AMPYX CYBER

Industry brief: National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems

By Patrick Miller

Recent activity from the Biden Administration represents a pivotal moment in the establishment of baseline cybersecurity standards for critical infrastructure.

On July 28, the Biden Administration issued the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. Also see the Press Brief for more background information and context.

The National Security Memorandum (NSM) establishes “an Industrial Control Systems Cybersecurity Initiative (Initiative), a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.”

Key Points – What We Know Now:

  • Not a new law, regulation, Executive Order or standard, but instead a “voluntary collaborative initiative” – for now, it’s just a request (expectation)

  • Seeking baseline cybersecurity goals (controls) that are consistent across all critical infrastructure sectors

  • Will have some common controls with existing regulations (e.g. NERC CIP)

  • NIST 800-53 and 800-82 are being promoted as the control set(s), or a subset thereof [3]

  • Measurement will be managed by DHS Cybersecurity and Infrastructure Security Agency (CISA) and each infrastructure’s Sector Risk Management Agencies; since the initiative is voluntary, there is no known enforcement function

  • Unclear at this time how measurement will be performed (e.g. assessment, self report, audit); next details will be released on or before September 22, 2021

  • Will first apply to electricity subsector, natural gas pipelines, water, wastewater, and chemical sectors but could ultimately apply to all 16 critical infrastructure sectors

  • Final baseline cybersecurity goals that are consistent across all critical infrastructure sectors will be released July 28, 2022 or before

  • Clear and overt signaling that participation is expected, and lack of participation will very likely result in regulation

Recommended Actions

  • Perform a gap assessment of existing regulations or standards (e.g. NERC CIP), plus any additional cybersecurity controls already implemented voluntarily, against NIST 800-53 and 800-82, in preparation for reporting your position to CISA and/or DOE

  • Create action plan to align any control gaps and mitigation steps with 800-53/82

  • Begin network architecture modifications and hardware procurement to increase capabilities for network monitoring (e.g. taps, packet brokers, etc. to get security telemetry from all key network segments)

  • Begin process of procuring network monitoring and anomaly detection software solution with specific capabilities for industrial control environments

  • Establish a trained/experienced security operations function, whether in-house or outsourced, to process, analyze and respond to the new security telemetry generated by the new monitoring infrastructure

Potential risks of late movement or adoption of the baseline controls:

  • Public-relations incentive/hit – if breached, even if only at the corporate level (IT side), this baseline set of controls will be an expectation of authorities, media, customers, and shareholders. Failure to meet the baseline controls, or conversely, the ability to defensibly state that you do meet them, will have a direct (negative/positive) impact on how all of those parties view the organization. “Did you at least do the minimum?”

  • Cyber insurance underwriters will very likely include this set of controls as one of the minimum requirements for coverage or claim processing.

  • Business partnerships, upstream/downstream providers, possible mergers and acquisitions will consider the baseline controls to be good business practice and basic (expected) level of diligence.

  • As time passes from the initial notice, standard market forces of supply and demand will force a constrained market for consulting, professional services, integration, installation, and training. Similar impacts may be seen with specific technologies (hardware).

  • Earlier assessment and alignment with the baseline controls will facilitate a quick response to any requests from the oversight authority (DHS CISA) if necessary.

  • Proactive, incremental continuous improvement from early adoption should be less effort and lower impact to resources and budgets vs. late-stage, time-constrained, forced, and reactive efforts.

Forecast and Commentary

The use of “National Security” as the premise allows for potential reach into areas that have traditionally been reserved to state-level jurisdiction only. For example, in the electric sector, it may apply beyond the Generation and Transmission authority defined in existing regulation, possibly creeping into the Distribution space.

The NSM is one of several recent motions from the federal government, such as the 100-Day Plan to Address Cybersecurity Risks to the U.S. Electric System, the Department of Energy Request for Information on Securing Critical Electric Infrastructure, the Federal Energy Regulatory Commission Request For Information on Potential Enhancements to the Critical Infrastructure Protection Reliability Standards, Executive Order 13920 Securing the United States Bulk-Power System, and Executive Order 14028 Executive Order on Improving the Nation’s Cybersecurity – all of which have similar components:

  • Threat and anomaly detection, including monitoring

  • Incident response and recovery

  • Information sharing

  • Supply chain security

This volume of federal activity focused on cybersecurity for the critical infrastructure sectors and industrial control systems is a strong indicator that voluntary action is expected, or regulation will be the result – and may even be inevitable.

Check our website for the latest up-to-date information on events impacting the industrial security world – www.amperesec.com.
