The White House has issued a national security memorandum aimed at countering cyberattacks against critical national infrastructure, which it describes as “among the most significant and growing issues confronting our Nation”.
The memo outlines the Industrial Control Systems Cybersecurity Initiative, a voluntary initiative which is aimed at improving collaboration between government and industry on matters of cybersecurity, and which repeatedly emphasises the need for specific cybersecurity technologies.
Sector Risk Management Agencies, as well as other departments and agencies where appropriate, will work with critical infrastructure stakeholders, owners and operators to implement the principles and policies outlined.
So far, the ICS Initiative has been trialled in the electricity sector, and – in response to the high-profile Colonial Pipeline ransomware attack – was followed by a similar effort for natural gas pipelines. The memo states that water and wastewater systems, and the chemical sector, will follow later this year.
While acknowledging that “cybersecurity needs vary among critical infrastructure sectors, as do cybersecurity practices”, the memo stresses the need for consistent baseline cybersecurity goals across all components of critical national infrastructure.
These goals will be developed and issued by the Secretary of Homeland Security, a position currently held by Alejandro Mayorkas, in coordination with the Secretary of Commerce (through the Director of the National Institute of Standards and Technology). Preliminary cross-sector goals are set to be issued by late September 2021, with sector-specific goals to follow by the end of July 2022.
The memo also states that there may be “an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our Nation”.
The memo was accompanied by a transcript of a press call with senior administration officials, who elaborated on the broader cybersecurity strategy, emphasising the need for modernisation, increased international collaboration, and policies which would allow the nation to compete.
On the call, the current state of sector-based federal cybersecurity regulation was described as “woefully inadequate”. The senior official leading the call also noted that while the Initiative laid out in the memo was voluntary, the administration is “committed to leveraging every authority we have”, and “open to new approaches, both voluntary and mandatory”.
The call also gave more detail on the pilot of the Initiative carried out in the electricity sector earlier this year, stating that over 150 electricity utilities representing almost 90 million residential customers are either deploying or have agreed to deploy control system cybersecurity technologies.
“These are the technologies that, had they been in place, would have blocked what occurred at Colonial Pipeline”, the official remarked, demonstrating the lasting impact of the incident.
Before taking questions, the call once again highlighted that the Initiative was largely focused on deploying very specific technological defences, and that – at least for now – it remained voluntary, though in the questions section it was once again hinted that regulation may follow.
“The federal government cannot do this alone,” the official said in closing. “Securing our critical infrastructure requires a whole-of-nation effort, and industry has to do their part. These may be voluntary, but we hope and expect that all responsible critical infrastructure owners and operators will apply them.”