Legislation awaits the president's signature that would finally mandate that U.S. critical infrastructure owners and operators—the vast majority of which are in the private sector—report significant cybersecurity incidents and ransomware payments to the Department of Homeland Security.
After numerous proposals and trips through Congress in the wake of last year's ransomware attacks against oil & gas provider Colonial Pipeline, food distributor JBS Foods, and companies in other critical infrastructure sectors, the Senate last week approved the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The act is part of a $1.5 trillion spending bill passed by the House a day earlier.
Some of the key points of the legislation include:
Organizations that suffer significant cyber incidents must report them to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.
Any ransomware payments that are made to attackers must be reported within 24 hours.
CISA has been designated as the incident reporting clearinghouse responsible for receiving, analyzing, and sharing information on incidents with private sector owners and operators and the intelligence community.
"Information systems" have been redefined to include industrial control systems, SCADA systems, distributed control systems, and programmable logic controllers.
These critical operational technology assets impact the physical world and are prominent across industries such as manufacturing sites, water treatment plants, or bulk energy producers.
Broadening this scope ensures the cyber-physical systems that critical infrastructure owners and operators rely on to protect public safety are covered.
Game-Changing Legislation
Claroty, which counts among its customers and partners some of the world's largest critical infrastructure providers, has previously endorsed proposed legislation that hinged on these key points. Claroty's relationship with large providers and partners across many of the 16 critical infrastructure sectors allows us to understand the balance necessary to adequately support the role of diverse private-sector ownership with the need for information-sharing and visibility into threat intelligence filtered down from CISA across sectors.
In order for CISA to be fully effective at managing cyber risk to the nation's critical infrastructure, it needs situational awareness of cyber attacks that threaten public safety. This legislation compels critical infrastructure companies to provide the U.S. government with that insight.
While compelling organizations to report on covered cyber attacks may feel burdensome, it serves two important purposes: to ensure cyber security is top of mind for critical infrastructure operators and, more importantly, to strengthen the collective defense of the nation's visibility of and response to serious cyber threats.
CISA, meanwhile, said that it will use data and information shared from private sector owners to build adversarial profiles, understand their tactics, fill information gaps between sectors, and quickly provide incident response assistance.
"Put plainly, this legislation is a game-changer," said CISA Director Jen Easterly in a statement last week. "Today marks a critical step forward in the collective cybersecurity of our nation."
Compelling Organizations to Notify When Breached
Easterly's office will also have the ability to compel disclosure through a subpoena to any covered entity it believes has suffered an incident or made a ransom payment and failed to report it within the allotted time frame. A covered entity that ignores the subpoena could face civil action from the Attorney General, the legislation says.
Previously proposed legislation also threatened to bar organizations failing to report ransomware payments, for example, from doing business with the federal government. Claroty had previously asked legislators to strengthen disincentives for failing to notify for incident reporting. Private sector decision makers had worked for so long to quietly fix problems, and had been reticent to share information on incidents with third parties for fear of further exposure or being put at a competitive disadvantage.
Given the risk to national and economic security, it was crucial to ensure organizations were compelled to notify. We believe that now Boards of Directors will govern and manage cyber risk, and will drive funding and action through the organization more effectively.
Ransomware, meanwhile, became part of the industrial cybersecurity lexicon a year ago as attacks against IT systems at Colonial Pipeline and JBS Foods forced those organizations to shut down processes. Both companies also reportedly paid millions to meet ransom demands and restore affected systems.
Victimized companies are in a bind, facing massive losses during a ransomware attack while systems are unavailable, and yet facing pressure from law enforcement and security experts who caution against paying ransoms. Not only would such payments fund a criminal's or adversary-state's efforts, but experts caution there is no guarantee that payment results in full system recovery.
The stakes are likely to be higher in the coming weeks as the war in Ukraine continues, and the threat of cyberattacks being carried out in parallel with kinetic attacks looms. Prior to Russia's invasion of Ukraine nearly three weeks ago, wiper malware in the guise of ransomware was used to take down critical systems inside numerous Ukrainian state agencies.
Understanding when ransom payments are made and to whom provides the government with better information as to understand the true scope of ransomware targeting critical infrastructure operators, as well as which entities may be behind those attacks.
From Claroty's perspective, this legislation is a critical step toward not only securing critical infrastructure from malicious activity, but also facilitating the sharing of actionable information from the private sector in order to reach that end.
