U.S. President Joe Biden has set up a voluntary industrial control systems (ICS) initiative that envisages collaboration between the federal government and the critical infrastructure community to significantly improve the security of the critical systems. The White House has also signed a national security memorandum that will enhance security for critical infrastructure control systems, focused on building cybersecurity and resilience of these systems.
The key purpose of the initiative is to defend the nation’s critical infrastructure community by encouraging and facilitating the deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and enabling response capabilities for cybersecurity in essential control systems and operational technology (OT) networks. It also aims to expand the deployment of these technologies across priority critical infrastructure.
In line with the new guidelines, the Secretary of Homeland Security, in coordination with the Secretary of Commerce, through the director of the National Institute of Standards and Technology (NIST) and other agencies, as appropriate, shall develop and issue cybersecurity performance goals for the critical infrastructure community to further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.
The measure shall begin with the Secretary of Homeland Security issuing preliminary goals for control systems across the critical infrastructure community no later than Sept. 22 this year, followed by the issuance of final cross-sector control system goals within one year of the date of the president’s memorandum.
Apart from this, after consultations with relevant agencies, the Secretary of Homeland Security shall issue sector-specific critical infrastructure cybersecurity performance goals within one year of the date of this memorandum. These performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services. That effort may also include an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of the country.
“We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems. The Federal Government will work with industry to share threat information for priority control system critical infrastructure throughout the country,” President Biden said in the memorandum.
National critical functions are typically the responsibility of the government at the federal, state, local, tribal, and territorial levels and of the owners and operators of that infrastructure. Critical functions are typically defined as those functions of government and the private sector that are so vital to the U.S. that their disruption, corruption, or dysfunction would have a debilitating effect on national security, economic security, public health or safety, or any combination thereof.
Cybersecurity needs vary among critical infrastructure sectors, as do cybersecurity practices. However, there is a need for baseline cybersecurity goals that are consistent across all critical infrastructure sectors, as well as a need for security controls for select critical infrastructure that is dependent on control systems.
The latest move by the U.S. administration follows months of cybersecurity attacks on the nation’s critical infrastructure community, including the SolarWinds supply chain attack, hack of a Florida water treatment facility, and the ransomware attack on Colonial Pipeline.
The U.S. government had in April announced a 100-day plan to modernize critical electric infrastructure using cybersecurity defenses with aggressive milestones, and assist owners and operators to deliver better detection, mitigation, and forensic capabilities. The plan will help meet cybersecurity threats faced by the nation’s electric system, apart from seeking feedback from stakeholders on protecting the critical electric infrastructure.
Commenting on the announcement, cybersecurity expert Joe Weiss pointed out that the effort between the federal government and the critical infrastructure community is a network-based approach specific to cyber threats. “On the other hand, control system field devices such as pressure, level, flow, temperature, and voltage sensors (often not considered part of OT) are inherently insecure and generally not designed to be connected to IP networks. The President’s ICS Initiative is not addressing this problem,” he added in a blog post.
Welcoming the government initiative, Robert Lee, founder and CEO at Dragos, wrote in a LinkedIn post, “Good to see the White House talk about ICS security and the need for ICS visibility, detection, and response technologies. They also talk about the electric sector-focused 100-day plan which was a huge success and thanks to leaders in the electric sector we saw massive shifts in the OT/ICS security posture/visibility in a short amount of time,” Lee added.
Tim Erlin, VP, product management and strategy at cybersecurity company Tripwire, said in an emailed statement that a focus on ‘cybersecurity and resilience’ emphasizes the balance between prevention and preparation. Critical infrastructure needs to be both secure and resilient to operate effectively in the world today.
“With the Executive Order on cybersecurity, the 100-day sprint to secure critical infrastructure, and now this memorandum, the administration is laying the groundwork for an extended and important focus on securing our nation’s infrastructure,” according to Erlin.
“Every business understands the importance of setting measurable goals to achieving meaningful progress, and cybersecurity is no different. A clear understanding of the baseline requirements, and measurement of performance to those requirements, is a critical step in raising the bar for critical infrastructure security,” he added.
“The federal government is casting a wide net with its recent security directive for critical infrastructure,” Duncan Greatwood, Xage CEO, said in an emailed statement. “It’s defining critical functions as not just national security, but also economic security, public health, and public safety. In doing so, it’s serving as a larger wake-up call to organizations that have escaped cyber regulation in the past; they have to prepare for future directives that ask for more than voluntary compliance and mandate a strengthened cybersecurity posture,” Greatwood added.
“Implementing better cybersecurity guidelines within organizations, especially the ones managing critical infrastructure, is a necessity,” Toshihiro Koike, CEO of Cyber Security Cloud (CSC), a cyber threat intelligence and AI-driven web security company, said in an emailed statement. “It’s smart for President Biden to generate a sense of urgency around cybersecurity policies and order CISA and NIST to establish benchmarks. Every company is vulnerable to a cybersecurity attack; now is the time to take action.”