New Protections for Industrial Control Systems
The memo also outlines a program to boost the cybersecurity of industrial control systems. The administration has already started a program around ICS cybersecurity focused on the electricity subsector, and now has one in place for pipelines, with plans for initiatives around water and wastewater and chemicals to follow later this year.
An unnamed senior administration official briefing reporters on the memo said that a “patchwork of sector-specific statutes does not enable us to say we have confidence that there are cybersecurity thresholds in place with regard to technology, governance, and practices,” Federal News Network reports.
According to the memo, CISA and NIST are required to develop preliminary cybersecurity goals for control systems across critical infrastructure sectors no later than Sept. 22, 2021, followed by the issuance of final cross-sector control system goals by July 28, 2022.
Additionally, following consultations with relevant agencies, the Secretary of Homeland Security is required to release sector-specific critical infrastructure cybersecurity performance goals by July 28, 2022.
“These performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services,” the memo states. “That effort may also include an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our Nation.”
The memo establishes an Industrial Control Systems Cybersecurity Initiative, which it describes as a “voluntary, collaborative effort” between the federal government and the critical infrastructure community to “significantly improve the cybersecurity of these critical systems.”
The primary goal of this program is to ramp up defenses for critical infrastructure providers by “encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks.” The initiative aims to “greatly expand deployment of these technologies across priority critical infrastructure.”
A key goal of the initiative, it seems, is to help critical infrastructure providers avoid attacks in which IT systems are compromised and used to meddle with operational technology that controls things like chemicals in water systems.
“These are the technologies that, had they been in place, would have blocked what occurred at Colonial Pipeline in that they connect the operational technology side of the network to the IT side of the network,” the senior administration official said, according to Federal News Network. “The action plan for natural gas pipelines is underway, and additional initiatives for other sectors will follow later this year.”
According to the memo, the key goal the administration wants to meet is “deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats.”