President Joe Biden signed a National Security Memorandum (NSM) on “Improving Cybersecurity for Critical Infrastructure Control Systems” that established an Industrial Control Systems (ICS) Cybersecurity Initiative, a new program designed to help the owners and operators of industrial critical cyber infrastructure with new standards and information. This effort follows and builds upon the 100 day sprints some of the agencies with responsibility over critical infrastructure sectors have already commenced (and these are not to be confused with these 60 day cybersecurity sprints). Participation in the program would be entirely voluntary, and Biden Administration officials admitted they lack the power in many sector to compel private sector entities to comply as the Department of Homeland Security’s Transportation Security Administration recently ordered pipeline operators to do. What’s more, there is legislation that may soon get sent to the White House that pertains to ICS and could overlap with the ambit of the NSM.
The best place to start is with the background call with “senior administration officials” the day before the NSM was released. One official contextualized the new directive:
- So, first, just to kind of put in context the administration’s overall approach to cybersecurity, as I’ve talked about in the past, our approach to addressing cyber threats have three lines of effort.
- First: Modernizing our defenses. Modernizing national defenses, federal government, state and local government critical infrastructure, incentives to the broader private sector, so that they’re modern enough to meet the threat.
- Second: Rebuilding our presence on the international stage. The work we’re doing to build coalitions — for example, to counter ransomware. The outreach we’re doing, you saw in the G7, where we brought countries together — the recent attribution of the Hafnium incident, MSS, with a very large number of countries joining us. We’re really putting a focus on collective defense and on moving out together with other countries.
- And, then, finally: Ensuring the nation is postured to compete. And that deals with ensuring we have all instruments of national power needed and the policies to enable their use as needed.
This senior administration official continued:
- So, those of you who have reported on critical infrastructure know that federal cybersecurity regulation in the U.S. is sectoral. We have a patchwork of sector-specific statutes that have been adopted piecemeal, typically in response to discrete security threats in particular sectors that gained public attention.
- So, our current posture is woefully insufficient given the evolving threat we face today. We really kicked the can down the road for a long time. The administration is committed to leveraging every authority we have, though limited, and we’re also open to new approaches, both voluntary and mandatory.
- Responsible critical infrastructure owners and operators should be following voluntary guidance as well as mandatory requirements in order to ensure that the critical services the American people rely on are protected from cyber threats.
This would not be the only time on this call where a Biden Administration official admitted the executive branch lacks the authority to compel compliance with cybersecurity directives. However, the White House is not proposing to send legislation up to Capitol Hill, nor does it call for these powers with emphasis.
The White House did, however, provide more detail on the TSA’s recently issued but not publicly released security directive to pipelines:
And as we’ve said, we’re exploring everything we can do to mandate strengthening of cybersecurity standards. You saw, last week, DHS’s Transportation Security Administration announced the second Security Directive for critical pipeline owners and operators. It will require owners and operators of pipelines that transport hazardous liquids and natural gas to implement a number of urgently needed protections, including implementing specific mitigation measures to protect against ransomware attacks and other known threats, IT and OT, within prescribed timeframes; developing and implementing a cybersecurity contingency and recovery plan; conducting an annual cybersecurity architecture design review.
The official continued:
So, again, the federal government can’t do this alone, and securing our critical infrastructure requires a whole-of-nation effort. This National Security Memorandum, the ICS Cybersecurity Initiative, TSA’s Security Directives, and foundationally, the President’s Executive Order on Improving the Nation’s Cybersecurity that he signed back in May all are parts of our focused and aggressive continuing effort to address these significant threats to our nation within that first line of modernizing defense of our cybersecurity — of the administration’s cybersecurity strategy.
In summary, the White House is implicitly admitting that U.S. critical infrastructure that brings Americans electricity and water, takes away and processes wastewater and secures its chemicals have fundamental weaknesses to cyber attacks. Moreover, the U.S. government may be powerless to order the private sector companies that run these entities to implement basic cyber hygiene and security. The Administration is essentially asking these entities nicely and bringing to bear the limited pressure it can to get these companies to act in their own long-term interest, which incidentally dovetails with the public interest. Of course, short-term interests would largely argue against these companies complying in any ways that would cost them significant resources.
The senior administration official conceded among a number of sectors the U.S. government cannot order companies to institute better cybersecurity. However, there is interest in legislation changing the status quo:
So, we have a patchwork of sector-specific statutes today that really have been adapted piecemeal. And we feel that the administration — the government’s responsibility is to feel confident that critical services that the American public rely on have the modernized defenses to ensure that they can continue to deliver the critical services they do. And the current patchwork of sector-specific statutes does not enable us to say we have confidence that there is cybersecurity thresholds in place with regard to practices and with regard to technology, governance, and practices. That is something that will likely require the Hill to partner with us to address.
However, on Capitol Hill there may not be an appetite for such legislation. In response to the massive SolarWinds, Microsoft Exchange Servers, and Accellion hacks, the most significant legislation stakeholders have proposed thus far would merely mandate the reporting of cyber incidents that occur in critical cyber infrastructure.
Nonethelss, the official stressed the lack of legal means to require cybersecurity standards when she said “short of legislation, there isn’t a comprehensive way to require deployment of security technologies and practices that address, really, the threat environment that we face.”
Turning to the NSM, the White House explained that the Industrial Control Systems Cybersecurity Initiative (Initiative) is “a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.” The Administration continued:
The primary objective of this Initiative is to defend the United States’ critical infrastructure by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks. The goal of the Initiative is to greatly expand deployment of these technologies across priority critical infrastructure.
So, again, through either limitations on the President’s authority or a perceived or real lack of receptivity for a mandatory regime, this White House, much like the previous three, is rolling out another cybersecurity effort in which critical infrastructure owners and operators do not have to participate. Additionally, a point I’ve made many times: the U.S. already has a cyber information sharing system housed at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
The White House further claims:
The Initiative builds on, expands, and accelerates ongoing cybersecurity efforts in critical infrastructure sectors and is an important step in addressing these threats. We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems. The Federal Government will work with industry to share threat information for priority control system critical infrastructure throughout the country.
The White House is planning a phased rollout among four critical sectors this year:
The Initiative began with a pilot effort with the Electricity Subsector, and is now followed by a similar effort for natural gas pipelines. Efforts for the Water and Wastewater Sector Systems and Chemical Sector will follow later this year.
But, it appears the Biden Administration is directing all sector-specific agencies and others must work with critical infrastructure owners and operators to implement better cybersecurity per the NSM:
Sector Risk Management Agencies, as defined in section 9002(a)(7) of Public Law 116-283, and other executive departments and agencies (agencies), as appropriate and consistent with applicable law, shall work with critical infrastructure stakeholders and owners and operators to implement the principles and policy outlined in this memorandum.
The White House laid out a plan to develop and ideally persuade the adoption of “cybersecurity performance goals,” a term that that is undefined in the NSM. Presumably, this would entail setting specified benchmarks and standards for critical infrastructure owners and operators to meet to ensure a baseline of security. Again, this is undefined, and one can discern what the Administration means through context.
Nonetheless, the NSM provides:
- DHS and the National Institute of Standards and Technology (NIST) “shall develop and issue cybersecurity performance goals for critical infrastructure to further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.”
- The NSM directs DHS to start by “issuing preliminary goals for control systems across critical infrastructure sectors no later than September 22, 2021, followed by the issuance of final cross-sector control system goals within 1 year of the date of this memorandum.”
- DHS would then “issue sector-specific critical infrastructure cybersecurity performance goals within 1 year of the date of this memorandum…[that] should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services.”
- The White House added “[t]hat effort may also include an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our Nation.”
It bears some emphasis that the last stage of this process is determining whether additional legal authorities are needed, which is an odd exercise given the statements made by senior administration officials about the limits to and gaps in U.S. government authority to direct private sector entities to implement certain standards.
As mentioned above, Congress may soon augment DHS and CISA’s roles and abilities to help critical infrastructure that uses or involves industrial control systems (ICS) of the sort that were nearly hacked in a Florida wastewater plant. The “DHS Industrial Control Systems Capabilities Enhancement Act of 2021” (H.R.1833/S.2349) passed the House late last month, and the chairs of the Senate Homeland Security and Governmental Affairs and Senate Intelligence Committees introduced a companion measure in the other body.
In terms of what type of infrastructure uses ICS, NIST explained in NIST SP 800-82, Rev. 2, “Guide to Industrial Control Systems (ICS) Security:”
ICS are found in many industries such as electric, water and wastewater, oil and natural gas, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods).
Consequently, the bill would expand the statutory mandate for CISA’s National Cybersecurity and Communications Integration Center (NCCIC) (that may have undergone a rebranding as CISA Central—unfortunately DHS’s messaging is not clear on this point) over ICS:
The Director shall maintain capabilities to identify and address threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure processes. In carrying out this subsection, the Director shall—
(1) lead Federal Government efforts, in consultation with Sector Risk Management Agencies, as appropriate, to identify and mitigate cybersecurity threats to industrial control systems, including supervisory control and data acquisition systems;
(2) maintain threat hunting and incident response capabilities to respond to industrial control system cybersecurity risks and incidents;
(3) provide cybersecurity technical assistance to industry end-users, product manufacturers, Sector Risk Management Agencies, other Federal agencies, and other industrial control system stakeholders to identify, evaluate, assess, and mitigate vulnerabilities;
(4) collect, coordinate, and provide vulnerability information to the industrial control systems community by, as appropriate, working closely with security researchers, industry end-users, product manufacturers, Sector Risk Management Agencies, other Federal agencies, and other industrial control systems stakeholders; and
(5) conduct such other efforts and assistance as the Secretary determines appropriate.
And yet, as has often been the case, the bill neither authorizes more funding nor appropriates more funding, meaning that the agency will either have to do more with the funding it gets (a common outcome) or, just as likely, the bill’s sponsors will press both the Administration and the Appropriations Committees for additional funding.
As to the substance of what CISA would do, its list of responsibilities is fairly standard. It would use its presumably superior detection abilities to identify and track threats to ICS systems that owners and operators could then be altered about. CISA would offer guidance, know how, and help in the event an ICS system is attacked or compromised. CISA would also serve as a clearinghouse for cyber threat information providing it on demand to entities with ICS. CISA would also have to work with other agencies with responsibilities over such systems like the Department of Energy, Environmental Protection Agency, and others.
And, should this bill be enacted as written, CISA and NIST’s initiative under the NSM would likely inform and change the types of assistance and guidance NCCIC/CISA Central would provide to entities with critical ICS.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.