Amid the high-profile cyberattacks of the last year, President Joe Biden released a National Security Memorandum (NSM) on Improving Cybersecurity for Critical Infrastructure Control Systems, which sets out how the government wants to improve cybersecurity for those systems.
The NSM states: “As we have seen, the degradation, destruction, or malfunction of systems that control this infrastructure can have cascading physical consequences that could have a debilitating effect on national security, economic security, and the public health and safety of the American people.” Whether the threat has been aimed at the food industry, pipelines, hospitals or somewhere else, cyberattacks affect all sectors of the national infrastructure.
“Today President Biden signed a new National Security Memorandum (NSM) to implement long overdue efforts to meet the scale and severity of the cybersecurity threats our country continues to face,” said a joint statement from Secretary of Homeland Security Alejandro N. Mayorkas and Secretary of Commerce Gina M. Raimondo. “This NSM takes a key step toward improving the cybersecurity of critical infrastructure by directing the Departments of Homeland Security and Commerce to work together, alongside other agencies, in developing cybersecurity performance goals that set a clear, easy-to-understand security baseline. The safety and security of the American people rely on the resilience of the companies that provide essential services such as power, water, and transportation. The establishment of cybersecurity performance goals marks important progress toward this goal. We look to responsible critical infrastructure owners and operators to follow voluntary guidance in order to ensure that the critical services the American people rely on are protected from cyber threats, and we are committed to working closely with our partners in the private sector to promote proactive cybersecurity practices that will protect our national and economic security.”
To combat these cyberattacks on U.S. critical infrastructure, the NSM states that the Departments of Homeland Security and Commerce and other agencies are to set the cybersecurity standards for companies that provide critical services.
While the needs are different for each critical infrastructure sector, the memorandum states that there should be a baseline of cybersecurity goals set by Sept. 22, 2021. The performance goals are to give critical infrastructure owners and operators best-practice guidance on “cybersecurity practices and postures.”
There is also a need for security controls for critical infrastructure that is reliant on control systems, work that is planned to be done by this time next year. This effort may in turn indicate whether additional legal measures are necessary to strengthen the cybersecurity posture of critical infrastructure.
The NSM also establishes the President’s Industrial Control System Cybersecurity (ICS) Initiative, “a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.” This means the technologies and systems developed to help prevent cyberattacks can be distributed across the nation to critical facilities that need to be better defended, which would allow the owners and operators to take their own responsive actions to cyber threats.
The initiative started with a pilot program within the electricity subsector earlier this year. For now, efforts will focus on natural gas pipelines, but they will move on to the water, wastewater and chemical sectors later this year.
The NSM is the latest effort at the federal level to address increasing cybersecurity concerns amid attacks on critical infrastructure, such as those on Colonial Pipeline and JBS Foods. It stresses that the government alone cannot fix everything; true cybersecurity requires government agencies and private industry alike to come together. This memorandum does not repair the damage already done, but it does take steps toward strengthening cybersecurity for the U.S.