Threat actors have become craftier as they increasingly target critical infrastructure, including operational technology (OT) environments such as electric grids, Nate Gleason, program leader at Lawrence Livermore National Laboratory (LLNL), told regulators during a federal hearing Tuesday.

“Our adversaries see our critical infrastructure as an attractive target,” he told the US Homeland Security subcommittee on Cybersecurity and Infrastructure Protection. “These adversaries are highly capable and invest significant resources in developing capabilities to hold our infrastructure systems, and the functions that depend on them, at risk.”

Fighting back with the CyberSentry program

The security subcommittee held the hearing to discuss the evolution of attacks on critical infrastructure and OT environments in the 15 years since Stuxnet, a digital weapon designed to sabotage Iran’s nuclear program, emerged in 2010.

For example, Gleason said during his testimony, in 2022, as part of a US federal program, researchers from LLNL in California detected internet-connected surveillance cameras stealthily built into critical infrastructure systems. They were sending information back to overseas servers operated by suspected hostile actors. LLNL quickly built a detection tool and produced playbooks to address the issue, and the Cybersecurity and Infrastructure Security Agency (CISA) issued widespread alerts to mitigate the problem.

One of the ways the US is fighting back is with the CyberSentry program, which partners CISA with private sector companies that volunteer to have their systems monitored for malicious activity. Participants are from sectors including energy, transportation, critical manufacturing, the nuclear industry, and others.

It was through this program that LLNL developed the capability to detect what it called “subtle malicious beaconing behavior” that available tools were unable to pick up on. In its Skyfall lab, Gleason’s team set up an OT environment and deployed various samples of beaconing malware to test commercial and open-source tools. They then built an advanced analytic, increasing its sensitivity to detect more subtle threats and improving selectivity to reduce false positives.
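To make the sensitivity/selectivity trade-off concrete, here is a small periodicity analytic for beacon detection over flow records. This is an added illustration, not LLNL's or CyberSentry's analytic; the flow tuples, IP addresses and thresholds are constructed for the example.

```python
"""Toy beacon detector: flags (src, dst) pairs whose connection inter-arrival
times are unusually regular. Added example, not the analytic described in the
article. Assumed input: (timestamp_seconds, src_ip, dst_ip, bytes) tuples."""
from collections import defaultdict
from statistics import mean, pstdev


def make_flows():
    """Constructed sample: a camera calling out every ~60 s with small jitter,
    and a workstation with irregular, human-driven traffic."""
    flows = []
    jitter = [0.0, 1.2, -0.8, 0.5, -1.4, 0.9, 1.5, -0.3, 0.2, -1.1, 0.7, -0.6]
    t = 0.0
    for j in jitter:                      # the beaconing device
        t += 60 + j
        flows.append((t, "10.20.0.15", "203.0.113.77", 512))
    t = 0.0
    for g in [3, 47, 2, 130, 15, 8, 320, 1, 66, 210, 5, 90]:  # irregular host
        t += g
        flows.append((t, "10.20.0.40", "198.51.100.9", 4096 + g))
    return sorted(flows)


def beacon_scores(flows, min_conns=8):
    """Return {(src, dst): (mean_gap, cv)} for pairs with enough connections.
    cv is the coefficient of variation of inter-arrival gaps: low cv means a
    steady cadence, which is what a timer-driven beacon looks like."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:        # too few samples to judge cadence
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        scores[pair] = (mu, pstdev(gaps) / mu if mu > 0 else float("inf"))
    return scores


def flag_beacons(flows, max_cv=0.1, min_conns=8):
    """max_cv sets sensitivity (raise it to catch more jittered beacons);
    min_conns sets selectivity (raise it to cut false positives)."""
    return sorted(pair for pair, (_, cv) in beacon_scores(flows, min_conns).items()
                  if cv <= max_cv)
```

Real deployments would also whitelist known periodic services (NTP, monitoring agents) before alerting, since cadence alone does not prove hostile intent.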

The analytic was then deployed in the CyberSentry environment — and “almost immediately” threat analysts detected anomalous beacons on a participating company’s OT network that were emanating from cameras built by Chinese manufacturer Dahua and other manufacturers, both foreign and domestic, Gleason explained. Dahua, in particular, has been identified by the Federal Communications Commission (FCC) as posing an unacceptable risk to national security.

LLNL discovered that the majority of CyberSentry participants had these cameras on their networks, in some cases in the hundreds. In addition to communications with suspected hostile servers overseas, reverse engineers were able to identify functionality that could enable back-door access to any network the devices were connected to.

“Many of these cameras were sitting on OT networks, potentially granting access to control the physical processes in our infrastructure,” said Gleason.

His team built a machine learning (ML) model to automate detection of the cameras and deployed it across participating CyberSentry partners. Federal agencies also communicated the findings widely, and the lab developed a set of playbooks published by CISA.

“The security gains derived from this partnership between a few dozen critical infrastructure asset owners and CISA reverberated widely across US critical infrastructure,” said Gleason.

IT and OT are fundamentally different

Robert M. Lee, CEO and co-founder of cybersecurity company Dragos, Inc., also spoke at the hearing, pointing out that enterprises and regulators must “recognize and account for” the differences between information technology (IT) and OT systems.

“IT and OT systems differ fundamentally in both purpose and operation,” he said. “While some traditional IT controls have been adapted for OT, the security mindset must differ.”

While IT supports how a business is managed, OT enables physical functions at an organization’s core, such as controlling pumps or chemical levels at a water facility. These two different missions should shape how risks are assessed and managed, said Lee.

“While an adversary might exploit similar vulnerabilities in IT and OT systems, the consequences and adversary behavior differ,” he said. Whereas a breach in an IT system may result in data theft, in OT it could lead to “physical disruption, equipment damage, or even loss of life.”

Despite this, infrastructure operators have been underinvesting in OT security. Based on Lee’s anecdotal experience, about 95% of cyber spend is focused on IT, and just 5% on OT. The latter also have distinct operational demands: Systems often must run continuously for years, require redundancy, and depend on precise, millisecond-level responsiveness.

Cybersecurity mindsets must account for OT’s unique physical environments, long hardware lifecycles, and evolving threats, said Lee. These dictate different practices, technologies, and policy responses. “Regulators and policymakers must recognize these critical distinctions when setting policy,” he said.

He warned: “Let’s be clear: The timeline to take action against this growing threat is short, and the consequences of failure could, and likely would, be people dying.”

The importance of CISA 2015

Ten years ago, US lawmakers passed the Cybersecurity Information Sharing Act of 2015, which encouraged the sharing of cyber threat intelligence between the government and the private sector as a means to improve cybersecurity throughout the country. However, its lifetime was finite; the Act is set to expire on September 30, 2025.

Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition, along with many other experts, is calling for the reauthorization of the act.

“This legislation is crucial to information sharing and strengthening US collective defense,” she said at today’s hearing.

Private sector cybersecurity teams, particularly those protecting critical infrastructure, rely on information-sharing to strengthen their defenses, Bolton said, calling these communication channels “crucial” for supporting national threat awareness and allowing for rapid responses to cyber incidents.

“If the legal protections established by the Act were to lapse, this flow of information would be disrupted,” she warned.
