Attacks targeting critical infrastructure have been on the rise in recent years. Back in 2019, for instance, 56% of utility professionals responsible for overseeing risk in their organizations’ operational technology (OT) assets told Siemens and the Ponemon Institute that they experience at least one shutdown or operational data loss event a year. That’s about the same as the proportion of survey respondents (54%) who said they expected to see an attack on critical infrastructure in the next 12 months, HSToday reported.
The Biden Administration Responds
These critical infrastructure security events could explain why the Biden Administration has taken several steps in 2021 to help protect industrial control systems serving critical national infrastructure. Here’s an overview of three of those initiatives:
- The 100-day sprint for electrical infrastructure: Earlier in the year, the Biden Administration announced a 100-day sprint to identify weaknesses within the United States’ electrical infrastructure. It also announced a Request for Information (RFI) from the U.S. Department of Energy to help address supply chain risks in the U.S. electric system. (Tripwire’s response to that RFI is available here.)
- The Executive Order on Improving the Nation’s Cybersecurity: In mid-May, the Administration published an Executive Order on strengthening the nation’s cybersecurity. The directive came with several measures for helping Federal Civilian Executive Branch (FCEB) agencies within the U.S. government defend against supply chain attacks. It also included a section on removing barriers that would prevent information technology (IT) and OT service providers from sharing threat intelligence information with the FBI and similar entities.
- Revised security guidelines for pipeline owners: Following a high-profile ransomware attack involving a U.S. pipeline company, the Transportation Security Agency (TSA) issued a directive that discusses new security requirements for pipeline operators. Those obligations include the need for all pipeline companies to disclose all security incidents to the TSA and the Cybersecurity & Infrastructure Security Agency (CISA) going forward.
The Biden Administration isn’t done for the year, either. In July, it released its “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.” The purpose of this memo is to “defend the United States’ critical infrastructure by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks. The goal of the Initiative is to greatly expand deployment of these technologies across priority critical infrastructure.”
Towards that end, the memo will work to create new avenues for collaboration between public and private sector entities. One such opportunity has already taken shape in the electricity subsector, the memo noted, with similar efforts to follow in the natural gas pipeline, water and wastewater, and chemical sectors later in 2021. Those programs will bring relevant government agencies together with critical infrastructure stakeholders, owners, and operators for the purpose of implementing the principles and policies discussed in the memo.
Simultaneously, the Secretary of Homeland Security will work with other agency heads to develop and issue cybersecurity performance goals for critical infrastructure organizations. The purpose is to use those goals to identify baseline security practices that organizations in every sector can use to defend themselves against common digital risks. Once they’ve created those principles, the agency heads will then work on developing subsector-specific recommendations.
Tim Erlin, VP strategy at Tripwire, feels this newest action will help to lay some important groundwork for the future of critical infrastructure security.
“Every business understands the importance of setting measurable goals to achieve meaningful progress, and cybersecurity is no different,” he said. “A clear understanding of the baseline requirements, and measurement of performance to those requirements, is a critical step in raising the bar for critical infrastructure security.”
“A focus on ‘cybersecurity and resilience’ emphasizes the balance between prevention and preparation, with the understanding that critical infrastructure needs to be both secure and resilient to operate effectively in the world today,” he added.
Where This Leaves Critical Infrastructure Organizations
Critical infrastructure organizations can get started on implementing the memo’s principles by first gaining network visibility of their industrial environments. To do this, they need to discover and profile all their network assets as well as set up automated alerts so that they can quickly resolve security issues. From there, those organizations can monitor their network and systems for potential problems and use secure baselines along with vulnerability management to harden the security of those assets on an ongoing basis.