A Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems has been signed by US President Joe Biden.
The order, which comes in the wake of a growing number of high-profile attacks such as SolarWinds and Colonial Pipeline, is intended to ensure further protection of critical infrastructure, such as the electricity networks, from ransomware and general cyberattacks.
The order has two key elements. One is to direct the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST), in collaboration with other agencies, to develop a baseline set of cybersecurity performance goals for critical infrastructure.
As a first step, the Department of Homeland Security is required to issue preliminary goals by September 22, 2021, with the sector-specific goals due to be completed within one year.
Second, it formally establishes the Industrial Control System Cybersecurity Initiative, a voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections and warnings.
The initiative was launched in mid-April with an electricity subsector pilot, in which more than 150 electricity utilities, representing almost 90 million residential customers, are already deploying or have agreed to deploy control system cybersecurity technologies.
Such technologies, had they been in place, would have blocked what occurred at Colonial Pipeline, in that they connect the operational technology side of the network to the IT side.
The action plan for natural gas pipelines is underway. Additional initiatives for other critical infrastructure sectors, including water and wastewater – another sector experiencing growing cyber threats – should follow later this year.
In support of this initiative, the US Department of Energy has released an updated version of its Cybersecurity Capability Maturity Model, which is designed to help industries assess and improve the cybersecurity of their energy systems.
Commenting on the memorandum, Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, says it highlights the importance of both detecting threats and having the ability to measure threat activity against cybersecurity performance goals.
“Specifically, an assumption should be made that attacks are always possible and that measuring threat activity requires a baseline from which to distinguish normal from abnormal.”
He advises that organisations that have performed threat models on their operations, but that haven’t defined processes to monitor for attempts to subvert compensating controls, should take this opportunity to update their threat models.