   The establishment of an independent oversight and regulatory 
        agency for the water sector security and safety must be 
        informed by an holistic assessment of the effectiveness, 
        timeliness, and responsiveness of Critical Infrastructure 
        Standards \15\ (CIP) implemented by the North American Electric 
        Reliability Corporation (NERC) development. A new agency would 
        need to have the flexibility to quickly respond to emerging OT 
        cyber threat advisories issued by CISA and to translate into 
        affordable and effective direction to the water industry. NERC 
        CIP standards do not currently have that flexibility and 
        revisions are under way to credit utilities for their own 
        implementation of protections above and beyond CIP guidance. An 
        existing water association or standards/framework organization 
        would have the ability to bring the water industry and 
        Government agencies together to develop and implement effective 
        measures for both large and small water systems that are 
        consistently informed by the evolving cyber threat.
---------------------------------------------------------------------------
    \15\ Reliability Standards (nerc.com).
---------------------------------------------------------------------------
    We urge the honorable subcommittee to take comprehensive action 
now, so we do not allow the adversaries to seize any further advantage 
due to programmatic gaps--either in approach, resources, scope, or 
budget.
    While we must continue to survey threats and increase visibility, 
action is needed to drive resilience and mitigation. Building on the 
existing DHS CISA agency work, the body of policy recommendations on 
the record, and founded on persistent public-private partnership--a 
more holistic path toward enhancing the adoption of OT and IoT 
protection measures, increasing measurements and governance, and 
outlining a flexible, vendor-neutral cohesive policy roadmap--with 
accompanying resources--is needed to protect the Nation.
    We thank you again for your leadership and consideration.
                                 ______
                                 
                           Statement of NACWA
                                   February 6, 2024.
The Honorable Andrew Garbarino,
Chairman, Subcommittee on Cybersecurity and Infrastructure Protection, 
        Committee on Homeland Security, U.S. House of Representatives, 
        Washington, DC 20515.
The Honorable Eric Swalwell,
Ranking Member, Subcommittee on Cybersecurity and Infrastructure 
        Protection, Committee on Homeland Security, U.S. House of 
        Representatives, Washington, DC 20515.

RE: Perspectives of Public Clean Water Agencies and Professionals on 
Securing the Operational Technology of America's Water Sector Utilities

    Dear Chairman Garbarino and Ranking Member Swalwell: On behalf of 
the National Association of Clean Water Agencies (NACWA) and the Water 
Environment Federation (WEF), we thank you for holding today's hearing 
of the House Homeland Security's Cybersecurity and Infrastructure 
Protection Subcommittee on Securing Operational Technology: A Deep Dive 
into the Water Sector.
    NACWA represents public wastewater and stormwater agencies of all 
sizes nationwide, with more than 350 public agency members. WEF serves 
as the not-for-profit technical and educational organization of 35,000 
individual members and 75 affiliated Member Associations representing 
water quality professionals worldwide.
    Properly treated and managed wastewater and stormwater are 
essential in protecting both public health and the environment. With 
more than 16,000 publicly-owned treatment works (POTWs) throughout the 
Nation that treat more than 75 percent of America's wastewater, public 
clean water agencies play a prominent role in protecting the public by 
treating billions of gallons of the nation's wastewater. To ensure 
continuity of treatment while cyber threats continue to target 
America's critical infrastructure, efforts must be made to provide 
public utilities with robust voluntary resources to better protect 
themselves from cyber attacks.
    Many utilities have taken proactive steps to improve their 
cybersecurity, investing their limited ratepayer funds to protect their 
infrastructure and operations. NACWA and WEF are very appreciative of 
the extensive resources that already exist at the Federal level:
   The Cybersecurity and Infrastructure Security Agency (CISA) 
        provides free vulnerability scanning services for utilities and 
        resources, such as guidance on best practices, the Cyber 
        Security Evaluation Tool, and vulnerability alerts and updates.
   The U.S. Environmental Protection Agency (EPA) provides free 
        technical assistance and cybersecurity assessment resources.
   The National Institute of Standards and Technology (NIST) 
        provides many best practice resources, including the NIST 
        Cybersecurity Framework.
    In addition to these resources, several water sector organizations 
have developed additional tools for utilities to better prepare against 
cyber threats:
   The Water Information Sharing and Analysis Center 
        (WaterISAC), a non-profit organization comprised of water and 
        wastewater utility managers and administrators, provides up-to-
        date alerts, information, and analysis specifically for the 
        water sector and is managed by the Association of Metropolitan 
        Water Agencies (AMWA).
   The American Water Works Association (AWWA) has developed a 
        Cybersecurity Assessment Tool and Guidance, which assists water 
        sector utility operators on how best to implement applicable 
        cyber controls based on the NIST Cybersecurity Framework that 
        can significantly reduce a utility's vulnerability to a cyber 
        attack.
    Congress can help support clean water agencies in their efforts to 
leverage existing resources and improve cybersecurity in a variety of 
ways, including:
   The Energy and Commerce Committee should act favorably on 
        H.R. 1367, the Water System Threat Preparedness and Resilience 
        Act of 2023, to offset the cost of WaterISAC membership for 
        eligible utilities and help water systems be more aware and 
        prepared for cyber attacks.
   Congress can require wastewater utilities to conduct risk 
        and resilience assessments, including cyber vulnerability 
        assessments, like those required for drinking water utilities 
        under America's Water Infrastructure Act (AWIA) of 2018, and 
        provide funds for small- and medium-sized utilities to conduct 
        these assessments.
    In addition, Federal agencies should be encouraged to work with 
utilities and water sector associations to improve cybersecurity in a 
variety of ways that include:
   EPA, CISA, and WaterISAC should work with the vendors and 
        contractors supplying equipment to the clean water sector to 
        ensure that their products and services are set up and 
        maintained appropriately to ensure that they are secure, 
        including communicating to and training utility staff on best 
        practices.
   EPA and CISA should continue providing Federal support to 
        help prevent attacks through training, cybersecurity services, 
        technical assessments, and pre-attack planning and continue 
        providing an incident response to assist the sector in reducing 
        the scale and duration of impacts if attacked. The agencies 
        should consider collaborating with NACWA and WEF to develop 
        additional guidance documents and resources to help clean water 
        utilities understand and implement cybersecurity best 
        practices.
   Speed, flexibility, and responsiveness are critical in the 
        rapidly-evolving world of cybersecurity. Encouraging public 
        utilities to use existing tools, resources, and best practices 
        will improve resilience to cyber attacks faster than cumbersome 
        regulatory structures enacted by Federal agencies or a third-
        party entity.
    Last, as many clean water utilities are already fully engaged in 
improving and maintaining existing cybersecurity protocols, NACWA and 
WEF firmly believe that allowing clean water utilities to improve their 
cybersecurity voluntarily, rather than implementing a direct or third-
party quasi-regulatory system, is the best approach for wastewater 
utilities for a variety of reasons that include:
   Developing a regulatory approach for clean water utilities, 
        such as third-party oversight within EPA, will take years, and 
        a one-size-fits-all approach to cybersecurity will not provide 
        for innovative, collaborative, cross-sector approaches for 
        developing, designing, and implementing successful 
        cybersecurity programs in the sector.
   Clean water utilities can leverage existing resources 
        immediately rather than waiting to see what regulations are 
        finalized to avoid taking measures that may be duplicative or 
        not meet the requirements of potential regulations.
   Since clean water utilities may be part of city or county 
        government that are already subject to State cybersecurity 
        requirements, a voluntary approach to cybersecurity allows 
        flexibility for utilities to develop cybersecurity approaches 
        and practices that meet their needs and that can be developed 
        in line with best practices from other brother/sister utilities 
        and city/county departments.
    NACWA and WEF thank the subcommittee for the opportunity to submit 
comments. We look forward to working with your members on Federal 
policies that maintain and provide clean water utilities with resources 
that will provide speed, flexibility, and responsiveness to adapt to 
cybersecurity threats. Encouraging public utilities to use existing 
tools, resources, and best practices will improve resilience to cyber 
attacks.
    If you have any questions, please have your staff contact Matt 
McKenna (mmckenna@nacwa.org) or Steve Dye (sdye@wef.org).
            Sincerely,
                                    Nathan Gardner-Andrews,
    Chief Advocacy & Policy Officer, National Association of Clean 
                                                    Water Agencies.
                                                 Steve Dye,
 Senior Director, Government Affairs, Water Environment Federation.
                                 ______
                                 
         Letter From Association of Metropolitan Water Agencies
                                  February 6, 2024.
The Honorable Andrew Garbarino,
Chairman, Subcommittee on Cybersecurity and Infrastructure Protection, 
        U.S. House of Representatives, Washington, DC 20515.
The Honorable Eric Swalwell,
Ranking Member, Subcommittee on Cybersecurity and Infrastructure 
        Protection, U.S. House of Representatives, Washington, DC 
        20515.
    Dear Chairman Garbarino and Ranking Member Swalwell: The 
Association of Metropolitan Water Agencies (AMWA) appreciates the 
opportunity to submit this statement for the record of today's hearing 
on ``Securing Operational Technology: A Deep Dive into the Water 
Sector.'' AMWA's members provide quality drinking water to more than 
160 million Americans from coast to coast, and the threat of cyber 
intrusions and malicious attacks is a growing concern to these water 
systems as well as other critical infrastructure owners and operators. 
We commend the subcommittee for looking into this important issue.
    As we recently testified before the House Subcommittee on 
Environment, Manufacturing, and Critical Materials,\1\ drinking water 
systems represent an attractive target for cyber attackers, and a 
successful attack could not only threaten water quality and public 
health, but also undermine Americans' confidence in their drinking 
water nationwide. The recent breach of an industrial control system 
device at Pennsylvania's Municipal Water Authority of Aliquippa,\2\ 
along with those at several other water systems, was just the latest 
example of why utilities of all sizes must remain on guard against 
cyber intrusions.
---------------------------------------------------------------------------
    \1\ https://www.amwa.net/testimonycomments/amwa-testimony-house-subcommittee-hearing-cybersecurity.
    \2\ https://industrialcyber.co/industrial-cyber-attacks/iranian-hacker-group-cyberav3ngers-allegedly-breach-municipal-water-authority-of-aliquippa/.
---------------------------------------------------------------------------
    Given the complexity of the issue, it is essential that 
stakeholders and the Federal Government maintain open lines of 
communication and pursue cooperative approaches to closing cyber gaps. 
While drinking water systems will primarily work through EPA in its 
capacity as the Sector Risk Management Agency for the Water and 
Wastewater Systems Sector, our members also value the guidance and 
tools offered by Cybersecurity and Infrastructure Security Agency 
(CISA) to help water systems remain cyber-secure.
    As members of this subcommittee, along with their colleagues in 
Congress, explore ways to help water systems improve their cyber 
posture, AMWA believes it would be especially valuable to focus efforts 
on expanding participation in existing resources like WaterISAC, and 
leveraging sector-based expertise to expose water systems to 
appropriate cyber best practices.
       Promote Participation in Existing Resources Like WaterISAC
    The Water Information Sharing and Analysis Center, or WaterISAC, 
was established in 2002 with seed money from the Federal Government and 
subsequent congressional appropriations. One of two dozen ISACs 
operating across the nation's critical infrastructure sectors, 
WaterISAC annually issues hundreds of advisories, maintains a portal 
for water utility members, and hosts webinars and threat briefings. The 
center also receives incident reports and conducts threat analyses to 
help water and wastewater utilities stay ahead of the threat curve. 
AMWA has a management agreement through which it operates WaterISAC on 
behalf of the water sector.
    WaterISAC's membership is comprised of water and wastewater 
utilities that serve about 60 percent of the U.S. population. The 
center is funded exclusively through member dues, and although these 
dues are structured on a sliding scale based on system size--with the 
smallest water and wastewater systems able to join for little more than 
$100 annually--WaterISAC faces challenges in connecting with the 
thousands of water and wastewater systems across the country. At 
present, only about 400 of the nation's nearly 50,000 community water 
systems and 16,000 wastewater systems are WaterISAC members that enjoy 
full access to the complete library of threat and vulnerability alerts, 
subject matter expertise, and other information. Lacking access to 
these essential resources could prove detrimental to a water system in 
a time of crisis.
    In recent years Congress has recognized the value of expanding 
access to ISACs serving other critical infrastructure sectors. For 
example, the Infrastructure Investment and Jobs Act of 2021 authorized 
a new Energy Department program to expand bulk power systems' access to 
the ISAC serving the Electric Sector.\3\ AMWA has endorsed legislation 
that would direct EPA to similarly support water systems' access to 
WaterISAC,\4\ but we would be eager to explore if there could be a role 
for the Department of Homeland Security to help raise awareness of, and 
offer support for, participation of the ISACs serving water and other 
critical infrastructure sectors.
---------------------------------------------------------------------------
    \3\ P.L. 117-58, Section 40125(c).
    \4\ https://www.amwa.net/letter/letter-support-water-system-threat-preparedness-and-resilience-act.
---------------------------------------------------------------------------
Leverage Sector-Based Expertise to Expose Water Systems to Appropriate 
                          Cyber Best Practices
    Currently there is a wealth of information available to water 
systems aiming to improve their cyber defenses. For example, 
WaterISAC's free 15 Cybersecurity Fundamentals for Water and Wastewater 
Utilities is a menu of best practices for the protection of information 
technology and industrial control systems. First published in 2012 and 
most recently updated in 2019, the 15 Fundamentals recommend 
straightforward but sometimes overlooked tasks like enforcing user 
access controls and performing asset inventories. Other recommendations 
in the guide address vulnerability management and creating a 
cybersecurity culture.\5\
---------------------------------------------------------------------------
    \5\ The complete list of 15 water sector cybersecurity 
fundamentals, available at waterisac.org/fundamentals, consists of: 1. 
Performing Asset Inventories, 2. Assessing Risks, 3. Minimizing Control 
System Exposure, 4. Enforcing User Access Controls, 5. Safeguarding 
from Unauthorized Physical Access, 6. Installing Independent Cyber-
Physical Safety Systems, 7. Embracing Vulnerability Management, 8. 
Creating a Cybersecurity Culture, 9. Developing and Enforcing 
Cybersecurity Policies and Procedures, 10. Implementing Threat 
Detection and Monitoring, 11. Planning for Incidents, Emergencies, and 
Disasters, 12. Tackling Insider Threats, 13. Securing the Supply Chain, 
14. Addressing All Smart Devices, 15. Participating in Information 
Sharing and Collaboration Communities.
---------------------------------------------------------------------------
    Another key resource available to the sector is CISA's 
vulnerability scanning tool, a free service that allows utilities and 
other industrial control system operators to scan their networks for 
known vulnerabilities, weak configurations, and suboptimal security 
practices.\6\ The National Institute of Standards and Technology (NIST) 
offers a cybersecurity framework featuring an inventory of existing 
standards, guidelines, and practices for water systems and other 
network-connected organizations to manage and reduce cybersecurity 
risk.\7\
---------------------------------------------------------------------------
    \6\ https://www.cisa.gov/resources-tools/services/cisa-vulnerability-scanning.
    \7\ https://www.nist.gov/cyberframework.
---------------------------------------------------------------------------
    Last month EPA, CISA, the FBI, and other Federal partners 
collaborated with water sector stakeholders to release the Incident 
Response Guide for the Water and Wastewater Systems (WWS) Sector.\8\ 
The document provides information about Federal support available to 
water and wastewater systems throughout the incident response process 
and features a range of measures that drinking water and wastewater 
systems may choose to adopt to improve their cyber posture.
---------------------------------------------------------------------------
    \8\ https://www.cisa.gov/resources-tools/resources/water-and-wastewater-sector-incident-response-guide-O.
---------------------------------------------------------------------------
    Through these and other resources, water system owners and 
operators have a range of opportunities to identify cybersecurity 
strategies that can strengthen the defenses of their information 
technology and operational control systems. Unfortunately, too many of 
the nation's 50,000 community water systems lack the appropriate 
personnel to make sense of these tools or the funding to put them into 
action.
    In AMWA's testimony last month before the Environment, 
Manufacturing, and Critical Materials Subcommittee the association 
offered to work with Congress to explore ways to encourage all the 
nation's community water systems to adopt appropriate cybersecurity 
best practices through a tiered, risk-based program led by water sector 
experts, and overseen by EPA in its capacity as the Water and 
Wastewater Sector's Sector Risk Management Agency. We also urged the 
panel to avoid prescriptive, one-size-fits-all Federal mandates that 
may not lead to workable outcomes for many of the nation's thousands of 
community water systems.
    As these discussions continue, we would welcome the opportunity to 
work with you to explore how CISA may be able to support these efforts 
to connect water sector stakeholders with appropriate cyber resources.
                               Conclusion
    Thank you for the opportunity to submit this statement for the 
record of today's hearing, and we look forward to working with you to 
increase the cyber preparedness and resilience of the nation's water 
systems.
            Sincerely,
                                               Tom Dobbins,
                                           Chief Executive Officer.

    Mr. Swalwell. Yield back.
    Chairman Garbarino. Thank you for the valuable testimony 
and the Members for their questions today.
    Members of the subcommittee may have some additional 
questions for witnesses, and we would ask the witnesses to 
respond to these in writing. Pursuant to committee rule VII(D) 
the hearing record will be held open for 10 days without 
objection.
    The subcommittee stands adjourned.
    [Whereupon, at 11:35 a.m., the subcommittee was adjourned.]


                            A P P E N D I X

                              ----------                              

       Questions From Chairman Andrew Garbarino for Robert M. Lee
    Question 1a. From your perspective, what more can CISA do to lead 
the way on OT security as the Sector Risk Management Agency (SRMA) for 
8 critical infrastructure sectors?
    Answer. I testified that when Government partners closely with the 
private sector and uses their expertise, we achieve better outcomes. 
CISA has an important role in bringing together industry and Government 
experts to help all sectors, including those 8 for which they are the 
SRMA, to identify and address risks to OT security. The establishment 
of the Joint Cyber Defense Collaborative (JCDC) as a center to work 
directly with industry to prioritize and address cross-sector, 
strategic threats to our critical infrastructure was an important first 
step.
    We also know that adversaries are targeting not just IT systems of 
our Nation's critical infrastructure, but also industrial control 
systems (ICS) and operational technology (OT), or the specialized 
networks that interact with the physical environment, such as a control 
system that opens a circuit breaker on an electric substation or a gas 
turbine control system that generates electricity. They are what makes 
critical infrastructure critical. So, it was important that CISA 
also stood up an OT-specific group within the JCDC to address ICS/OT 
threats because these networks are distinct from IT networks and 
require a different approach to protecting them, including different 
controls. Analyzing threats to ICS/OT and developing mitigations also 
requires a unique set of subject-matter experts that have experience 
operating in those environments. This makes it even more essential for 
CISA and other agencies to collaborate with industry, because many of 
those experts operate critical infrastructure, or come from 
cybersecurity vendors or original equipment manufacturers (OEMs). 
However, CISA, the JCDC and its OT group must continue to evolve. The 
structures are in place; now they need to mature in how they deliver 
value and information back to industry.
    To be most effective, CISA must operate at the strategic level 
providing focused and strategic guidance to industry based on the 
scenarios and threats that are most likely, or most important. 
Organizations can't protect against everything, or invest in every 
possible control. Especially in ICS/OT environments, CISA must identify 
priorities and define what threats and scenarios organizations need to 
protect against. They must also share with industry why these 
threats or scenarios are prioritized. Then, industry owners/operators 
can work with their vendors and suppliers to determine how to best 
implement in their environments.
    Question 1b. What more can CISA do to support the prioritization of 
OT security at SRMAs like the Department of Energy (DOE) and 
Environmental Protection Agency (EPA)?
    Answer. I testified that critical infrastructure owners and 
operators would be best served by a unified voice from government on 
priorities. CISA can work with other SRMAs, such as DOE and EPA, to 
deliver priorities and requirements to industry in a streamlined and 
unified way. Similar to the Fact Sheet on Top Cyber Actions for 
Securing Water Systems and the Incident Response Guide that CISA, DOE 
and the FBI released last month, multi-seal, coordinated documents help 
to streamline the way operators receive information. They can spend 
their time on mitigations and addressing risk, rather than sifting 
through multiple guidance documents and trying to determine priorities. 
It is also absolutely essential that these documents are informed by 
industry and not developed in a Government vacuum. Especially when it 
comes to ICS/OT, much of the subject-matter expertise lies within the 
sector owners and operators and the vendors who partner with them.
    An additional way that CISA can partner with agencies like DOE and 
EPA is on sector-specific exercises. Once organizations have incident 
response plans in place, it is important to test them under blue sky 
conditions, alongside Government and industry partners. CISA should be 
a participant in well-established sector-specific exercises, such as 
GridEx, to test how to better streamline Government interactions with 
operators during an incident. They can also work with agencies, such as 
EPA, to develop exercise capacity for the sector. Exercise design 
should include targeting of and impact to OT systems.
    Question 2a. How is information shared between the organizations 
and Federal agencies that monitor threats, and water and wastewater 
utility providers?
    Answer. Currently, cyber threat information for the water and 
wastewater sector is shared through a variety of ways. Water and 
wastewater providers provide information to a number of different 
agencies, including their FBI field office, EPA, CISA, and others. 
Organizations may also reach out to or seek information via the Water 
Information and Analysis Center (ISAC) and trade associations, as well 
as vendors, including Dragos. Many water and wastewater providers 
are simply too small to have staff proactively engage with any of these 
organizations on a regular basis. This is an area where EPA and CISA 
regional programs can help fill a gap.
    Question 2b. Is this information meeting the sector's needs to 
respond to threats?
    Answer. Particularly when it comes to ICS/OT, it is not a matter of 
how much information is available, but instead ensuring that 
organizations have access to prioritized threat information, with 
recommended actions and mitigation measures. CISA can help by making 
sure this information is prioritized and actionable. For example, 
Dragos analyzes vulnerability advisories associated with ICS/OT 
environments and prioritizes them. In 2023, Dragos analyzed 531 
advisories and found that 74 percent of vulnerabilities had no 
mitigation when they were announced. Nineteen percent had no patch and 
no mitigation. Dragos provided missing mitigation advice for 49 percent 
of the advisories analyzed.\1\
---------------------------------------------------------------------------
    \1\ Dragos 2023 ICS/OT Year in Review.
---------------------------------------------------------------------------
    Question 2c. What processes are in place to ensure this information 
can be shared with others, when appropriate? What can be done to 
improve this flow of information?
    Answer. CISA, along with other SRMAs and ISACs, has established 
processes in place to ensure that information can be shared with 
others, when appropriate. The need now is to make sure that the 
information actually can be used by critical infrastructure 
organizations to decrease risk and address threats and vulnerabilities. 
CISA needs to be able to hire the technical expertise to contextualize 
data from multiple sources to provide threat analysis and actionable 
information to other Government partners, such as the SRMAs, and also 
back out to industry. This will be especially important as they 
implement the requirements in the Cyber Incident Reporting for Critical 
Infrastructure Act of 2022 (CIRCIA). They need to be able to take in 
all of the information reported, analyze it, and turn it back around to 
industry with actionable insights and guidance.
    Finally, those sharing information need to know that their 
information is protected when they share with CISA or other Government 
agencies. For example, Dragos' Neighborhood Keeper solution shares 
threat intelligence at machine-speed across industries and geographic 
regions. It can detect supply chain risks, vulnerabilities, and cyber 
threats that need to be identified and remediated. It also ensures the 
identities of participants are technologically irreversible from the 
data to allow anonymous and secure sharing, including with Government 
partners.
      Questions From Chairman Andrew Garbarino for Charles Clancy
    Question 1. How is information shared between the organizations and 
Federal agencies that monitor threats and water and wastewater 
utilities? Is this threat information meeting the sector's needs?
    Answer. Response was not received at the time of publication.
    Question 2. How do utilities share information about attacks they 
experience with the appropriate Federal agencies and organizations so 
that information can be shared with others? What can be done to improve 
this flow of information?
    Answer. Response was not received at the time of publication.
      Questions From Chairman Andrew Garbarino for Kevin M. Morley
    Question 1. In the first month of 2024, CISA released over 20 
Industrial Control Systems (ICS) Advisories, alerting owners and 
operators of mitigations for ICS vulnerabilities. The prevalence of 
vulnerabilities within OT systems highlights how cyber risks threaten 
the operation of U.S. critical infrastructure. Other than issuing 
advisories and guidance, how can CISA encourage owners and operators to 
build resilience into critical systems?
    Answer. CISA's effort to identify vulnerabilities is an exceptional 
value, however there are opportunities to improve uptake in the field. 
Collaboration with the owner/operators that are directly impacted by 
the vulnerability is essential to ensure that the message is properly 
contextualized for the target audience. There are a few points that I 
would like to make that influence engagement on the information 
developed by CISA and provide opportunities for improvement.
   Value.--The immediate notice of product-specific 
        vulnerabilities provides a very tactical level of information 
        that is foundational to supporting mitigation. This is 
        essential to provide a clear articulation of the vulnerability 
        for specific products that are often used across multiple 
        critical infrastructure sectors.
   Unconscious competence.--The product-specific nature of many 
        advisories means they are written at a highly technical level. 
        This is necessary, but as a result they typically assume a 
        fairly high-level cybersecurity competency. This means that the 
        information is only accessible to a very specialized community 
        of interest that possess the skills needed to action the 
        information provided.
   Volume and relevance.--Unfortunately because security was 
        often not a priority design consideration until the past 
        several decades or so, software vulnerabilities are constantly 
        being discovered. As a result, the sheer volume of notices and 
        advisories generated by CISA--through no fault of its own--can 
        be overwhelming. This volume becomes noise, especially for 
        entities that do not have sufficient in-house capacity to 
        monitor and assess the relevance to their operations. 
        Determining relevance is difficult absent an additional level 
        of screening that could more effectively signal the level of 
        priority for sector-specific applications that could be 
        impacted by the identified vulnerability. The latter can be 
        difficult; however the vendor/manufacturer community should work 
        more closely with CISA to rate the relevance and risk of 
        various vulnerability alerts.
    Recommended Action.--Bridging the knowledge transfer gap is the 
challenge that requires a different level of collaborative engagement 
with critical infrastructure owner/operators, product and technology 
providers, and system integrators. Understanding where and how a 
specific product is used is essential to properly contextualizing the 
relevance of an advisory to various critical infrastructure sectors. 
The absence of this information places the burden of discovery on the 
end-user of the product that may or may not have in-depth understanding 
of all the components that support their operations. Again, given the 
frequency that CISA issues these notices the end-user community suffers 
from information overload absent a clear mechanism to signal relevance. 
A simple comparison would be the recall notices issued by the National 
Highway Traffic Safety Administration. If an NHTSA notice only stated 
that XYZ part was defective and omitted information about the specific 
class of vehicles that used the part the burden would be on all vehicle 
owners to determine the relevance. This would miss the safety objective 
of the NHTSA recall notice. CISA needs to work with the stakeholder 
community to provide a signal on the relevance to support the risk 
management objective of the advisories. Collectively we need to make it 
easier for the end-user to act on the mitigation guidance provided by 
CISA by signaling relevance.
    Question 2. It is important to prioritize security as critical 
infrastructure owners and operators adapt to the convergence of IT and 
OT systems. As IT systems continue to modernize, what more can the 
Federal Government do to ensure the private sector can maintain the 
security of legacy OT systems that are dependent on legacy IT systems?
    Answer. The water sector lacks a dedicated funding program that is 
targeted on supporting the replacement of legacy systems that have 
inherent cybersecurity vulnerabilities. Currently authorized funding 
programs managed by the U.S. Environmental Protection Agency, as well 
as USDA, can be used for cybersecurity projects but must compete with a 
wide array of needs. The absence of funding specifically to 
address cybersecurity and transformation of legacy systems means the 
digital divide will continue to widen as cyber adversaries expand their 
capabilities.
    The State and Local Cybersecurity Grant Program (SLCGP) managed by 
CISA is in the early stages of deployment. While the cybersecurity 
needs of drinking water and wastewater appear to be eligible, it 
remains to be seen if any funding is awarded by States administering 
the program to the water sector. While CISA has stated that 
cybersecurity in the water sector is a high priority, the guidance 
provided for SLCGP implementation provided no such prioritization 
criteria to inform funding allocations by the State programs. 
Therefore, the effectiveness of this program in addressing some of the 
cybersecurity needs of water utilities is currently unknown.
    A key challenge for the most disadvantaged systems is their 
capacity to actually develop and submit a funding request to any of the 
available programs. Technical assistance to support applications is a 
key factor in overcoming the digital divide, which will continue to grow as 
utilities with legacy systems face competing priorities to satisfy new 
regulatory obligations on drinking water and wastewater operations that 
strain budgets that are 100 percent dependent on ratepayers.
    Finally, providing clearly-defined eligible criteria for 
cybersecurity activities is necessary to provide certainty on the 
viability of existing funding programs or those developed in the future 
to support implementation of various cybersecurity controls. Currently 
there is a degree of uncertainty that may inhibit the effective 
application of funding programs to support cybersecurity objectives. 
EPA, USDA, and CISA should establish a workgroup with water utilities 
to examine a series of prospective cybersecurity projects necessary to 
properly address legacy systems, identify constraints with funding 
program eligibility and what authorities may need to be changed to 
support more effective application of the funds relative to water 
utility needs and overall cybersecurity risk management objectives.
    Recommended Action.--Establish dedicated funding to prioritize 
replacement of legacy systems. This includes appropriating the funding 
authorized in America's Water Infrastructure Act of 2018 that was 
intended to support the risk and resilience management efforts of 
drinking water systems.
    Question 3. How is information shared between the organizations and 
Federal agencies that monitor threats, and water and wastewater utility 
providers? Is this information meeting the sector's needs to respond to 
threats? What processes are in place to ensure this information can be 
shared with others, when appropriate? What can be done to improve this 
flow of information?
    Answer. Improved functionality and collaboration between Federal 
partners and water sector subject-matter experts via the WaterISAC is 
essential to assess the applicability and relevance of cyber threat 
information to water-sector stakeholders, including clarity on actions 
to be taken. EPA and CISA should partner with the sector to expand 
awareness of and access to these resources.
    We recommend that CISA and EPA, as the Sector Risk Management 
Agency (SRMA), work with partners like the WaterISAC and the Water 
Sector Coordinating Council to properly contextualize threat 
information prior to its release.
    Recommended Action.--Establish a standard operating procedure for 
the inclusion of subject-matter experts from the water sector community 
(owner/operators, service providers, product developers) into the 
review and development of threat alerts and advisories to ensure that 
the information transmitted to the sector is concise, actionable, and 
properly contextualized.
       Questions From Chairman Andrew Garbarino for Marty Edwards
    Question 1. Does the United States need a uniform security standard 
that applies to water and wastewater utilities?
    Answer. Response was not received at the time of publication.
    Question 2. If so, what oversight mechanisms can be used to ensure 
those standards are met?
    Answer. Response was not received at the time of publication.

                                 [all]