The Biden Administration continues to take steps to safeguard U.S. critical infrastructure from growing, persistent and sophisticated cyber threats. Recent high-profile attacks on critical infrastructure around the world, including the ransomware attacks on the Colonial Pipeline and JBS Foods in the United States, demonstrate that significant cyber vulnerabilities exist across U.S. critical infrastructure, which is largely owned and operated by the private sector.
Currently, federal cybersecurity regulation in the United States is sectoral, with a patchwork of sector-specific statutes that have been adopted piecemeal, as data security threats in particular sectors have gained public attention.
President Biden recently announced plans to sign a National Security Memorandum (NSM) on “Improving Cybersecurity for Critical Infrastructure Control Systems,” which addresses cybersecurity for critical infrastructure and implements long efforts to meet the threats we face. The NSM:
- Directs the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards and Technology (NIST), in collaboration with other agencies, to develop cybersecurity performance goals for critical infrastructure. The administration expects those standards will assist companies responsible for providing essential services like power, water, and transportation to strengthen their cybersecurity.
- Formally establishes the President’s Industrial Control System (ICS) Cybersecurity Initiative. The ICS Initiative is a voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections and warnings. The Initiative began in mid-April with an Electricity Subsector pilot, and already over 150 electricity utilities representing almost 90 million residential customers are either deploying or have agreed to deploy control system cybersecurity technologies. The action plan for natural gas pipelines is underway, and additional initiatives for other sectors will follow later this year.
Last week, the Department of Homeland Security’s Transportation Security Administration (TSA) announced a second Security Directive for critical pipeline owners and operators. Following the ransomware attack on a major petroleum pipeline in May 2021, TSA issued an initial Security Directive requiring critical pipeline owners and operators to report cybersecurity incidents, designate a Cybersecurity Coordinator, and conduct a review of their current cybersecurity practices. This second Security Directive will require owners and operators of pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections, including:
- Implementing specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems within prescribed timeframes.
- Developing and implementing a cybersecurity contingency and recovery plan.
- Conducting an annual cybersecurity architecture design review.