On Wednesday, President Biden signed a National Security Memorandum that aims to improve national cybersecurity.
It directs the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards and Technology (NIST) to collaborate with other agencies to develop cybersecurity performance standards for companies across the US that provide essential services like power, water, and transportation. When systems that control these vital infrastructures malfunction or are interrupted because of an incident such as a ransomware attack, it can jeopardize national security, economic security, as well as public health and safety.
The memorandum also formally establishes the President’s Industrial Control System Cybersecurity (ICS) Initiative, which is a voluntary, collaborative effort between the federal government and the critical infrastructure community to establish systems that can detect cyberthreats and send timely alerts. The ICS Initiative kicked off in mid-April with an Electricity Subsector pilot, in which the Department of Energy worked with over 150 electricity utilities to plan and deploy cybersecurity tech for their control systems. Officials also gathered a number of utility and pipeline CEOs to brief them on cybersecurity threats.
The Department of Homeland Security’s Transportation Security Administration (TSA) rolled out a directive earlier this year requiring critical pipeline owners and operators to report cybersecurity incidents as well as have their current practices reviewed by a designated Cybersecurity Coordinator after a major petroleum pipeline was attacked by ransomware in May.
[Related: How a ransomware attack shut down a major US fuel pipeline]
And last week, the TSA issued a second directive which requires owners and operators of pipelines that transport hazardous liquids and natural gas to instate measures that can protect against ransomware and other cyber attacks. They also require the development of a recovery plan. Owners will have to review their cybersecurity design every year.
“Recent high-profile attacks on critical infrastructure around the world, including the ransomware attacks on the Colonial Pipeline and JBS Foods in the United States, demonstrate that significant cyber vulnerabilities exist across U.S. critical infrastructure, which is largely owned and operated by the private sector,” a senior administration official said in a press call on Tuesday evening, according to a transcript of the discussion.
The National Security Memorandum, the Industrial Control System Cybersecurity Initiative, and the Transportation Security Administration’s Security Directives all feed into the administration’s continuing effort to modernize the national cybersecurity defense. The administration has also been in talks with other countries about building a collective defense.
[Related: What Biden’s big executive order means for the internet, air travel, and more]
However, as of today, there’s no strategic, coordinated requirement for the cybersecurity of critical infrastructure in the US. The senior administration official noted in the call that mandatory cybersecurity requirements are either sector-specific (in the case of finance and chemical), regulated by state or local law (like for electricity), or they’re limited and piecemeal (like for water and bulk electricity).
“Securing our critical infrastructure requires a whole-of-nation effort, and industry has to do their part. These may be voluntary, but we hope and expect that all responsible critical infrastructure owners and operators will apply them,” the senior official said. “We can’t stress it enough that they owe that to the Americans that they serve for these critical services to have more resilience… We’re starting with voluntary, as much as we can, because we want to do this in full partnership. But we’re also pursuing all options we have in order to make the rapid progress we need.”