Last month, the Biden administration issued the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. Given the recent increase in attacks on industrial operations that could impact the nation's manufacturing capabilities, this is a much-needed step to protect US critical infrastructure from cyber-attacks. This move comes on the heels of the Cybersecurity and Infrastructure Security Agency (CISA) guidance on Ransomware for OT issued in June 2021.
In the July 28 memorandum, the White House called for a "whole-of-nation" effort to secure critical infrastructure from "growing, persistent, and sophisticated cyber-threats" that could have "cascading physical consequences [and]…a debilitating effect on national security, economic security, and the public health and safety of the American people."
The memorandum and the earlier CISA guidance on ransomware for OT are critical steps needed to establish standards for preparing, mitigating and responding to cyber-attacks that target critical infrastructure. With increasingly complex IT and OT systems playing a pivotal role in manufacturing everything from semiconductors to personal protective equipment to the food we eat, the attack surface of critical infrastructure has expanded well beyond these once isolated systems.
The memorandum calls for the creation of cyber-performance goals for critical-infrastructure companies, including the establishment of baseline cybersecurity performance standards consistent across all critical-infrastructure sectors. As OT environments have become increasingly more complex and dynamic to improve the efficiency and reliability of operations, so too have the cybersecurity risks. By establishing consistent, baseline cybersecurity standards, manufacturers can begin to address this risk holistically.
CISA and the US government should take an open, technology-neutral, standards-based approach in developing these goals that help manufacturers gain deep situational awareness across their converged IT/OT environments, as well as improve security and control. This isn’t an easy task, but through a strong, continuous-monitoring program, it is possible. The truth is that the old way of assessing your digital security—snapshots of the risks and vulnerabilities present in these systems on an annual basis—isn’t enough. Organizations need to continuously evaluate their security posture and risk in real-time.
Another substantive push of these government actions is establishing the Industrial Control Systems (ICS) Cybersecurity Initiative. The ICS Initiative is a voluntary, collaborative effort between the federal government and the critical-infrastructure community to protect US critical infrastructure "by encouraging and facilitating the deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks," with a primary goal of "greatly expand[ing] deployment of these technologies across priority critical infrastructure."
The initiative began in mid-April with an electricity-subsector pilot; launching a similar program for manufacturing companies is a smart, easily achievable goal. The program would bring together companies to share threat information and best practices on how to best secure their connected OT equipment. This whole-of-government initiative must build on the previous industrial-control systems security efforts that are already in place by various departments and agencies, such as the Control Systems Working Group that I currently co-chair with CISA.
Last month's National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems was an important step toward improving the cybersecurity posture of our critical infrastructure. Manufacturers should take note of the guidelines and recommendations set forth to ensure their operations are as safe and secure as possible.
By Marty Edwards, vice president of OT security, Tenable
