The Biden administration is moving to add more safeguards to the nation’s critical infrastructure by establishing a new voluntary public-private collaboration that will focus wholly on industrial control systems (ICS) cybersecurity.
The administration formally launched the “Industrial Control Systems Cybersecurity Initiative” in the “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems” signed by President Biden on July 28.
The collaboration between the federal government and the critical infrastructure community will work to defend the nation’s critical infrastructure—including its power plants and electric grid facilities—by “encouraging and facilitating the deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks,” the memo says. “The goal of the Initiative is to greatly expand deployment of these technologies across priority critical infrastructure.”
The memorandum’s issuance is the federal government’s latest attempt to mitigate an ever-expanding landscape of cybersecurity attacks, but its cross-sectoral focus on critical infrastructure is notable because federal cybersecurity regulation in the U.S. has so far been sector-specific. Last week, for example, the Department of Homeland Security’s (DHS’s) Transportation Security Administration (TSA) announced a second security directive for critical pipeline owners and operators in response to the Colonial Pipeline Co. ransomware attack.
While TSA’s first directive, issued this May, required pipeline owners and operators to report confirmed and potential cybersecurity to the Cybersecurity and Infrastructure Security Agency (CISA), the second directive mandates that they implement cybersecurity mitigation measures; develop a Cybersecurity Contingency Response Plan in the event of an incident; and undergo an annual cybersecurity architecture design review, among other things.
“We have a patchwork of sector-specific statutes that have been adopted piecemeal, as data security threats in particular sectors have gained public attention,” the White House said on Wednesday. “Given the evolving threat we face today, we must consider new approaches, both voluntary and mandatory.”
Power Sector Led ICS Cybersecurity Pilot
The new memorandum is also significant because it marks the end of the administration’s “100-day” plan, an initiative launched on April 20 to help owners and operators of ICS systems across the power sector to “identify and deploy” technologies and systems that could enable “near real-time” situational awareness and response capabilities in critical ICS operational technology (OT) networks.
While the Department of Energy (DOE) has provided scant details about what the “plan” specifically achieved during its rollout period, it suggested the power industry worked with the DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) and the Cybersecurity and Infrastructure Security Agency (CISA).
Shedding more details on the 100-day efforts, the White House on Wednesday revealed that 150 electricity utilities have so far “either began deploying or have agreed to deploy control system cybersecurity technologies” to provide enhanced visibility into ICS and OT network vulnerabilities.
The Edison Electric Institute (EEI), a trade group that represents all U.S. investor-owned power companies, confirmed that more than 85% of its member companies that own and operate “prioritized control systems” are already participating. It also suggested that the deployment of sensors was a key facet of the electric subsector’s effort. “While individual companies monitor [ICS] systems, deploying sensors across the electric power sector will provide additional insights and enhance the government-industry partnership,” EEI said.
The newly established ICS initiative will now follow the electricity subsector pilot with “similar efforts” for natural gas pipelines, the White House said. The water and wastewater sector, and the chemical sector, will also deploy similar efforts later this year, it said.
“We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems,” the White House said. “The Federal Government will work with industry to share threat information for priority control system critical infrastructure throughout the country.”
DHS to Issue Cybersecurity Performance Goals for Control Systems
Wednesday’s National Memorandum also directs the secretaries of Homeland Security, Commerce (through the National Institute of Standards and Technology), and other agencies to develop and issue cybersecurity performance goals for critical infrastructure. These measures will “further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety,” it said.
DHS will kick off the effort by issuing preliminary goals for control systems across all critical infrastructure sectors by Sept. 22, 2021. That will be followed by final cross-sector control system goals (and if necessary, sector-specific goals) by August 2022.
“These performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services,” the memorandum reads. “That effort may also include an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our Nation.”
The new initiative has so far received industry support. “With the performance guidelines, we’re developing some actionable ideas on [bulk electric system] security and security for all critical infrastructure sectors. It’s a challenge to develop clear performance goals, but I think when done well—like many of the North American Reliability Corp.’s Critical Infrastructure Protection (CIP) Standards—they can be very effective,” Tobias Whitney, vice president of Industry Relations and Regulatory Affairs at Fortress Information Security, told POWER.
However, as Whitney noted, much remains undetermined. “It will be very interesting to see with chemicals, water, pipelines, and how those sectors respond,” he said. “Will the guidelines be sector-specific or more general? And if they are general, will the electric industry’s guidelines be the model? I think they should be sector-specific, but there is a lot each sector can learn from the work that the energy companies have done to secure themselves.”
—Sonal Patel is a POWER senior associate editor (@sonalcpatel, @POWERmagazine)