Department of War (DoW) installations in the United States are heavily dependent for electricity, natural gas, drinking water and wastewater treatment, telecommunications, and rail transportation on critical infrastructure owned and operated by contractors, whether inside or outside the fence. The availability of these services is controlled by operational technology (OT) that is uniquely vulnerable to cyberattack. The regulatory structure for U.S. critical infrastructure cybersecurity is spotty, with jurisdiction divided among federal, state, and local governments. Assets inside-the-fence fall outside the utility regulatory structure entirely. DoW can use its procurement power, through contract clauses or requirements, to improve the cybersecurity of the OT in the critical infrastructures it depends on. However, there is no contract clause for the OT of utilities outside the fence, and the standard that DoW currently relies on for utilities inside the fence was not designed for OT. Key questions need to be addressed by senior leadership, beginning with a survey of the OT of utilities to identify internet-capable products or configurations, the presence of China-made equipment, and the use of OT devices with known security vulnerabilities. The DoW needs to accelerate the development of contract clauses or requirements that specify a set of prioritized controls for OT.
READ THE FULL ARTICLE HERE