Citing recent ransomware attacks on Colonial Pipeline and JBS Foods as well as legacy “patchwork” and “piecemeal” safeguards as reasons to act with urgency, the Biden administration today released a national security memorandum to develop cybersecurity standards for critical infrastructure.
President Biden also formally established the voluntary public-private partnership Industrial Control System Cybersecurity Initiative to facilitate the development and deployment of technology to increase threat detection. The program began in April with a pilot in the electricity sector, and is now moving on to natural gas pipelines with plans to bring in chemical, water, and wastewater sectors later this year.
“Our current posture is woefully insufficient given the evolving threat we face today. We really kicked the can down the road for a long time,” a senior administration official told reporters. “The administration is committed to leveraging every authority we have, though limited, and we’re also open to new approaches, both voluntary and mandatory.”
The official said the ICS initiative technologies now deployed by more than 150 utilities “would have blocked what occurred at Colonial Pipeline in that they connect the operational technology side of the network to the IT side of the network.”
The “Improving Cybersecurity for Critical Infrastructure Control Systems” memorandum brings the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security together with the National Institute of Standards and Technology at the Commerce Department to develop cybersecurity performance goals “that set a clear, easy-to-understand security baseline,” Homeland Security Secretary Alejandro Mayorkas and Commerce Secretary Gina Raimondo said in a joint statement today.
“The safety and security of the American people rely on the resilience of the companies that provide essential services such as power, water, and transportation,” Mayorkas and Raimondo said. “The establishment of cybersecurity performance goals marks important progress toward this goal. We look to responsible critical infrastructure owners and operators to follow voluntary guidance in order to ensure that the critical services the American people rely on are protected from cyber threats, and we are committed to working closely with our partners in the private sector to promote proactive cybersecurity practices that will protect our national and economic security.”
The senior administration official said the actions stress that “the federal government can’t do this alone, and securing our critical infrastructure requires a whole-of-nation effort.”
“Short of legislation, there isn’t a comprehensive way to require deployment of security technologies and practices that address, really, the threat environment that we face,” the official said when pressed about authorities to mandate cyber protections.
The ICS initiative has “brought in a number of CEOs of utilities and pipelines to brief them on the threats so that they had the same information we had regarding the sense of urgency we feel to address the cybersecurity threat.”
“I think we’re showing a willingness to do the work we need to do, and I think we’re showing a willingness to share information in new ways, come up with voluntary ways, but also making clear that given the criticality of the threat, we need to move with urgency and we need to look at all options — voluntary and mandatory — to achieve the rapid progress we need,” the official added.
The memorandum says that the DHS and NIST collaboration will produce preliminary goals for control systems across critical infrastructure sectors before Sept. 22. Final cross-sector control system goals and sector-specific critical infrastructure cybersecurity performance goals will be released by DHS within a year from now.
“These performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services,” the memo states. “That effort may also include an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our nation.”
The memorandum stresses that critical infrastructure control system cyber threats “are among the most significant and growing issues confronting our nation” and warns of “significant harm” to the U.S. economy and national security if systems are compromised through malfunctions or malicious actors.
“We’ve been investing a lot of time in understanding the incentives and understanding the barriers and looking at what can be done across grants, across potential tax credits, across, potentially, you know, performance incentive mechanisms. Cyber insurance is a really interesting mechanism as well,” the senior administration official said. “So, each of those things we’re looking at and exploring — no announcements yet — but to really understand, you know, how to accelerate voluntary adoption.”