The U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection convened a hearing to examine the vulnerabilities of the U.S. critical infrastructure. The hearing also focused on the role of cyber insurance in planning, response, and recovery efforts to ensure critical infrastructure resilience.
The witnesses of the hearing included Frank Cilluffo, director at McCrary Institute for Cyber and Critical Infrastructure Security, University of Auburn; Matthew McCabe, managing director of cyber broking at Guy Carpenter & Company; Kimberly Denbow, vice president for security and operations at the American Gas Association; and Jack Kudale, chief executive officer at Cowbell.
“The daily lives of Americans depend on stable and resilient critical infrastructure, from oil and gas pipelines to the electric grid,” Andrew Garbarino, a Republican from New York and chairman of the Subcommittee on Cybersecurity and Infrastructure Protection, said in an advisory announcing the hearing. “Given threats from the PRC-affiliated actor Volt Typhoon and opportunistic cybercriminals exploiting Americans with ransomware attacks, it’s crucial for federal civilian and private networks to be properly equipped to mitigate the cascading impacts of cyber intrusions––especially since a vast majority of our critical infrastructure is operated by the private sector.”
Garbarino added “If expectations for coverage are set, cyber insurance has the potential to be a promising aid for organizational recovery. I look forward to hearing from our witnesses on how we can help owners and operators protect the infrastructure underpinning our national security and economy, ensuring critical infrastructure entities have as much help as possible at their most vulnerable moments.”
In his opening statement on Thursday, Garbarino identified that recognizing the widespread damage that these events would cause, “our public and private sectors must be prepared to respond quickly, effectively, and collaboratively. To do this, entities must know who to go to, how much of the damage they will be responsible for covering, and what assistance will be available to them. This will help them develop a proactive recovery plan before a major attack occurs, rather than scrambling when they are at their most vulnerable point.”
He added that given the nature of threats is changing and impacts vary, “the cyber insurance industry is critical to determining how nimble we can respond. This is a challenge today because absent a major attack, our standards for coverage are still being defined.
Garbarino noted the potential benefits of clearer cyber insurance coverage expectations in mitigating risks to both individual companies and broader society. For instance, cyber insurance can offset the financial burdens of a cyberattack, similar to other insurance types. Many firms already contribute by offering cyber analytics to help covered companies identify potential vulnerabilities before an attack occurs. Additionally, some provide legal defense for compromised data, while others supply clients with best practices and recommendations for enhancing resilience.
“We are here today to dig into these issues by exploring a range of scenarios to think through the development of standards,” Garbarino outlined. “We must start with the basics by understanding what cyber insurance is and what is currently covered under a range of circumstances. This will inform our discussion about what should be covered.”
The U.S. government also plays a pivotal role in responding to major cyberattacks on our critical infrastructure. Private sector companies cannot be expected to handle the impact of nation-state attacks alone.
At the hearing, Garbarino aimed to have a robust discussion about existing federal mechanisms for incident response in a major attack. “This will help us understand where our private sector partners might need more help, and where we can strengthen and clarify our lines of communication within public-private partnerships. We have a unique opportunity to revisit incident response for critical infrastructure, given federal action that has unfolded in recent months. For example, as this subcommittee examined last month, CISA will begin to work on the final CIRCIA rule soon, which aims to create a proactive, federal standard for incident reporting,” he added.
Additionally, the recent release of National Security Memorandum-22 (NSM-22) reaffirmed the 16 critical infrastructure sectors and has now kickstarted the rewrite of Sector-Specific Plans for Sector Risk Management Agencies (SRMAs). These have not been updated in almost 10 years, despite a dramatically different threat landscape. The new Sector-Specific Plans will feed into CISA’s development of the 2025 National Infrastructure Risk Management Plan.
“Technological advances continue to make natural gas operations safer, more cost-effective, and better able to serve customers via web-based programs and tools,” Denbow detailed in her written statement. “The corollary to a more connected and more efficient industry is our attractiveness as a target for increasingly sophisticated cyber actors.”
Having said that, she detailed that America’s natural gas utilities are combating the threat daily through skilled personnel, robust cybersecurity system protections, an industry commitment to security, collaboration with other industries and associations, ongoing cybersecurity partnerships with the federal government, and interaction with the Downstream Natural Gas Information Sharing & Analysis Center (DNG-ISAC) Community for real-time awareness and action.
Denbow also flagged that in the gas utility sector’s experience, the number of insurance providers willing to write cyber insurance policies has been limited. “While capacity appears to be improving, the relatively unpredictable scale and cost of a successful cybersecurity compromise of critical operations unsurprisingly has limited the scope of coverage. Actuarial data in the industry continues to be in short supply and may be ineffective as a predictor given the rapid changes in cyber threats. As a result, some existing cyber insurance programs are unnecessarily restrictive in terms of coverage,” she added.
“Another common issue is that most insurance policies limit or eliminate coverage if the cyberattack is conducted as part of an ‘act of war’ or carried out by nation-states or their affiliates,” Denbow observed. “The terms of these exclusions vary widely and are difficult for our owners/ operators to evaluate. Some versions of these exclusions may place the owner/operator in the position of not only having to demonstrate the impact of the cyber incident but also to identify the origin and motive of the adversary–the latter action is beyond the practical scope of natural gas utility cybersecurity programs and sometimes even beyond the capability of our federal partners.”
She noted that while the threat landscape can appear similar across most critical infrastructure sectors, natural gas utility operations increasingly need to address new (and unintentional) cybersecurity risks introduced by federal and state government actions intended to address pipeline safety. “For example, because federal pipeline safety policies now mandate the installation of remotely operated valves, natural gas cyber professionals must now plan accordingly to address new cyber vulnerabilities associated with this new electronic equipment.”
Further, Denbow said that as state regulators evaluate requiring operators to make detailed pipeline operations information publicly available, consideration must be given to the potential increased risk of adversaries leveraging such information to strategically disrupt natural gas systems.
In her closing remarks, Denbow identified that America’s natural gas utilities recognize their attractiveness as a vector and target for nefarious cyber actors. “AGA member utilities combat the threat daily by leveraging a cybersecurity management portfolio of wide-ranging tools to include cybersecurity insurance, risk-based cybersecurity measures, participation in the DNG-ISAC, and active engagement in value-added public/private initiatives that advance cybersecurity.”
She added that AGA encourages the government to learn from the successes of the Transportation Security Administration (TSA) and Joint Cyber Defense Collaborative (JCDC) in their genuine collaboration with owners/operators – to earnestly work with the owners/operators to seek solutions that are risk-based, outcome-focused, and elevates security above compliance to achieve a commonly shared mission.
Additionally, harmonization of government-imposed cybersecurity requirements should not be the burden of owners/operators but rather the responsibility of the government agencies. Lastly, the federal government should hold itself to sensitive information security standards and incident reporting at least as high as required of owners/operators. This is particularly significant given the government’s aggregation of the nation’s most critical infrastructure operational information.