The Biden Administration continues to take steps to safeguard U.S. critical infrastructure from growing, persistent, and sophisticated cyber threats. Recent high-profile attacks on critical infrastructure around the world, including the ransomware attacks on the Colonial Pipeline and JBS Foods in the United States, demonstrate that significant cyber vulnerabilities exist across U.S. critical infrastructure, which is largely owned and operated by the private sector.
As we have seen, the degradation, destruction, or malfunction of systems that control this infrastructure can have cascading physical consequences that could have a debilitating effect on national security, economic security, and the public health and safety of the American people.
Currently, federal cybersecurity regulation in the United States is sectoral. We have a patchwork of sector-specific statutes that have been adopted piecemeal, as data security threats in particular sectors have gained public attention. Given the evolving threat we face today, we must consider new approaches, both voluntary and mandatory. We look to responsible critical infrastructure owners and operators to follow voluntary guidance as well as mandatory requirements in order to ensure that the critical services the American people rely on are protected from cyber threats.
Today, President Biden is signing a National Security Memorandum (NSM) on “Improving Cybersecurity for Critical Infrastructure Control Systems,” which addresses cybersecurity for critical infrastructure and implements long overdue efforts to meet the threats we face. The NSM:
Directs the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards and Technology (NIST), in collaboration with other agencies, to develop cybersecurity performance goals for critical infrastructure. We expect those standards will assist companies responsible for providing essential services like power, water, and transportation to strengthen their cybersecurity.
Formally establishes the President’s Industrial Control System Cybersecurity (ICS) Initiative. The ICS initiative is a voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings. The Initiative began in mid-April with an Electricity Subsector pilot, and already over 150 electricity utilities representing almost 90 million residential customers are either deploying or have agreed to deploy control system cybersecurity technologies. The action plan for natural gas pipelines is underway, and additional initiatives for other sectors will follow later this year.
Last week, the Department of Homeland Security’s Transportation Security Administration (TSA) announced a second Security Directive for critical pipeline owners and operators. Following the ransomware attack on a major petroleum pipeline in May 2021, TSA issued an initial Security Directive requiring critical pipeline owners and operators to report cybersecurity incidents, designate a Cybersecurity Coordinator, and conduct a review of their current cybersecurity practices. This second Security Directive will require owners and operators of pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections, including:
Implementing specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems within prescribed timeframes.
Developing and implementing a cybersecurity contingency and recovery plan.
Conducting an annual cybersecurity architecture design review.
The Federal Government cannot do this alone and securing our critical infrastructure requires a whole-of-nation effort. This NSM, the ICS Cybersecurity Initiative, TSA’s Security Directives and the President’s Executive Order on Improving the Nation’s Cybersecurity are parts of a focused and aggressive continuing effort to address these significant threats to our nation.