The Senate Select Committee on Cybersecurity met on March 21 to hear invited and public testimony regarding the state of cybersecurity in Texas.


Opening Remarks

  • Discussed news headlines regarding attempted cyber-attacks on infrastructure


Invited Testimony

Brandy Marquez, Public Utility Commission

  • Most important thing is securing the grid
  • Attacks on public utilities can affect a community differently than an attack on an individual
  • An attack on the grid could be a potential act of war
  • Cybersecurity issues are different than other issues that the PUC oversees
  • North American Electric Reliability Corporation (NERC)
    • All states are regulated by this federal entity
    • The Texas Reliability Entity conducts annual audits to ensure quality and compliance with regulations
    • Penalties could be as high as $1 million per day
  • Overregulating could be a challenge because the threat changes daily
  • Working with ERCOT to help develop working groups for best practices and available resources for individual operators
  • Campbell- do we depend on NERC protocols or does Texas have its own?
    • Texas has the expectation that providers provide reliable service
    • NERC provides protocols
  • Campbell- best practices are based on the NERC Protocols?
    • Those are determined through monthly discussions with ERCOT
  • Burton- what challenges do you have with co-ops?
    • Typically, because they are smaller utilities without a substation, they do not fall under NERC standards
    • ERCOT reaches out to these providers
    • SB 735 (85th) will include smaller utilities into additional oversight/transparency
  • Nelson- Texas can implement a higher standard than NERC, correct?
    • The issue is that the time it takes to implement rules will allow for the threat to grow past those standards
    • The NERC standards are simply a floor or baseline standard
    • Want companies to build to the threat instead of a state standard
  • Nelson- have any facilities in Texas been breached?
    • There have been administrative breaches but no operational breaches
  • Nelson- How are you alerted to that?
    • We have an emergency response division
    • Alerted within minutes
  • Nelson- how do we know the electric industry is making appropriate investments in cybersecurity?
    • Recommendation to include a line item for physical and cybersecurity on expenditures without making the plan public
  • Nelson- what percentage do electric companies spend on cybersecurity?
    • Comparable to financial institutions (roughly 10%)
  • Nelson- what can the legislature do to PUC or ERCOT to assist in efforts to protect systems?
    • The expectation is not dependent on additional resources
    • Additional funds will help, could employ more people
    • There are questions about what can be talked about and when, language in statute would be very helpful for clarification
  • Nelson- there are some specifics which should be stated publicly, and we need to make sure that protections are being put in place
  • Nelson- how is information regarding an attack shared with other providers?
    • The information is immediately provided to NERC
    • As quickly as possible
  • Nelson- if there is a breach into one infrastructure, is that information shared with others?
    • ERCOT is a member of a broader information sharing system, and is transmitted as quickly as possible
  • Nelson- some hackers work through third parties, what protections are there for those?
    • Anybody involved has to follow the same protocols
  • Nelson- what protections are there regarding personal data held or transmitted by providers?
    • The PUC has set a list of rules to protect that information
  • Nelson- have you seen breaches of those rules?
    • No, but will provide additional information
    • In that event would provide that information to law enforcement
  • Campbell- NERC is the floor of expectation, why wouldn’t we want a better floor than what the federal government requires?
    • That is intentionally left to the federal government
    • Do not want to encourage companies to build to the rules instead of the threat
  • Campbell- then who is watching over the small coops as a huge vulnerability? And what regulations are provided for them?
    • They are members of ERCOT
    • Do not have regulations for them because they are not connected to the larger grid
    • There are statewide regulations that they would be under
    • The PUC does not have the legal authority to add additional regulations
  • Nelson- could the legislature give the PUC the legal authority to create regulations?
    • Yes
  • Campbell- need a plan going forward to shore up cybersecurity
  • Campbell- need to be sure that the PUC is managing or plan for smaller vulnerabilities


Dr. Gregory White, University of Texas San Antonio

  • Presented written testimony
  • Computer networks which are involved in critical infrastructure are vulnerable and will need to be protected from continually changing threats
  • Have been involved in conducting cybersecurity training and modeling across the state and nation
  • Recommendation for adopting specific model has not been acted on
  • Sharing cybersecurity information within and between sectors is extremely important to adapting
  • HB 8 (85th) creates Information Sharing and Analysis Center (ISAC) but it has not been established yet
  • Issue is that majority of systems are not owned by the state, requiring productive private/public partnerships
  • Nelson- regarding the critical infrastructure sectors listed by DHS, how many are there, and what kinds of partnerships are there?
    • 16 areas listed by DHS
    • ISACs do not like regulation because it limits growth and slows progress of security
    • The partnerships help address current and changing needs
  • Nelson- there are minimum standards that everybody agrees on; are there higher minimum standards that should be in place?
    • Would prefer to create best practices by sector because they can be changed much faster
  • Need for many more cybersecurity professionals in the workforce
  • It is everybody’s responsibility to help prevent these threats, and a culture of cybersecurity needs to be established
    • The state could take a leadership role
  • Nelson- how are best practices enforced?
    • Ultimately you cannot enforce best practices
  • Nelson- what is the difference between an ISAC and an Information Sharing and Analysis Organization (ISAO)?
    • There is no difference, and can call themselves either
  • Hughes- can you explain why an attack on single sectors is difficult to identify?
    • They are just very easy to overlook without putting them into context


Richard Corbell, Legislative Budget Board

  • Gave presentation
  • Texas Department of Information Resources (DIR) provides statewide leadership and oversight for management of government information and communications technology as well as cybersecurity controls
  • Texas Cybersecurity Strategic Plan created by DIR
    • appropriated $21.5 million
    • Provides a monthly online Cybersecurity Newsletter
    • Hosts the Information Security Forum
    • Established governance security standards for agencies
  • Discussed cybersecurity costs embedded in various components of the budget: State agency staff (FTEs), Data Center Services (DCS), Centralized Accounting and Payroll/Personnel System (CAPPS), etc.
  • $8 million is expended on agency employees whose responsibilities are primarily related to cybersecurity
  • FY 2016-17: $17.7 million appropriated to agencies for new cybersecurity projects
  • In addition to the $21.5 million appropriation to DIR for on-going cybersecurity services, in FY 2018-19 other agencies received $24.0 million for new cybersecurity projects and initiatives
  • Discussed annual cybersecurity costs
  • Quality Assurance Team (QAT) is overseeing 79 major information resources projects with current estimated costs of $1.5 billion over the life of the projects
    • All projects have a cybersecurity component
    • May not be a dedicated cybersecurity project
  • SB 533 (85th) requires a state agency assessment of proposed technical architecture for project to ensure agency is using industry accepted architecture standards in planning for implementation
  • In FY 2013, the Health & Human Services Commission reported $2.3 million of staffing costs to respond to and recover from 1,948 security incidents
  • Nelson- is that the latest information we have?
    • At this time yes
  • In FY 2016, the Department of State Health Services reported security incident costs of approximately $1.9 million.
  • Discussed other potential impacts (Slide 11)
  • Nelson- referencing annual agency expenditures on cybersecurity, how can we get more precise numbers?
    • Recommend having identifiable line items that would be reportable
  • Hughes- do we have a sense of what other states are spending on cybersecurity?
    • DIR will provide that information
  • Nelson- how were projects prioritized for funding?
    • There were identifying factors that created a need, can provide more information in private
  • Nelson- what are agencies spending their money on?
    • The majority is hardware and software


Ryan Harkins, Microsoft

  • The state needs to ask itself:
    • Do you have a comprehensive policy, based on a framework, that covers all state assets?
    • Have technologies kept pace with threats?
    • Do you have a comprehensive view of all of the threats facing agencies?
    • What are the procurement policies? Will they meet regulatory obligations?
  • Technology needs to be designed and built for expected threats
  • Microsoft spends over $1 billion on cybersecurity each year
  • Every state employee should have to go through mandatory training
  • Workforce development: facing a huge computer skills gap
    • Should be creating K-12 computer science standards
    • Fund teacher training programs for computer science
  • Campbell- requested testimony be provided to the committee for reference
    • Will provide a one-pager


Will Payne, VMware

  • Every breach would have been reduced if fundamental cyber-hygiene principles had been used
  • Upgrading security postures within the system to each device and the cloud will dramatically increase effectiveness
  • Principles
    • Least privilege: Users should be allowed only the minimum necessary access needed to perform their job and nothing more
    • Micro-segmentation: The whole IT environment should be divided into small parts to make it more manageable to protect
    • Encryption
    • Multi-factor authentication
    • Patching: Any critical system that is out of date is a meaningful security risk
  • Nelson- cyber-hygiene critical controls used by agencies, how do your principles fit into that?
    • The idea is that attackers are going to get in but limiting access to sensitive or critical information
  • Nelson- how much more expensive is it to control access to each application compared to the system as a whole?
    • Usually spending the same money differently or more efficiently
    • Promoting good practices as opposed to chasing bad actors
  • Campbell- your software is on 80% of the state’s devices?
    • 80% of systems
  • Campbell- do you monitor that?
    • Will speak to it offline
  • Hughes- does the state have arrangements for industry partners to have some liability for threats or attacks?
    • Mark Ryland- cyber insurance is a common way of solving this problem. Big concern is that people do not use the product correctly.
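The micro-segmentation and least-privilege principles above are easiest to see as a default-deny policy: an explicit allow-list of segment-to-segment flows, everything else blocked, and any allow rule that traffic never actually needs pruned away. The block below is an added illustration written for this page; it is not VMware's code or anything presented at the hearing. The zone names, rules and flow records are constructed for the example.

```python
"""Default-deny micro-segmentation check with least-privilege rule pruning.

Added example; not from the hearing or from VMware. Zones, rules and the
sample flows are hypothetical.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One explicit allow entry: traffic from src_zone to dst_zone on port/proto."""
    src_zone: str
    dst_zone: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Flow:
    """A single observed connection attempt between two segments."""
    src_zone: str
    dst_zone: str
    port: int
    proto: str = "tcp"


# Hypothetical three-tier policy (web -> app -> db) plus SSH from a management
# segment. Anything not listed here is denied: default deny, not default allow.
ALLOW_RULES: List[Rule] = [
    Rule("web", "app", 8443),
    Rule("app", "db", 5432),
    Rule("mgmt", "web", 22),
    Rule("mgmt", "app", 22),
    Rule("mgmt", "db", 22),
]


def matching_rule(flow: Flow, rules: Iterable[Rule] = ALLOW_RULES) -> Optional[Rule]:
    """Return the allow rule that permits this flow, or None (denied by default)."""
    for rule in rules:
        if (rule.src_zone, rule.dst_zone, rule.port, rule.proto) == (
            flow.src_zone, flow.dst_zone, flow.port, flow.proto
        ):
            return rule
    return None


def evaluate(flows: Iterable[Flow], rules: Iterable[Rule] = ALLOW_RULES) -> Tuple[List[Flow], List[Flow]]:
    """Split flows into (allowed, denied). Denied flows between segments are the
    lateral-movement attempts segmentation exists to stop."""
    rules = list(rules)
    allowed: List[Flow] = []
    denied: List[Flow] = []
    for flow in flows:
        (allowed if matching_rule(flow, rules) else denied).append(flow)
    return allowed, denied


def unused_rules(flows: Iterable[Flow], rules: Iterable[Rule] = ALLOW_RULES) -> List[Rule]:
    """Allow rules that no observed flow needed: candidates to remove so the
    policy grants only the access the workload actually uses (least privilege)."""
    rules = list(rules)
    used = {matching_rule(f, rules) for f in flows}
    return [r for r in rules if r not in used]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS: List[Flow] = [
    Flow("web", "app", 8443),   # normal tier-to-tier traffic
    Flow("app", "db", 5432),    # normal tier-to-tier traffic
    Flow("mgmt", "db", 22),     # admin SSH from the management segment
    Flow("web", "db", 5432),    # web tier reaching the database directly: lateral movement
    Flow("web", "app", 22),     # SSH attempt from a compromised web host
    Flow("app", "web", 8443),   # reverse direction, never permitted
]

if __name__ == "__main__":
    ok, blocked = evaluate(SAMPLE_FLOWS)
    for f in blocked:
        print(f"DENY  {f.src_zone}->{f.dst_zone}:{f.port}/{f.proto}")
    for r in unused_rules(SAMPLE_FLOWS):
        print(f"PRUNE {r.src_zone}->{r.dst_zone}:{r.port}/{r.proto} (never used)")
```

Run stand-alone it reports three denied flows (the web-to-db, web-to-app SSH, and app-to-web attempts) and flags the two management SSH rules that no flow used. Real enforcement lives in the hypervisor or host firewall, but the same two questions apply there: is every permitted flow on an explicit list, and does anything on that list go unused.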


Peter Romness, Cisco Systems

  • Works with state, local, and education agencies
  • Public-private sharing can be a very effective tool
    • Easier to envision than execute
  • Effective sharing can be difficult because of the amount of information
  • Consider automation of cybersecurity
    • Threat intelligence is difficult to develop, automating would limit the amount of development needed
  • Need to share through trusted mechanism
  • All organizations should work with sharing organizations
  • Nelson- highlighted challenge of finding workforce, what recommendations for increasing the pipeline?
    • Need to start early with students and get them into the STEM programs
  • Nelson- what can the legislature do to promote information sharing?
    • ISACs are one example
    • Need to highlight automation of threat intelligence
    • Harkins- participating in the day of code and helping spread the word
  • Hughes- mentioned the CyberPatriot program, what is that?
    • It is a school program comprised of teams competing on cybersecurity
  • Campbell- requested list of recommendations
    • Will provide that information


Mark Ryland, Amazon

  • Presented written testimony
  • In the middle of a paradigm shift with less cost for more security
  • Commercial cloud security is very different from personal
    • Improves security by decreasing number of things to be concerned about
    • Focused on application level security
    • Inventory is built into platform
    • Segmented security provides additional levels of security
  • Basic hygiene is very often overlooked and the cause of breaches
  • Modernizing systems will be cheaper and more efficient in the long run with an easier ability to update
  • Nelson- you have used “agile cloud services”, what is that?
    • Keeps up with changing requirements
    • Dynamic creation with developers
  • Hughes- pros and cons between multivendor or single vendor cloud based?
    • Many different ways of creating a plan
    • Single vendor simplifies the plan and maintenance
  • Campbell- considered a bill requiring all agencies to have a cloud-first policy; how about the federal level?
    • Many agencies at the federal level have a cloud-first policy, but there are many areas that should not be considered, and many others with peak loads on a cyclical system (like voting) that carry a huge cost and would benefit from dynamic cloud storage
    • Harkins- risk based strategies allow for moving some agencies/items that should be moved without moving everything to the cloud
  • Nelson- are there other states that have done this?
    • Harkins- Ohio has done this but will provide the information to the committee


Steve Gottwals, Adobe

  • Principle of “assume the breach” allows for better security
  • Trend of migration from network-based security to the individual data leads to an “assume the leak” protection idea of data
  • Discussed enterprise Digital Rights Management (DRM) in terms of encryption and authority over the data
  • Should add data level protections to the Texas Strategic Cybersecurity Plan