On Wednesday, July 28, 2021, the President signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. The National Security Memorandum establishes a voluntary initiative intended to drive collaboration between the Federal Government and the critical infrastructure community to improve cybersecurity of control systems. It instructs the Department of Homeland Security (DHS) to lead the development of preliminary cross-sector control system cybersecurity performance goals as well as sector-specific performance goals within one year of the date of the National Security Memorandum. These goals are intended to provide a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.
“Today, we are delivering on the first step of the President’s National Security Memorandum (NSM) objectives to strengthen the cybersecurity of our Nation’s critical infrastructure control systems,” Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Commerce Gina Raimondo said in a joint statement. “DHS’s Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the Department of Commerce’s National Institute of Standards and Technology (NIST), developed preliminary cybersecurity performance goals based on nine categories of best practices. These goals are part of a long overdue, whole-of-government effort to meet the scale and severity of the cybersecurity threats facing our country. It is vital that critical infrastructure owners and operators immediately take steps to strengthen their cybersecurity posture toward these high-level goals. The safety and security of the American people relies on the resilience of the companies that provide essential services such as power, water, and transportation. We look forward to further engaging with key industry stakeholders to promote these efforts to protect our national and economic security.”
To inform the development of the cross-sector performance goals, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) conducted an initial crosswalk of available control system resources and recommended practices that were produced by the government and the private sector. The crosswalk focused on the following documents:
- CISA Cyber Essentials (https://www.cisa.gov/cyber-essentials)
- CISA Cybersecurity Best Practices for Industrial Control Systems (https://www.cisa.gov/publication/cybersecurity-best-practices-for-industrial-control-systems)
- CISA Pipeline Cyber Risk Mitigation Infographic (https://www.cisa.gov/publication/pci-cyber-risk-infographic)
- CISA Recommended Practice: Defense in Depth (https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf)
- Chemical Facility Anti-Terrorism Standards (CFATS) Risk-Based Performance Standards Guidance (https://www.cisa.gov/publication/cfats-rbps-guidance)
- NRC Draft Regulatory Guidance (DG)-5061, “Cyber Security Programs for Nuclear Power Reactors.” (https://www.nrc.gov/docs/ML1801/ML18016A129.pdf)
- NIST SP 800-82, Rev 2, “Guide to Industrial Control Systems (ICS) Security.” (https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final)
- NISTIR 8183, Rev 1, “Cybersecurity Framework Version 1.1 Manufacturing Profile.” (https://csrc.nist.gov/publications/detail/nistir/8183/rev-1/final)
After reviewing the documents listed above, CISA and NIST identified nine categories of recommended cybersecurity practices and used these categories as the foundation for preliminary control system cybersecurity performance goals. Each of the nine goals includes specific objectives, organized into baseline and enhanced objectives, that support the deployment and operation of secure control systems.
Baseline objectives represent recommended practices for all control system operators, while the enhanced objectives include practices for critical infrastructure supporting national defense; critical lifeline sectors (i.e., energy, communications, transportation, and water); or systems whose failure could affect safety. DHS will coordinate with its interagency and private sector partners to determine the applicability of the enhanced objectives within each sector. In addition to the objectives, Example Evidence of Implementation is provided for each objective to demonstrate what successful implementation of that objective might entail for an organization. Successfully implementing all baseline objectives equates to successful implementation of a goal.
It is important to note that while all of the goals outlined in this document are foundational activities for effective risk management, they represent high-level cybersecurity best practices. Implementing the goals and objectives listed here is not an exhaustive guide to all facets of an effective cybersecurity program. These preliminary goals and objectives were developed and refined with as much interagency and industry input as was practical within the initial timeline, using existing coordinating bodies. DHS expects to conduct much more extensive stakeholder engagement as the goals are finalized in the coming months.