From the U.S. Government Accountability Office, www.gao.gov
Transcript for: Critical Infrastructure Cybersecurity: Watchdog Report Deep Dig Edition
Description: In this Deep Dig edition of the Watchdog Report, GAO experts talk about why cybersecurity is crucial for the nation's critical infrastructure sectors; who's involved, what role the federal government plays, and what can be done to make these areas safer.
Released: April 2020
[Music]
>> Matt Oldham: Cyber Security. It's not just limited to your phone or PC. As more systems and services become more connected, things like banks, the electric grid, or the pipelines of our country become bigger targets for cyber attacks. Welcome to this Deep Dig edition of the Watchdog Report. A different podcast focusing on larger issues. We're going to hear from the people behind the work at GAO, their efforts and their experiences. You know, things we could dig deeper on. And for this episode, we take a look at cybersecurity protection for the nation's critical infrastructure.
[Music]
In 2013 hackers attacked a flood control dam in upstate New York. They also targeted the New York Stock Exchange, banks, and other critical infrastructure areas. And while they weren't able to fully access the dam's controls, it certainly serves as an example for other areas of everyday life that are also vulnerable to cyber attacks. Like the electric grid we rely on for power, or pipelines carrying oil or natural gas for our cars and homes. And with me to talk about critical infrastructure cybersecurity protection are Bill Russell, Neela Lakhmani, and Kaelin Kuhn. Thanks for joining me.
>> Bill Russell: Thanks for having me.
>> Neela Lakhmani: Thank you.
>> Matt Oldham: Kaelin, you work on electric grid issues. Can you tell us a little bit about the nature of the vulnerabilities there? What are they? Where are they?
>> Kaelin Kuhn: Absolutely.
So although there are some great components that are vulnerable to cyber attacks, it's unclear what impact cyber attacks will actually have on the electric grid here in the US. So starting with vulnerabilities, the electric grid is vulnerable to cyber attacks, particularly on industrial control systems. So what are those systems? They look a lot like IT systems. They're used to support the control of electric power generation, transmission, and distribution. And these systems they were once isolated from the Internet, but now they're increasingly connected. And this increases the risk of cyber attacks on the systems moving forward. But right now the biggest unknown is the impact of such a cyber attack on the grid. So for starters, there haven't been any cyber security incidents that have resulted in a power outage here in the US. That said, we do know of one cyber attack, or at least one cyber attack on foreign industrial control systems that have resulted in power outages. Specifically in December 2015, malicious actors that Ukraine linked to the Russian government conducted cyber attacks on three Ukrainian utilities. And this actually resulted in a three-hour loss of power for more than 200,000 customers.
>> Matt Oldham: So we haven't seen a cyber attack yet here in the US. How do agencies like the Department of Energy determine what the impact may be?
>> Kaelin Kuhn: Federal assessments of the potential impacts of such an attack have had some pretty significant limitations that make it unclear what the impact of such an attack would be. So, for example, in 2017 the Department of Energy developed an assessment that identified the potential range of electricity load loss from a cyber attack on the electric grid. However, after we spoke with Department of Energy officials about this assessment, we learned that the assessment only reviewed potential cyber attacks on the Western interconnection, which is one of the three grids that exists here in the continental US.
And it actually used a reduced model of the interconnection as it existed in the early 1980s. And that actually represented less than a quarter of the interconnection's actual capacity as it exists today. So as a result, we really can't rely on this assessment for an accurate picture of what impact a cyber attack would have here on the grid.
>> Matt Oldham: And just because it hasn't happened doesn't mean we're immune to attack, right?
>> Kaelin Kuhn: Absolutely. We're still vulnerable. And we certainly still need to take some steps to make sure that we're addressing those potential threats.
>> Matt Oldham: I'd like to move to pipeline infrastructure now. Bill, this is an area that you're an expert in. Could you talk about pipelines? Are they as far-reaching across the country as something like the electric grid is?
>> Bill Russell: There are over 2.7 million miles of pipelines across the US transporting everything from natural gas, oil, other hazardous materials.
>> Matt Oldham: And do you see some of the same issues that Kaelin had mentioned when he was talking about the electric grid?
>> Bill Russell: Just recently, as Kaelin mentioned there, the pipeline networks also have these industrial control systems. One of the pipeline operators came under cyber attack just recently in which they lost partial visibility into reading some of the data from those controls. And as a result had to shut down their system to try to ensure that there wasn't an accident or another bad outcome from that.
>> Matt Oldham: So I can easily picture what it would look like if there was an attack on the electric grid, and it resulted in a loss of power. But I had to ask, Bill, what would a cyber attack on the pipeline look like?
>> Bill Russell: Those sorts of disruptions could increase the price of natural gas and oil. It could be one economic impact. A lot of these pipelines run through urban areas, densely populated areas.
So to the extent that it caused a physical rupture in a pipe or some other circumstance, you know, there could be damage there as well, not to mention just shortages in the entire energy network.
>> Matt Oldham: So could a cyber attack result in something that could threaten life or property?
>> Bill Russell: That's the potential, so if you can hack into some of the key pressurization controls, some of those industrial control systems then there is the potential that you could cause a physical rupture in the pipe or some other explosion, depending on where it would occur, obviously could cause harm to that community. That is one of the risks to contend with.
>> Matt Oldham: Neela, up to now we have been talking about two specific areas, the electric grid and the pipeline, and you've worked on a national security framework. What concerns you about the prospect of keeping these critical infrastructures secure from cyber attacks?
>> Neela Lakhmani: Well, just to step back for some of our listeners in terms of the framework, so the National Institute of Standards and Technology developed this voluntary framework of cybersecurity standards and procedures to better address some of these cyber threats that we've been discussing across the critical infrastructure sectors, such as financial institutions, health care, energy, just to name a few. And what the framework does it helps organizations better manage their cybersecurity risks. Now, during the course of our recent review we met with the agencies that have the lead roles in protecting the critical infrastructure. And just trying to get an understanding whether they knew the extent to which the framework had been adopted by the sectors. And what we found is that they, you know, they're facilitating and encouraging the use of the framework, but they didn't really know who was using it and how it was being used.
>> Matt Oldham: That sounds like it could be a little problematic.
Did GAO raise this issue about the use of the framework?
>> Neela Lakhmani: So we not only met with the agencies, we also reached out to a few private organizations within a few of the sectors, and we asked them, you know, if you're using the framework, you know, have you realized any improvements from that, and what those could be? And again, here, we found that they've realized some improvements, you know, such as identifying risks. You know, they've been able to implement, you know, common standards and guidelines within their organizations. But most of them raised a few concerns to us, you know, in terms of how they go about, you know, measuring these improvements. And these concerns were also shared by the agencies we spoke with, so it included, you know, not having precise measurements of improvement that it doesn't exist, according to them. And there was no centralized information sharing mechanism that they could use to share some of that information.
>> Matt Oldham: And did any other issues come up?
>> Neela Lakhmani: They also raised the issue of the nature of the framework itself being voluntary. So that was, you know, they're not compelled to do it, they have a lot of existing regulations. And, you know, they want guidance that they have to follow. A lot of the practices that's in the framework, they feel they're already addressing it within their own, you know, whatever they're implementing in terms of regulations that they have ongoing right now. And then we spoke to small and medium organizations and they added to the list. They also mentioned, you know, they didn't have the technical expertise, you know, no resources to be able to implement guidelines such as the framework, you know, within the sector so that they can help, you know, better manage cyber security risks.
>> Matt Oldham: So for many of our podcasts, and GAO reports, for that matter, a lot is talked about the relationship among and between federal agencies.
But you're talking a lot about private companies and industry. Do the companies seem to have the same interests as the federal government does regarding this framework?
>> Neela Lakhmani: I think the issue here is the sharing of information that would be important across sectors. So not just within your sector, but share that across sectors. And, you know, there are ongoing initiatives right now within the Department of Homeland Security, as well as with the National Institute of Standards and Technology that could alleviate some of these concerns that the organizations have. So it's important for the agencies to work across, you know, their respective sector partners. And you have a number of different entities out there with various roles to fill. You know, so an example is a Sector Coordinating Council, which is this group of non-federal organizations that basically serve as the voice for the sector, and they are the principal entryway for the government to coordinate with the sector. So you have all these organizations out there. They just need to find a way to work together to share information with their sectors. You know, identify certain threats, you know, being able to push that out, you know, if they've identified certain best practices, share that across others that could also use similar ways to address some of the cyber threats that we have.
>> Bill Russell: And then just to build on what Neela was saying, I know from the operator standpoint there is a real hunger for information about, especially cyber security and how they can best protect their networks. So having that good dialogue with some of the key federal agencies and getting up to date information is really, really critical.
>> Matt Oldham: And, Kaelin, have you seen something similar on the electric grid side?
>> Kaelin Kuhn: Absolutely. And, you know, most of the grid is actually owned and operated by private industry.
So these organizations do most of the heavy lifting when it comes to implementing these cyber security practices. And Neela mentioned information-sharing just a moment ago as well. It's obviously very important as these organizations share information about the threats that they're seeing. The Department of Energy stood up a program they refer to as the Cybersecurity Risk Information Sharing Program, and that actually uses sensors at the borders of utilities' networks to monitor and compare the traffic that's coming in and out of those networks to classified and unclassified threats. And that allows DOE to warn utilities of potential attacks.
>> Matt Oldham: So is there anything that can make all this more secure?
>> Neela Lakhmani: Well, I think from, you know, just as a broad -- I think there's a need to promote basic cyber hygiene across, and also to promote some of these programs that some of these agencies have underway, and how that can serve as avenues for supporting, improving defenses across the sectors.
>> Bill Russell: Also having a workforce that's well versed in cyber security issues, and trained on how to do that on top of their normal specialty. For example, pipeline security, and then to make sure that some of the key documents that, for example, how you're going to respond to an incident? You know, does industry report to Homeland Security, vice versa, sharing of alerts, is that clear, and is that up to date? And folks are knowledgeable about what to do?
>> Neela Lakhmani: And also if they knew who to turn to, if something happens.
>> Bill Russell: Exactly.
>> Neela Lakhmani: You know, how will they respond?
>> Kaelin Kuhn: I think two of the biggest challenges, and I think, you know, my colleagues have already hit on them already, that we saw on electric grid work, you know, were sharing of threat information and making sure that you have cybersecurity professionals with the knowledge and skills needed to address the threats, [Music] which is particularly challenging when you're dealing with industrial control systems.
>> Matt Oldham: So up to this point, we've talked a lot about vulnerabilities, risks of attack on the electric grid, the pipelines, but we haven't yet talked about the part of this equation that is perhaps more unknown, and that is, who are these bad actors? And what type of attacks are we talking about?
>> Kaelin Kuhn: China and Russia actually have the ability to launch cyber attacks that could cause localized temporary disruptive effects on critical infrastructure.
>> Matt Oldham: We'll discuss more after the break.
[Music]
>> Interested in learning more from the US Government Accountability Office? Be our friend and like us on Facebook. Our Facebook page has the latest information on our reports, blog posts, podcasts, videos, photos, interactive graphics and much, much more. That's facebook.com/usgao. That's facebook.com/usgao.
[Music]
>> Bill Russell: The intelligence community in 2019 assessed that nation states, criminal groups, and terrorists pose the most significant cyber threats to critical infrastructure. So, for example, in terms of nation states, they stated that China and Russia actually have the ability to launch cyber attacks that could cause localized temporary disruptive effects on critical infrastructure.
>> Matt Oldham: So then, Kaelin, can you give an example of a cyber attack?
>> Kaelin Kuhn: Criminal organizations, these organizations, especially as of late they're often using ransomware, which is malicious software used to hold systems or data hostage until a ransom has been paid.
And the Department of Homeland Security actually just put out an alert of ransomware being used to target industrial control systems supporting critical infrastructure.
>> Bill Russell: Right. That recent attack that I spoke of earlier, it was a ransomware attack against the pipeline operator.
>> Matt Oldham: And the problem with an attack like this, as you said, is people are left to wonder, was it just a ransomware attack? Was there anything else happening while they're vulnerable?
>> Bill Russell: Just in terms of the threat, so it really is all of the above.
>> Matt Oldham: Right.
>> Bill Russell: And it's just a matter of the scale. Obviously, a nation state can, you know, probably do more sophisticated attacks than a hacker, but you need to worry about all of them.
>> Matt Oldham: So do we know what the ransom was?
>> Bill Russell: Right now we don't know. It's very recent, and so what really is known is that there is an alert that went out from Department of Homeland Security to the other pipeline operators, to let them know this happened so they can start to take precautions. But in terms of the details of what happened and when, I don't think we know yet.
>> Matt Oldham: So while you're working on audits of the electric grid, or the pipeline, or the national framework, what really stood out to you?
>> Kaelin Kuhn: So I think for me the biggest thing that has surprised me is the threat landscape is always changing. So threat actors are always identifying new cyber attack techniques. So obviously, it's very important for utilities and agencies to stay on top of them. I think the other thing that struck me is, you know, you no longer need a great amount of skill to compromise these systems, because the availability of open source attack tools is actually prevalent right now.
>> Matt Oldham: When you say open source attack tools, this is something that I can look up online and find myself?
>> Kaelin Kuhn: Absolutely.
It might take a little bit of digging, but it is available for sure.
>> Neela Lakhmani: I mean, in terms of what I've seen from the report that we did, you know, like I mentioned, you know, you have all of these entities within the federal government. And as well, both federal and non-federal partners out there. Each one have their own role to fill. Beyond some of the ones that have already mentioned, you also have this group called the Information Sharing and Analysis Centers, and what their role is to - their role is to communicate critical information and maintain situational awareness within the sector. So that's what their role is. So you have all of those, all of these entities out there trying to do something, but I think what I've seen is that there just really isn't that coordination and sharing that I mentioned earlier that needs to happen to basically to help the sectors, you know, better respond to a cyber attack.
>> Matt Oldham: So is one of the concerns here that some of these threats can change so rapidly that it would make it difficult to find solutions before it's too late?
>> Kaelin Kuhn: I mean, potentially. So we talked a little bit about the ransomware attack that impacted the pipeline a few moments ago. That's one of the first cases where we've actually seen ransomware attack industrial control systems that are used for critical infrastructure. So that's certainly a case where agencies and industry are going to have to think about what countermeasures are needed to address that threat moving forward, and they're gonna have to do so very quickly.
>> Bill Russell: The NIST framework, the National Institute for Standards Technology, there's a basic level of hygiene that even though you're not, it wouldn't make you immune to any threat, it can at least increase the level of protection that some of these operators have in place to better ward off some attacks.
>> Matt Oldham: What agencies are we talking about when it comes to the pipeline?
>> Bill Russell: Within Department of Homeland Security, the Transportation Security Administration, TSA, has oversight responsibility for pipeline security and cybersecurity. And they do that through voluntary reviews of some of the pipeline operators where they go out and look at their corporate policies, look at some of the facilities, and then make recommendations where those operations could be improved.
>> Neela Lakhmani: I mean, all the agencies that have the lead roles in protecting critical infrastructure and there's nine of them responsible for the 16 sectors. And there's some that are shared, so you have co-- you know, agencies working together.
>> Kaelin Kuhn: And as far as the electric grid is concerned, DOE, the Department of Energy is responsible for providing cyber security services to industry. And then the Federal Energy Regulatory Commission is the federal regulator for much of the electric grid to include cyber security issues.
>> Matt Oldham: And this is something they do by committee, or is this just something they all agree to meet and talk about?
>> Neela Lakhmani: I think this was set up by - it is established in federal policy. So federal policy established the agencies that have the lead roles.
>> Matt Oldham: Is there anything that the agencies involved with electric grid could do, or should do, or are doing that's outside of this framework, or that's in addition to this framework?
>> Kaelin Kuhn: Absolutely. So the Federal Energy Regulatory Commission, or FERC, which is the federal regulator for much of the electric grid, they've approved cyber security standards that are mandatory for much of the utilities responsible for generating electricity, and then transmitting that electricity to more local distribution networks. And they actually require cyber systems with a generation capacity of 1,500 megawatts, or more, to comply with all of these standards.
However, as of December of 2017, only about 20% of the nation's generation capacity came from power plants that met this threshold. And actually in setting that threshold, FERC didn't evaluate the potential risk of a coordinated cyber attack on geographically-distributed targets. So such a cyber attack target, for example, a combination of systems that are below that 1,500 megawatt threshold, that don't have to comply with the cyber security standards, and then as such may not have implemented important security controls. So to help address that weakness in our August 2019 report, we recommended that FERC evaluate the potential risks of such an attack, and make changes to their cybersecurity standards based on the results of that evaluation.
>> Neela Lakhmani: You know, in our report we basically - we made recommendations to some things that I already mentioned. You know, we made a recommendation to the National Institute of Standards and Technology to set timeframes for some of the initiatives that they have that would help agencies in terms of using those tools to measure improvements across their sectors. And then we also made some recommendations to all the sector-specific agencies to coordinate with their sector partners across, as appropriate, so that they can go out there, collect and report on improvements that they are seeing across their sectors.
>> Bill Russell: Right. And then for our work, we've made a number of recommendations to Department of Homeland Security as well as Transportation Security Administration just to better update some of the pipeline security guidelines. Some of the things I mentioned earlier, having a good strategic plan to do workforce planning that would include having staff trained to do cybersecurity assessments, updating risk assessments of the pipeline operators to inform how they do their oversight reviews.
And then finally, a number of recommendations to better monitor how pipeline operators make progress implementing some of the recommendations and action items that come from those oversight reviews.
>> Matt Oldham: Bill, what would you say is the bottom line here?
>> Bill Russell: The bottom line is more needs to be done. I think this is a really important issue as-- from the recent attack. These are real world things happening right now. And the more, both TSA and DHS and other agencies can get ahead and be proactive in helping build up cyber hygiene across the energy grid, the better off we'll be.
>> Neela Lakhmani: And I would echo what Bill said. I think, you know, definitely more needs to be done. We have a lot of good work that's out there right now. And I just think that they need to see that further out.
>> Kaelin Kuhn: In terms of the electric grid I think the threat landscape is only getting worse. I think we're becoming a little bit more vulnerable as well. So it's just very important that agencies and utilities [Music] take this very seriously and do everything that they can to address these threats.
>> Matt Oldham: If the landscape is getting worse, I think it's safe to say the threat is not going away. And the work GAO has done, and will continue to do, helping federal agencies curtail this threat, is a vital element in protecting infrastructure. A huge thank you to Kaelin Kuhn, Neela Lakhmani, and Bill Russell for taking the time to talk about their work in this area. You can find GAO reports on cybersecurity, critical infrastructure, or just about anything else at gao.gov. And thank you for listening to this Watchdog Report: Deep Dig edition. To hear more podcasts, subscribe to us on Apple Podcasts. Make sure you leave a rating and review to let others know about the work we're doing. And for all things GAO, visit us at gao.gov.
[Music]