New Regulations to Protect Vulnerable Critical Infrastructure Assets
The COVID-19 crisis has only magnified the vulnerability of critical infrastructure in advanced economies. These assets, so important to the well-functioning of societies, have become the targets of an unprecedented wave of cyberattacks, with ransomware attacks on the Colonial Pipeline and JBS Foods only the most recent, high-profile examples. What are governments doing to protect their vulnerable critical infrastructure assets?
Sectoral regulations to safeguard critical infrastructure assets
We reported a few months ago that the Biden Administration had taken an important step to shore up critical infrastructure assets in the U.S.
In the wake of the Colonial Pipeline shutdown, the Transportation Security Administration (TSA) mandated immediate action and ongoing compliance by energy actors. The gist of the regulations requires owners and operators of hazardous liquid and natural gas pipelines or liquefied natural gas facilities to:
- Notify TSA that their pipeline systems or facilities are indeed critical
- Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA). Reportable events can be:
- Unauthorised access to Information or Operational Technology systems
- Discovery of malicious software on an Information or Operational Technology system
- Activity resulting in a denial of service to any Information or Operational Technology system
- A physical attack against network infrastructure
- Any other cybersecurity incident that results in operational disruption to the Owner/Operator’s Information or Operational Technology systems or other aspects of the Owner/Operator’s pipeline systems or facilities, or otherwise has the potential to cause operational disruption that adversely affects the safe and efficient transportation of liquids and gases.
- Designate a cybersecurity coordinator who will always be available to the TSA and CISA
- Immediately conduct internal security assessments for the purpose of reporting the results no later than 28 June 2021
Biden Administration casts a wider net to safeguard critical infrastructure assets
Acknowledging the limitations of a sectoral-specific approach, the Biden Administration issued newer regulations towards the end of July 2021. At that time, the President signed a National Security Memorandum (NSM) on “Improving Cybersecurity for Critical Infrastructure Control Systems.”
What does the NSM address? The cybersecurity regulations seek to compel critical infrastructure asset owners to implement so-deemed “long overdue efforts” to meet the threats their assets face. More precisely, the NSM covers the following:
- Directs the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards and Technology (NIST), in collaboration with other agencies, to develop cybersecurity performance goals for critical infrastructure.
- Formally establishes the President’s Industrial Control System Cybersecurity (ICS) Initiative. The ICS initiative is a voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings. This initiative widens the Electricity Subsector pilot, begun earlier this year, with an action plan for natural gas pipelines already underway and additional initiatives for other sectors to follow soon after.
If these measures resemble what’s happening in Australia, you’re right. Australia has come out with broad reforms to boost the resilience of its critical infrastructure assets against physical, cyber, and personnel security threats as well as supply chain. To learn more about what’s happening, read our Guide to Understanding the Updates to the Security of Critical Infrastructure Act: