Aug 13 2021

White House Aims to Enhance Cybersecurity for Critical Infrastructure Operators

The Biden administration has asked two federal agencies to develop cybersecurity performance goals for critical infrastructure sector entities and utilities.

After a spate of high-profile cyberattacks on water treatment plantspipelines and other critical infrastructure providers this year, the Biden administration made a formal move late last month to bolster the cybersecurity of the critical infrastructure sector.

The administration released a national security memorandum on July 28, in which President Joe Biden directed the Department of Homeland Security and the National Institute of Standards and Technology to “develop and issue cybersecurity performance goals for critical infrastructure to further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.”

The cybersecurity performance goals are purely voluntary, though NPR reports that, according to an unnamed senior Biden administration official, the administration “may pursue legislative options, with help from Congress, to require the kind of technological improvements that would defend against such cyberattacks.”

A White House fact sheet says that the goals are likely to apply to those entities responsible “for providing essential services like power, water, and transportation to strengthen their cybersecurity.”

New Protections for Industrial Control Systems

The memo also outlines a program to boost the cybersecurity of industrial control systems. The administration has already started a program around ICS cybersecurity focused on the electricity subsector, and now has one in place for pipelines, with plans for initiatives around water and wastewater and chemicals to follow later this year.

An unnamed senior administration official briefing reporters on the memo said that “patchwork of sector-specific statutes does not enable us to say we have confidence that there are cybersecurity thresholds in place with regard to technology, governance, and practices,” Federal News Network reports.

According to the memo, CISA and NIST are required to develop preliminary cybersecurity goals for control systems across critical infrastructure sectors no later than Sept. 22, 2021, followed by the issuance of final cross-sector control system goals by July 28, 2022.

Additionally, following consultations with relevant agencies, the Secretary of Homeland Security is required to released sector-specific critical infrastructure cybersecurity performance goals by July 28, 2022.

“These performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services,” the memo states. “That effort may also include an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our Nation.”

The memo establishes an Industrial Control Systems Cybersecurity Initiative, which it describes as a “voluntary, collaborative effort” between the federal government and the critical infrastructure community to “significantly improve the cybersecurity of these critical systems.”

The primary goal of this program is ramp up defenses for critical infrastructure providers by “encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks.” The initiative aims to “greatly expand deployment of these technologies across priority critical infrastructure.”

A key goal of the initiative, it seems, is to help critical infrastructure providers avoid attacks in which IT systems are compromised and used to meddle with operational technology that controls things like chemicals in water systems.

“These are the technologies that, had they been in place, would have blocked what occurred at Colonial Pipeline in that they connect the operational technology side of the network to the IT side of the network,” senior administration official said, according to Federal News Network. “The action plan for natural gas pipelines is underway, and additional initiatives for other sectors will follow later this year.”

According to the memo, the key goal the administration wants to meet is “deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats.”

RELATED: What are the best practices for critical infrastructure cybersecurity?

TerryJ/Getty Images