President Biden today signed a national security memorandum, "Improving Cybersecurity for Critical Infrastructure Control Systems," that signals the coming end of piecemeal, sector-specific cybersecurity regulations prevalent among critical industries, 90% of which are privately owned.
The memorandum directs NIST and CISA to develop preliminary performance goals by the end of September that cover all critical infrastructure. These goals will establish a threshold that private critical infrastructure operators will be expected to meet.
And while the language in the memorandum stresses public-private partnerships and voluntary cooperation, between the lines, the message is clear: The status quo has done little to abate ransomware attacks and probes of critical infrastructure, bringing us to the brink of the government—through NIST and CISA—establishing new societal norms and a new governance expectation for cybersecurity.
"We're saying that the absence of a strategic, coordinated requirement to the cybersecurity of critical infrastructure and the absence of mandated cybersecurity requirements for critical infrastructure is what, in many ways, has brought us to the level of vulnerability we have today," a senior administration official said.
Here's what you need to know about the national security memorandum:
The Industrial Control Systems Cybersecurity Initiative
The memorandum establishes the Industrial Control Systems Cybersecurity Initiative, which is described as a "voluntary, collaborative effort" between the federal government and private operators.
The initiative encourages modernization of industrial control systems' cybersecurity capabilities through the wide deployment of security technologies that provide threat visibility, threat detection, threat intelligence and indicators of compromise, and alerts that can improve incident response activities. The government also promises to share threat information relative to control system threats and risks.
A pilot of this initiative has been underway since April in the electricity subsector. More than 150 utilities serving 90 million residential customers have deployed, or agreed to deploy, control system cybersecurity technology. A similar effort has begun for natural gas pipelines, and water and wastewater and chemical sectors will follow thereafter.
NIST, CISA Cybersecurity Performance Goals
Control systems across critical infrastructure will have preliminary performance goals from NIST and CISA by Sept. 22, the memorandum says, with final cross-sector goals expected within one year.
A senior administration official said during a press conference Tuesday that "responsible owners and operators" are expected to meet these goals and implement these technologies that bring visibility and detection capabilities to control systems.
Owners and operators, however, are likely to push back against these mandates, citing a lack of resources and expertise, especially within smaller utilities.
The recent Water Sector Coordinating Council Cybersecurity State of the Industry report is a good representation of reality for many smaller owners and operators. The survey identified a number of challenges affecting community water and wastewater systems, primary among them were significant economic shortcomings to comply with safe and clean water regulations, in addition to a lack of cybersecurity expertise. The survey results identified four primary needs in the industry: cybersecurity training, technical assistance and tools, threat intelligence, and federal loans and grants. The government has acknowledged it will have to help in order to accelerate voluntary adoption of these technologies by incentivizing owners and operators through grants, tax credits, and other performance incentives.
Conclusion
For many years, nation states and profit-motivated threat actors have conducted cyber operations with impunity because the U.S. has not established red lines of acceptable and unacceptable behavior.
Recent events and this new initiative demonstrate that the U.S. government is taking proactive measures to ensure that the public and private sectors are working together to make progress on ICS security.
While at first glance, some of the administration's initiatives may appear only voluntary, but in reality, the government is establishing new societal norms for cybersecurity standards. As the administration mentions, there's a patchwork of sector-specific, state, local, and federal guidelines that may be confusing to follow. Establishing an industry-wide set of standards wipes the board clean and sets clearer expectations.
As a senior administration official said: "We're starting with voluntary, as much as we can, because we want to do this in full partnership. But we're also pursuing all options we have in order to make the rapid progress we need."
