CISA’s critical infrastructure performance goals win praise, but questions remain about effectiveness
Washington policymakers have lamented for years that the mostly private critical infrastructure sectors need to do more to protect vital services from hackers, but whether newly issued guidance lives up to initial praise and finds widespread adoption is another question.
The Cybersecurity and Infrastructure Security Agency released long-awaited cross-sector cybersecurity performance goals on Thursday for critical infrastructure to provide owners and operators a quick-start guide on baseline priorities.
Those goals come after years of growing concern about the threat to critical infrastructure and more recent warnings that Russia could target the U.S. grid to retaliate for Washington’s support of Kyiv in the Ukraine war. Additionally, high-profile cyberattacks against critical infrastructure operators such as Colonial Pipeline showed just how quickly incidents targeting essential industries can have ripple effects across the entire economy.
While CISA’s performance goals are voluntary, and success depends on industry buy-in, experts suspect they could be overshadowed by incoming mandates.
Already, critical infrastructure operators will be required to report significant cyberattacks within 72 hours and the White House said that new cybersecurity rules for the water sector and health sector are coming soon. What’s more, the soon-to-be-released national cybersecurity strategy is expected to have a stronger federal approach to cybersecurity.
When she introduced the goals, CISA Director Jen Easterly said that regulatory agencies may choose to adopt some of the goals.
Overall, cybersecurity experts who focus on industrial security said the performance goals could have a positive impact, especially for smaller operators with smaller cybersecurity budgets.
“It’s the smaller shops, the ones that maybe are a regional hospital and not a major chain or others that are going to be able to look at this and say, ‘gee, we should be doing it,’ ” said Bill Bernard, area vice president of security strategy at the cybersecurity firm Deepwatch.
Bernard said that the messaging will play a large role in adoption. He pointed out that companies with enough “forward thinking” might see that additional rules are coming, such as the cyber incident reporting law and requirements from cyber insurance companies.
CISA is also planning on adding additional sector-specific goals in the coming months that could also serve as a preview for any upcoming regulations. Those incoming goals will take a closer look at the unique needs of each of the 16 critical infrastructure sectors.
While the goals are aimed at helping organizations across the critical infrastructure gamut, the addition of operational technology cybersecurity defenses earned praise from industry experts.
“CISA took extensive input and feedback from industry stakeholders and this updated guidance reflects that they were listening closely, providing actionable but not overly prescriptive guidance — exactly the type of support the community has been requesting,” Robert M. Lee, CEO of the industrial cybersecurity firm Dragos, said in a statement.
The goals point out many aspects needed for a robust OT cybersecurity defense, Lee said, pointing out that the CPG details “an incident response plan, a defensible architecture, visibility and monitoring, secure remote access, and key vulnerability management.”
“This guidance can help lift industrial cybersecurity standards across the board to better protect our nation’s critical infrastructure. CISA’s continued focus on OT cybersecurity as foundational to national security, and distinct from IT cybersecurity, is an important contribution to the community’s advancement,” Lee said.
Danielle Jablanski, an OT cybersecurity strategist at cybersecurity firm Nozomi Networks, noted that the goals are “extremely accessible” and allow an organization to choose how to adopt the practices without a sort of formalized mandate.
“There’s a lot of things that are out of [asset owners’] control, and I think this document brings them in and focuses in on what is in their control, what’s in their power and what’s in their capability to get done,” she said.
Additionally, Jablanski noted that the voluntary nature of the goals has an added benefit: Strict cybersecurity mandates could run small and medium-sized businesses out of business. “CISA really realizes that there’s this potential for strict cybersecurity regulation to price small and medium businesses out of operation and they’ve been very careful with what to mandate to avoid that kind of scenario.”
Jablanski also noted that CISA avoided common regulatory pitfalls and “didn’t recreate the wheel,” instead using the CPG to build on the National Institute of Standards and Technology’s Cybersecurity Framework.
Notably CISA also called out the long-standing cultural gap between the information technology and operational technology space. One of CISA’s checklists as part of the goals pointed out that “poor working relationships and a lack of mutual understanding between IT and OT cybersecurity can often result in increased risk for OT cybersecurity.”
Bridgette Bourge, senior director of cybersecurity at the American Public Power Association, said the checklist accompanying the goals is a good starting point for smaller entities. “I’m not sure if they realize just how much of a good gold nugget that might be,” Bourge said.
Bourge also said that the incoming sector-specific goals are more likely to be utilized by the energy sector, as they will be tailored to its specific needs.