The US administration continues to take steps to safeguard US critical infrastructure from growing, persistent, and sophisticated cyber threats. President Biden has signed a National Security Memorandum (NSM) on “Improving Cybersecurity for Critical Infrastructure Control Systems,” which addresses cybersecurity for critical infrastructure and implements long-overdue efforts to meet the threats.
The NSM comes within hours of a statement the President gave during his visit to the Office of the Director of National Intelligence. “I think it’s more than likely we’re going to end up if we end up in a war — a real shooting war with a major power — it’s going to be as a consequence of a cyber breach of great consequence, and it’s increasing exponentially,” Biden said.
Details of NSM
The memorandum primarily establishes the Industrial Control Systems (ICS) Cybersecurity Initiative, a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.
The main objective of this Initiative is to defend the United States’ critical infrastructure by encouraging and facilitating the deployment of technologies and systems that provide threat visibility, indications, detection, and warnings and that facilitate response capabilities for cybersecurity in essential control systems and operational technology networks. The main points of the Initiative are:
- The Initiative began with a pilot effort with the Electricity Subsector and is now followed by a similar effort for natural gas pipelines. Efforts for the Water and Wastewater Sector Systems and Chemical Sector will follow later this year.
- Sector Risk Management Agencies and other executive departments and agencies will work with critical infrastructure stakeholders and owners and operators to implement the principles and policy.
- The Secretary of Homeland Security, in coordination with the Secretary of Commerce (through the Director of the National Institute of Standards and Technology) and other agencies, will develop and issue cybersecurity performance goals for critical infrastructure to further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.
Role of Pentagon
ICS cyberattacks have also become an increasing concern for the Pentagon. Though the NSM is not targeted at the Department of Defense, the infrastructure required to support a military base, such as power and water, often comes from public utilities that have proven to be easy targets for threat actors. Pentagon planners have acknowledged fears of situations where planes can’t scramble because the doors to their hangars are locked, or where US military personnel are poisoned by hacked water supplies.
Current state of affairs
At present, federal cybersecurity regulation in the United States is sectoral. “We have a patchwork of sector-specific statutes that have been adopted piecemeal, as data security threats in particular sectors have gained public attention. Given the evolving threat we face today, we must consider new approaches, both voluntary and mandatory. We look to responsible critical infrastructure owners and operators to follow voluntary guidance as well as mandatory requirements to ensure that the critical services the American people rely on are protected from cyber threats,” said the White House statement.
A large part of US critical infrastructure is owned and operated by the private sector. The private sector has traditionally been hesitant to allow government authorities to monitor its networks, which complicates the US government’s attempts to secure critical infrastructure. For this reason, the statement says, “The Federal Government cannot do this alone, and securing our critical infrastructure requires a ‘whole-of-nation effort.’”
Another obstacle is the timely sharing of cyber information between the private sector and the government. Last week a host of Senators introduced a bipartisan bill that, if passed, will require federal agencies and critical infrastructure owners and operators, as well as government contractors and subcontractors, to report cyber incidents to Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery.
Recent threats
There have been high-profile attacks on critical infrastructure over the past two years, including the ransomware attacks on the Colonial Pipeline, SolarWinds, and the Microsoft Exchange server hacks, the latter of which the government formally attributed to China on July 19. These attacks expose significant cyber vulnerabilities in US critical infrastructure. The NSM is the latest effort by the Biden administration to shore up national cybersecurity.


