By Grant Geyer | Sept. 1, 2021

This year’s spree of cyberattacks impacting critical infrastructure and the delivery of services vital to the public well-being awoke the U.S. federal government to the critical importance of strong protections against these threats. In rapid-fire succession, we’ve seen executive orders, national security memorandums, and industry-specific directives set the stage for legislation that will replace the lighter touch government has had on industrial cybersecurity.

Today, the government took the next step on that journey with the introduction of a bipartisan proposal that would establish the Cyber Incident Review Office within the Cybersecurity and Infrastructure Security Agency (CISA). This newly created office would receive and act on cybersecurity incident reports from covered entities in the public and private sectors. With CISA having oversight, the office would be an important step toward building a future where the federal government obtains more actionable information from the private sector on cyber incidents so that the Internet ecosystem can be made more secure.

From Claroty’s perspective, this proposed bill is an important step toward preventing disruptive attacks in the future and enabling the intelligence sharing between the private and public sector that has been missing. Our perspective comes from a clear understanding of the role of the diverse private-sector ownership of critical infrastructure, as well as the need for the government to garner better visibility into operational technology networks vital to the country’s economic and national security. Claroty serves some of the world’s largest energy, water, oil and gas, pipelines, food and beverage, pharmaceutical, and critical manufacturing companies, strategizing alongside those entities to not only improve our products, but also the security posture of the industrial domain.

Click here to read Claroty’s full letter to the committee.

Given our informed perspective on industrial cybersecurity, we’d like to share our insights and opinions on the following facets of the proposed legislation, which was introduced today during a House Committee on Homeland Security hearing.

CISA as the Cyber Incident Reporting Clearinghouse

Officially designating CISA as the single entity responsible for receiving, analyzing, and reporting on all significant cyber incidents would provide a common picture of situational awareness, helping to ensure that U.S. national interests are effectively secured.

Regardless of an adversary’s sophistication or motivations, having an overarching situational awareness is a massive advantage over fragmented departmental views. Attackers will play to their strengths of only needing to be right once, while defenders need to be right every time. As defenders of critical infrastructure, we need to play to our strengths: enabling a unified understanding of cyber situational awareness to ensure we can gain insights and provide actionable recommendations.

Industry-Specific Requirements at the Forefront

We are encouraged that the proposed legislation recognizes risks to industrial enterprises and includes them for assessment by the CISA director as a covered incident alongside IT security events that impact the standard CIA Triad of confidentiality, integrity, and availability.

Not only are sophisticated attacks that threaten sensitive company data or personally identifiable information within scope, but so is any incident that potentially impacts industrial control systems, including SCADA and distributed control systems, and the programmable logic controllers responsible for field-level processes.

It’s a landmark time for the industrial domain to see proposed legislation that singles out threats to the safety and resiliency of OT systems and processes by name. This broader scope ensures a more expansive view of safety risk in addition to digital risks, and this is crucial as more industrial devices and networks are converged with IT networks and managed centrally by diverse teams of security professionals.

72-Hour Cyber Incident Notification Period

The draft legislation establishes an initial reporting period of no earlier than 72 hours for victims of a cyber incident. While still a short window, it falls in line with the general expectation brought forth through GDPR, for example. It’s important that legislators understand the frantic early hours after detection of a significant cyber incident. Organizations are trying to understand the breadth of the incident, determine its scope, assess how company and personal data may have been impacted, and align legal teams and communications to customers. While large enterprises may be able to rapidly accomplish this, smaller or less well-funded organizations may need to enlist the support of third parties to effectively conduct these activities. An initial 72-hour reporting period is an effective benchmark that most organizations already use as a standard. A shorter notification period would run the risk of creating too many “false positives,” which would not be an effective use of federal government resources.

Disincentives for Failure to Notify

The one area in which we believe the proposed legislation can go further is the creation of disincentives for failing to notify CISA of a significant cyber incident. We think it may be necessary to create such disincentives for organizations that fail to notify, such as imposing fines or penalties. Right now, organizations are exposed to substantial brand and reputational risk for reporting a cyber incident. The executive decision is therefore tipped all too frequently in favor of not reporting cyber incidents and working to quietly fix them behind the scenes. While focused on privacy, GDPR has driven substantial adoption of its obligations worldwide due to the high fines (€20M or 4% of global revenue, whichever is higher) for violating its breach notification provision.

Of note, until the financial penalties were enacted in the latest version of GDPR, compliance was half-hearted. At present, many organizations view reporting as having a reputational and brand impact, and without penalties they will decide not to report incidents. Claroty believes that, given the risk to U.S. national security and interests, we must tip the financial calculus in favor of notification, and that this must be done through stiff penalties and enforcement for organizations that are clearly in violation. We also believe that this new set of risks will drive Boards of Directors to govern and manage cyber risk, which will drive funding and action through the organization more effectively. By creating effective and material economic disincentives for organizations that do not comply with the expected outcomes, we tip the scale in favor of reporting.