Experts warn Oregon lawmakers that cyber attacks threaten energy, food, transport and education systems
Loading...
Summary
A committee informational session heard private‑sector and higher‑education representatives describe ransomware, supply‑chain and operational risks to Oregon’s critical infrastructure sectors, and urged stronger coordination, workforce investment and continued federal‑state collaboration on threat intelligence.
The Joint Committee on Information Management and Technology heard an informational presentation on May 2 about cyber risks to Oregon’s critical infrastructure, including energy, food and agriculture, transportation, finance and education.
Witnesses described daily and escalating cyber threats that target both operational technology and business systems, warned that loss of federal threat‑sharing resources would reduce defensive capacity, and urged investment in workforce development and interagency coordination.
Andre Leduc, vice president and chief resilience officer at the University of Oregon, told the committee that higher‑education institutions host extensive network infrastructure and research assets that are often targets of ransomware and other intrusions. “Many universities have legacy systems that are undermaintained, and that can be exploited,” Leduc said, then urged that protecting backbone and middle‑mile connectivity hosted by campuses be part of statewide resilience planning.
Don Lynn, director of crisis and business continuity management for Albertsons Companies, described how cyber incidents can cascade through food supply chains and retail operations — affecting distribution automation, pharmacy systems and e‑commerce — and cited recent incidents that disrupted pharmacy payment processing and inventory replenishment. Lynn emphasized that indirect victims in the supply chain often receive inadequate information during an event and called for trusted information sharing to speed recovery.
Rick Holmes, chief security officer for Union Pacific Railroad, outlined a risk‑based approach the rail operator uses to prioritize cybersecurity investments: identify critical systems tied to the company’s mission (for example, train dispatch and crew management), map attacker tactics (using MITRE ATT&CK), evaluate controls (using the Center for Internet Security and NIST frameworks) and test incident plans through tabletop and red‑team exercises. Holmes said Union Pacific met Transportation Security Administration cybersecurity directive requirements in 2024 and had no areas of noncompliance identified by TSA.
Representatives from the financial and energy sectors said national threat‑sharing and federal partnerships are critical. Jeff Prell, chief risk officer at First Tech Federal Credit Union, said his organization relies on agencies such as the Cybersecurity and Infrastructure Security Agency and the National Credit Union Administration for intelligence and coordination, and expressed concern about staffing reductions at federal cybersecurity entities. Jeffrey Baumgartner, chief security officer at Berkshire Hathaway Energy (parent of Pacific Power), described sector mechanisms including the Electricity Information Sharing and Analysis Center and the Energy Threat Analysis Center, and said those networks help utilities track adversary tactics and coordinate mitigations.
Panelists repeatedly warned that cyber events can present as operational disruptions rather than classic IT breaches — for example, loss of power or automation can create food‑safety and logistics crises — and urged the committee to consider both prevention and resilience. Several presenters recommended state‑level actions to support smaller organizations that lack dedicated security teams, including shared threat intelligence, training, and incentives for infrastructure investment.
Committee members asked presenters about contingency plans if federal threat‑sharing capacity is reduced. Panelists said many organizations rely on CISA, ISACs and other federal resources and that losing those capabilities would require buying commercial intelligence feeds or building new state‑level coordination. Witnesses also stressed workforce development at Oregon’s colleges and universities to expand cyber talent.
The informational meeting closed after representatives from education, food and agriculture, transportation, finance and energy answered committee questions. Committee members said they would continue to examine potential policy responses, including workforce and coordination measures.
