Dec 20 2021

Agencies Still Developing Cybersecurity Policies for Critical Infrastructure

With the infrastructure bill signed into law, funding is now available for cybersecurity initiatives, but the federal government still has a long way to go in protecting critical infrastructure.

When the White House issued an executive order on improving the nation’s cybersecurity in May, it didn’t include many concrete details about how to achieve the goals it laid out, despite the increasingly common attacks.

However, the White House issued a follow-up statement Aug. 25 outlining the details of a meeting it held between government officials and IT leaders. In that meeting, President Joe Biden announced that the National Institute of Standards and Technology would collaborate with industry and other partners to develop a framework to improve the security and integrity of the technology supply chain. “The approach will serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software,” according to the statement. Microsoft, Google, IBM and Travelers were among the companies that committed to participate in the NIST-led initiative.

Now that Biden has signed the Infrastructure Investment and Jobs Act into law, federal agencies have the funding to transform some proposals into actionable plans to offer greater cyber defense to critical infrastructure, including the energy and utilities sector.

DHS and Department of Commerce Improve Cybersecurity

After a string of high-profile ransomware attacks this year, government officials have taken notice of the risks utilities face in the current threat landscape.

The Department of Homeland Security and the Department of Commerce released a joint statement Sept. 22 laying out some “preliminary cybersecurity performance goals” for owners and operators of critical infrastructure. In the statement, the agencies say the goals are “part of a long overdue, whole-of-government effort to meet the scale and severity of the cybersecurity threats facing our country.”

Click the banner below to unlock exclusive security content when you register as an Insider.

“It is vital that critical infrastructure owners and operators immediately take steps to strengthen their cybersecurity posture toward these high-level goals,” the statement continues. “The safety and security of the American people relies on the resilience of the companies that provide essential services such as power, water, and transportation. We look forward to further engaging with key industry stakeholders to promote these efforts to protect our national and economic security.”

Federal Agencies Recommend Cybersecurity Goals

NIST and the Cybersecurity and Infrastructure Security Agency announced nine categories of cybersecurity practices they used to develop a foundation for cybersecurity performance goals for critical infrastructure. For each goal, the organizations have established objectives they say will “support the deployment and operation of secure control systems that are further organized into baseline and enhanced objectives.”

The nine categories for which CISA lists performance goals are architecture and design; configuration and change management; continuous monitoring and vulnerability management; incident response and recovery; physical security; risk management and cybersecurity governance; supply chain risk management; system and data integrity, availability and confidentiality; and training and awareness.

Regarding its training and awareness goals, CISA offered two baseline objectives. The first is to “ensure that control system operators and administrators understand cybersecurity concepts, terminology, activities, and the threat environment associated with implementing cybersecurity recommended practices.” The second objective is to “ensure control system operators and cybersecurity personnel recognize the indicators of potential compromise and what steps they should take to ensure that a cybersecurity investigation succeeds.”

MORE FOR ENERGY AND UTILITIES: The tech trends that will shape the industry in 2022.

Tech Companies to Offer Cybersecurity Training

In its Aug. 25 fact sheet, the White House touted private sector partnerships, several of which focused on opportunities for cybersecurity training that would meet the goals CISA outlined.

Microsoft and IBM both announced programs to make cybersecurity training more available. According to the White House, “Microsoft announced it will invest $20 billion over the next 5 years to accelerate efforts to integrate cyber security by design and deliver advanced security solutions. Microsoft also announced it will immediately make available $150 million in technical services to help federal, state, and local governments with upgrading security protection, and will expand partnerships with community colleges and non-profits for cybersecurity training.”

IBM announced plans to offer training that will expand the workforce in both number and diversity. In an Aug. 30 statement, the company said, “Today, every adult has the opportunity to develop technology and professional skills regardless of background, education, or life experiences on IBM’s free learning platform — SkillsBuild. We will also partner with more than 20 Historically Black Colleges & Universities to establish Cybersecurity Leadership Centers to build a more diverse U.S. cyber workforce.”

The statement also touted the organization’s continued commitment to gender diversity for cybersecurity training. “At IBM’s CyberDay4Girls, preteen and teenage girls learn about how to protect themselves online as well as basics about threat modeling. They also get to talk with people who work in the industry to learn what it’s like and ask questions. Since the program began in 2016, more than 39,000 middle and high school girls have joined, narrowing the skills gap.”

You may not know exactly what your startup will look like in a year, but with the right collaboration tools and implementation strategy, you can ensure a smooth transition.

gorodenkoff/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT