On July 28, 2021, President Biden issued a Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. The Memo recognizes that the protection of the nation’s critical infrastructure lies not only with government, i.e., at the federal, state, local, tribal, and territorial levels, but with critical infrastructure owners and operators. In addition, the Memo states that cybersecurity threats to critical infrastructure, and the systems that control and operate it, “are among the most significant and growing issues confronting our Nation…[and] the degradation, destruction, or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of the United States.” While Section 1 of the Memo provides a skeletal outline of the Administration’s policy concerns regarding safeguarding critical infrastructure, Sections 2-4 put the meat on the bones.
Section 2 establishes a voluntary effort, the Industrial Control Systems Cybersecurity Initiative (“Initiative”), between the Federal Government and the critical infrastructure community, aimed at improving critical infrastructure cybersecurity. According to the Memo, the Initiative seeks to defend critical infrastructure by expanding the deployment of systems that increase threat visibility, detection and warning. The Initiative would also focus on technologies that enhance cybersecurity response capabilities in both control and operational settings.
In Section 3, the Memo calls on the Federal Government, in collaboration with industry stakeholders, to address cybersecurity threats by calling for the deployment of technologies capable of detecting malicious activity within control functions. It emphasizes enhancing owners and operators’ ability to take responsive actions to cyber threats. The Memo states that the “Federal Government will work with industry to share threat information for priority control system critical infrastructure throughout the country.” According to the Memo, a pilot program is already in play in the electricity industry, which will be followed by action in the natural gas pipeline sector; further action in the water and chemical sectors will follow later this year. Section 3 also mandates that sector risk management agencies, as defined by federal law, along with other executive departments and agencies, “work with critical infrastructure stakeholders and owners and operators to implement the principles and policy outlined” in the Memo.
Recognizing that cybersecurity measures and practices may not be consistent across critical infrastructure sectors, Section 4 promotes the importance of adopting “baseline cybersecurity goals.” Not only would these baselines be consistent across all critical infrastructure sectors, but they would also include baseline security controls for any critical infrastructure whose operations are dependent on control systems. According to the Memo, these performance goals should “serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services.”
Based on authority previously established in Executive Order 13636 of February 12, 2013, Section 4 of the Memo requires the Secretary of Homeland Security, in coordination with the Secretary of Commerce and other agencies, to develop and issue cybersecurity performance goals for critical infrastructure to further a common understanding of the baseline security practices for critical infrastructure owners and operators. The Memo requires that these preliminary goals for control systems across critical infrastructure sectors be developed no later than September 22, 2021. It further requires the issuance of final cross-sector control system goals within one year of the Memo’s issuance.
Finally, the Memo mandates that, after consulting with relevant agencies, the Secretary of Homeland Security must issue sector-specific critical infrastructure cybersecurity performance goals, also within one year of the date of the Memo.
The Administration’s issuance of the Memo is the latest effort at the federal level to address ever-growing concerns regarding cyberattacks aimed at the nation’s critical infrastructure. These concerns have moved from speculative to actual based on recent highly publicized ransomware attacks on critical infrastructure. While well-intentioned, the Memo, unfortunately, fails to address the existing segmented, patchwork oversight at the federal level, particularly in the energy sector; nor does it provide any comprehensive directive to consolidate oversight in a single, lead agency. Until Congress takes the bull by the horns and addresses the cybersecurity leadership void, cyber criminals will continue to exploit the vacuum.