Biden signs national security memo on critical infrastructure cybersecurity

President Joe Biden signed a National Security Memorandum Wednesday that will improve the security of operational systems that run the nation’s pipelines and power grids.

The initiative is aimed at critical infrastructure and formalizes the Industrial Control System (ICS) Cybersecurity Initiative, which was launched in April and included a pilot program for the electricity sector.  The memorandum also directs the Departments of Commerce and Homeland Security (DHS) to draw up a list of cybersecurity performance goals to help utilities and other companies improve their individual capabilities.

“Those of you who have reported on critical infrastructure know that federal cybersecurity regulation in the U.S. is sectoral,” a senior administration official said on a conference call with reporters this week. “We have a patchwork of sector-specific statutes that have been adopted piecemeal, typically in response to discrete security threats in particular sectors that gained public attention.”

A major goal of the ICS Initiative is deploying interconnected sensor technology that will increase the visibility of events taking place within the operational systems in order to detect intrusions more quickly, and also improve the sharing of information about active hacker threats between the federal government and the industry.  “We cannot address threats we cannot see; therefore, deploying technologies that can monitor control systems and detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems,” the memorandum said.

The senior official added that the technologies would have prevented the shutdown of the Colonial Pipeline by a ransomware attack in May because “they connect the operational technology side of the network to the IT side of the network.”

Biden’s action Wednesday was quickly supported by U.S. Sen. Mark Warner (D-VA), the chairman of the U.S. Senate Select Committee on Intelligence. Warner is a sponsor of the Cyber Incident Notification Act of 2021, S. 2407, which will make it mandatory for infrastructure operators to report an intrusion into their IT systems within 24 hours of discovery. “We know that in order to mitigate the aftermath of these cyberattacks, we need open communication and transparency from affected entities to better anticipate and respond to these national security threats,” Warner said in a written statement. “Unfortunately, for too long we’ve relied heavily on voluntary reporting of these cyber intrusions which has limited our ability to effectively respond.”

The ICS Initiative is already up and running in the electricity sector as a pilot program. The response has been highly positive with more than 150 utility companies taking part.

“While individual companies monitor these systems, deploying sensors across the electric power sector will provide additional insights and enhance the government-industry partnership,” said Edison Electric Institute (EEI) President Tom Kuhn. “At this time, more than 85 percent of EEI’s member companies that own and operate the prioritized control systems that this initiative focuses on already are participating.”

A separate strategy under the ICS Initiative is being developed for natural gas pipelines later this year followed by plans for the chemical industry and waste-water treatment plants.

The Transportation Security Administration last week sent an official Security Directive to pipeline owners and operators requiring them to review their cybersecurity programs and also designate an official coordinator within their companies to oversee those plans. The directive requires pipelines to implement contingency plans for recovery from a cyberattack and conduct an annual review of cybersecurity architecture.