Dealing with the Critical Infrastructure Compliance Environment in the New Year
2021 is coming to an end with major news on the critical infrastructure security front. The Australian Parliament recently passed the Security Legislation Amendment (Critical Infrastructure) Bill 2021 (SOCI Bill), amending the 2018 Security of Critical Infrastructure Act. But that’s not the only thing governments around the world are doing in the face of escalating threats to their key assets. So, what will the critical infrastructure protection compliance environment look like in the new year, and how should asset owners react?
Major changes to the critical infrastructure protection compliance environment in 2021
Well, the US Department of Justice has elevated ransomware attacks to the same priority level as terrorism.
That’s not all. The Biden Administration also introduced the National Security Memorandum (NSM) on “Improving Cybersecurity for Critical Infrastructure Control Systems,” which led to the following measures:
- The Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards and Technology (NIST), in collaboration with other agencies, developing cybersecurity performance goals for critical infrastructure.
- The establishment of the President’s Industrial Control System Cybersecurity (ICS) Initiative, a voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings.
The EU, for its part, launched the European Programme for Critical Infrastructure Protection (ECIP), a package of measures aimed at improving the protection of critical infrastructure in Europe, across all EU States, and in all relevant sectors of economic activity.
A related EU initiative, Critical Information Infrastructure Protection (CIIP), seeks to strengthen the security and resilience of vital Information and Communication Technology (ICT) infrastructures.
Technology investments to address the changing critical infrastructure protection compliance environment
Many of these measures put the onus on asset owners and operators to enhance the quality of their security processes (physical, cyber, personnel, and supply chain). What, then, can be done to meet the demands of regulators, policymakers, and customers in this changing critical infrastructure protection compliance environment?
Investing in dedicated critical infrastructure protection technologies must be part of the calculus.
What are the benefits? Well, asset owners and/or operators using these technologies can more easily demonstrate their compliance with affirmative security obligations, which require critical infrastructure asset owners and operators to (1) adopt and maintain an all-hazards critical infrastructure risk management program, (2) report serious cyber security incidents, and (3) provide ownership and operation information.
What else? Advanced critical infrastructure protection technologies come equipped with the following relevant capabilities to address the changing critical infrastructure protection compliance environment:
- Maintains key details of assets and stakeholder contacts. Operators need functionality to help them maintain details about the assets under their management. These features (e.g., overviews, mapping, assessment tables, collaboration tools, etc.) help asset owners and operators to comply with statutory requirements to identify and understand risks to their assets, mitigate those risks to prevent incidents, and implement effective governance and oversight processes to ensure continuous improvement.
- Conducts various threat assessments and inspections. A security threat assessment tool enables operators to perform an assessment based on available information, e.g., incident data, news reports, police reports, etc. This feature set is crucial to determining how vulnerable the critical infrastructure asset is to potential threats, such as terrorism, civil disorder, and insider crime.
- Disseminates notifications and products to prepare for and/or respond to planned events or incidents. This notice feature enables operators to publish (required) materials to stakeholders of the critical infrastructure asset, pursuant to regulatory requirements. These notices often provide required situational awareness updates of activities that may impact the asset or any new guidelines or regulations likely to be relevant to the asset under management.
Finally, 2021 is coming to an end with a flurry of activity in the critical infrastructure protection sphere. Asset owners and operators have their work cut out for them in the new year if they are to get on top of the changing critical infrastructure protection compliance environment. For more digital technology procurement strategies to ensure compliance and constant improvement, download our Buyer’s Guide to Critical Infrastructure Protection Software.