The Senate Select Committee on Cybersecurity met on March 21 to hear invited and public testimony regarding the state of cybersecurity in Texas.
Opening Remarks
- Discussed news headlines regarding attempted cyber-attacks on infrastructure
Invited Testimony
Brandy Marquez, Public Utility Commission
- Most important thing is securing the grid
- Attacks on public utilities can affect the community differently than an attack on an individual
- An attack on the grid could be a potential act of war
- Cybersecurity issues are different from other issues that the PUC oversees
- North American Electric Reliability Corporation (NERC)
- All states are regulated by this federal entity
- Texas Reliability Entity conducts annual audits to ensure quality and compliance with regulations
- Penalties could be as high as $1 million per day
- Overregulating could be a challenge because the threat changes daily
- Working with ERCOT to help develop working groups for best practices and available resources for individual operators
- Campbell- do we depend on NERC protocols or does Texas have its own?
- Texas has the expectation that providers provide reliable service
- NERC provides protocols
- Campbell- best practices are based on the NERC Protocols?
- Those are determined through monthly discussions with ERCOT
- Burton- what challenges do you have with co-ops?
- Typically, because they are a smaller utility without a substation, they do not fall under NERC standards
- ERCOT reaches out to these providers
- SB 735 (85th) will bring smaller utilities under additional oversight/transparency
- Nelson- Texas can implement a higher standard than NERC, correct?
- The issue is that the time it takes to implement rules will allow for the threat to grow past those standards
- The NERC standards are simply a floor or baseline standard
- Want companies to build to the threat instead of a state standard
- Nelson- have any facilities in Texas been breached?
- There have been administrative breaches but no operational breaches
- Nelson- How are you alerted to that?
- We have an emergency response division
- Alerted within minutes
- Nelson- how do we know the electric industry is making appropriate investments in cybersecurity?
- Recommendation to include a line item for physical and cybersecurity on expenditures without making the plan public
- Nelson- what percentage do electric companies spend on cybersecurity?
- Comparable to financial institutions (roughly 10%)
- Nelson- what can the legislature do to PUC or ERCOT to assist in efforts to protect systems?
- The expectation is not dependent on additional resources
- Additional funds will help, could employ more people
- There are questions about what can be talked about and when, language in statute would be very helpful for clarification
- Nelson- there are some specifics which should be stated publicly, and we need to make sure that protections are being put in place
- Nelson- how is information regarding an attack shared with other providers?
- The information is immediately provided to NERC
- As quickly as possible
- Nelson- if there is a breach into one infrastructure, is that information shared with others?
- ERCOT is a member of a broader information sharing system, and information is transmitted as quickly as possible
- Nelson- some hackers work through third parties, what protections are there for those?
- Anybody involved has to follow the same protocols
- Nelson- what protections are there regarding personal data held or transmitted by providers?
- The PUC has set a list of rules to protect that information
- Nelson- have you seen breaches of those rules?
- No, but will provide additional information
- In that event would provide that information to law enforcement
- Campbell- NERC is the floor of expectation, why wouldn’t we want a better floor than what the federal government requires?
- That is intentional on the part of the federal government
- Do not want to encourage companies to build to the rules instead of the threat
- Campbell- then who is watching over the small co-ops, which are a huge vulnerability? And what regulations are provided for them?
- They are members of ERCOT
- Do not have regulations for them because they are not connected to the larger grid
- There are statewide regulations that they would be under
- The PUC does not have the legal authority to add additional regulations
- Nelson- could the legislature give the PUC the legal authority to create regulations?
- Yes
- Campbell- need a plan going forward to shore up cybersecurity
- Campbell- need to be sure that the PUC is managing or plan for smaller vulnerabilities
Dr. Gregory White, University of Texas at San Antonio
- Presented written testimony
- Computer networks which are involved in critical infrastructure are vulnerable and will need to be protected from continually changing threats
- Have been involved in conducting cybersecurity training and modeling across the state and nation
- Recommendation for adopting specific model has not been acted on
- Sharing cybersecurity information within and between sectors is extremely important to adapting
- HB 8 (85th) creates Information Sharing and Analysis Center (ISAC) but it has not been established yet
- Issue is that majority of systems are not owned by the state, requiring productive private/public partnerships
- Nelson- regarding the critical infrastructure sectors listed by DHS, how many are there, and what kinds of partnerships are there?
- 16 sectors listed by DHS
- ISACs do not like regulation because it limits growth and slows progress of security
- The partnerships help address current and changing needs
- Nelson- there are minimum standards that everybody agrees on; are there higher minimum standards that should be in place?
- Would prefer to create best practices by sector because they can be changed much faster
- Need for many more cybersecurity professionals in the workforce
- It is everybody’s responsibility to help prevent these threats, and a culture of cybersecurity needs to be established
- The state could take a leadership role
- Nelson- how are best practices enforced?
- Ultimately you cannot enforce best practices
- Nelson- what is the difference between an ISAC and an Information Sharing and Analysis Organization (ISAO)?
- There is no difference, and can call themselves either
- Hughes- can you explain why an attack on single sectors is difficult to identify?
- They are just very easy to overlook without putting them into context
Richard Corbell, Legislative Budget Board
- Gave presentation
- Texas Department of Information Resources (DIR) provides statewide leadership and oversight for management of government information and communications technology as well as cybersecurity controls
- Texas Cybersecurity Strategic Plan created by DIR
- Appropriated $21.5 million
- Provides a monthly online Cybersecurity Newsletter
- Hosts the Information Security Forum
- Established governance security standards for agencies
- Discussed cybersecurity costs embedded in various components of the budget: State agency staff (FTEs), Data Center Services (DCS), Centralized Accounting and Payroll/Personnel System (CAPPS), etc.
- $8 million is expended on agency employees whose responsibilities are primarily related to cybersecurity
- In FY 2016-17, $17.7 million was appropriated to agencies for new cybersecurity projects
- In addition to the $21.5 million appropriation to DIR for on-going cybersecurity services, in FY 2018-19 other agencies received $24.0 million for new cybersecurity projects and initiatives
- Discussed annual cybersecurity costs
- Quality Assurance Team (QAT) is overseeing 79 major information resources projects with current estimated costs of $1.5 billion over the life of the projects
- All projects have a cybersecurity component
- May not be a dedicated cybersecurity project
- SB 533 (85th) requires a state agency assessment of the proposed technical architecture for a project to ensure the agency is using industry-accepted architecture standards in planning for implementation
- In FY 2013, the Health & Human Services Commission reported $2.3 million of staffing costs to respond to and recover from 1,948 security incidents
- Nelson- is that the latest information we have?
- At this time yes
- In FY 2016, the Department of State Health Services reported security incident costs of approximately $1.9 million.
- Discussed other potential impacts (Slide 11)
- Nelson- referencing annual agency expenditures on cybersecurity, how can we get more precise numbers?
- Recommend having identifiable line items that would be reportable
- Hughes- do we have a sense of what other states are spending on cybersecurity?
- DIR will provide that information
- Nelson- how were projects prioritized for funding?
- There were identifying factors that created a need, can provide more information in private
- Nelson- what are agencies spending their money on?
- The majority is hardware and software
Ryan Harkins, Microsoft
- The state needs to ask itself:
- Do you have a comprehensive policy based on a framework that covers all state assets?
- Have technologies kept pace with threats?
- Do you have a comprehensive view of all of the threats facing agencies?
- What are the procurement policies? Will they meet regulatory obligations?
- Technology needs to be designed and built for expected threats
- Microsoft spends over $1 billion on cybersecurity each year
- Every state employee should have to go through mandatory training
- Workforce development: facing a huge computer skills gap
- Should be creating K-12 computer science standards
- Fund teacher training programs for computer science
- Campbell- requested testimony be provided to the committee for reference
- Will provide a one-pager
Will Payne, VMware
- Every breach would have been reduced if fundamental cyber-hygiene principles had been used
- Upgrading security postures within the system to each device and the cloud will dramatically increase effectiveness
- Principles
- Least privilege: Users should be allowed only the minimum necessary access needed to perform their job and nothing more
- Micro-segmentation: The whole IT environment should be divided into small parts to make it more manageable to protect
- Encryption
- Multi-factor authentication
- Patching: Any critical system that is out of date is a meaningful security risk
- Nelson- cyber-hygiene critical controls used by agencies, how do your principles fit into that?
- The idea is that attackers are going to get in, so limit their access to sensitive or critical information
- Nelson- how much more expensive is it to control access to each application compared to the system as a whole?
- Usually spending the same money differently or more efficiently
- Promoting good practices as opposed to chasing bad actors
- Campbell- your software is on 80% of the state’s devices?
- 80% of systems
- Campbell- do you monitor that?
- Will speak to it offline
- Hughes- does the state have arrangements for industry partners to bear some liability for threats or attacks?
- Mark Ryland- cyber insurance is a common way of solving this problem. Big concern is that people do not use the product correctly.
Peter Romness, Cisco Systems
- Works with state, local, and education agencies
- Public-private sharing can be a very effective tool
- Easier to envision than execute
- Effective sharing can be difficult because of the amount of information
- Consider automation of cybersecurity
- Threat intelligence is difficult to develop, automating would limit the amount of development needed
- Need to share through trusted mechanism
- All organizations should work with sharing organizations
- Nelson- highlighted challenge of finding workforce, what recommendations for increasing the pipeline?
- Need to start early with students and get them into the STEM programs
- Nelson- what can the legislature do to promote information sharing?
- ISACs are one example
- Need to highlight automation of threat intelligence
- Harkins- participating in the day of code and help spreading the word
- Hughes- mentioned the CyberPatriot program, what is that?
- It is a school program comprised of teams competing on Cybersecurity
- Campbell- requested list of recommendations
- Will provide that information
Mark Ryland, Amazon
- Presented written testimony
- In the middle of a paradigm shift with less cost for more security
- Commercial cloud security is very different from personal
- Improves security by decreasing number of things to be concerned about
- Focused on application level security
- Inventory is built into platform
- Segmented security provides additional levels of security
- Basic hygiene is very often overlooked and the cause of breaches
- Modernizing systems will be cheaper and more efficient in the long run with an easier ability to update
- Nelson- you have used “agile cloud services”, what is that?
- Keeps up with changing requirements
- Dynamic creation with developers
- Hughes- what are the pros and cons of multi-vendor versus single-vendor cloud-based approaches?
- Many different ways of creating a plan
- Single vendor simplifies the plan and maintenance
- Campbell- considered a bill requiring all agencies to have a cloud-first policy; how about the federal level?
- Many agencies at the federal level have a cloud-first policy, but there are many areas that should not be considered, and many others with cyclical peak loads (like voting) where there is a huge cost involved that would benefit from dynamic cloud storage
- Harkins- risk based strategies allow for moving some agencies/items that should be moved without moving everything to the cloud
- Nelson- are there other states that have done this?
- Harkins- Ohio has done this but will provide the information to the committee
Steve Gottwals, Adobe
- Principle of “assume the breach” allows for better security
- Trend of migration from network-based security to the individual data leads to an “assume the leak” protection idea of data
- Discussed enterprise Digital Resource Management (DRM) in terms of encryption and authority over the data
- Should add data level protections to the Texas Strategic Cybersecurity Plan