December 22, 2024
Biden Launches ICS Cybersecurity Initiative
New Critical Infrastructure Program to Build on April Electricity Actions
The White House
President Biden announced a cybersecurity initiative for U.S. critical infrastructure, building on one launched in April for the electric sector.

Calling cybersecurity threats to critical infrastructure “among the most significant and growing issues confronting our nation,” the Biden administration on Wednesday announced an initiative to strengthen cyber defenses in industrial control systems (ICS) at “priority critical infrastructure” systems.

The Industrial Control Systems Cybersecurity Initiative will comprise a “voluntary, collaborative effort between the federal government and the critical infrastructure community” focused on accelerating the deployment of cybersecurity technologies in essential ICS and operational technology (OT) networks. The effort will deploy systems and technologies that target capabilities, including threat visibility, indications, detection and warnings, along with cybersecurity response, according to a National Security Memorandum issued on Wednesday.

“We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems,” the White House said in the memorandum.

Wednesday’s announcement comes on the heels of a speech in which Biden warned that “a real shooting war with a major power” is a “more than likely [result] of a cyber breach of great consequence,” according to Reuters. In recent months a number of cyberattacks against major U.S. companies such as Colonial Pipeline and JBS USA have led cybersecurity experts and government officials to call for stronger action to secure U.S. critical infrastructure. (See King, Mandia Warn of ‘Unlimited’ Cyber Dangers.)

Cyber Performance Goals on the Way

The new initiative builds on one begun in April, although the earlier 100-day “sprint” applied only to the electricity industry. (See Biden Reinstates Trump Supply Chain Order.) Wednesday’s memorandum expands that program to cover natural gas pipelines. Similar measures aimed at the water, wastewater and chemical sectors will begin later this year.

According to a White House fact sheet, more than 150 electric utilities representing almost 90 million residential customers have either deployed or have agreed to deploy control system cybersecurity technologies since the earlier initiative began. That effort, led by the Department of Energy’s Office of Cybersecurity, Energy Security and Emergency Response (CESER), encouraged utilities to:

  • invest in “technologies and systems that enable near-real-time situational awareness and response capabilities” in ICS and OT networks;
  • deploy technology or processes that enhance their detection, mitigation and forensic capabilities; and
  • improve the cybersecurity posture of critical infrastructure information technology networks.

In addition to formalizing the April initiative and applying it to more sectors, Wednesday’s memorandum also directs the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards and Technology (NIST) to implement “cybersecurity performance goals for critical infrastructure.”  

The aim of these performance goals is to establish a set of “baseline security practices” that should be followed by critical infrastructure owners and operators across sectors. Homeland Security Secretary Alejandro Mayorkas will issue preliminary cross-sector goals no later than Sept. 22, with final cross-sector and sector-specific goals to follow within one year of the memorandum.

In a call with reporters, a senior administration official labeled the initiative “the first steps” toward securing U.S. critical infrastructure but warned that, “short of legislation,” this type of public-private partnership is limited in how far it can go.

“The government’s responsibility is to feel confident that critical services that the American public [relies] on have the modernized defenses to ensure that they can continue to deliver the critical services they do,” the official said. “And the current patchwork of sector-specific statues does not enable us to … have confidence that there [are] cybersecurity thresholds in place. … That is something that will likely require [Congress] to partner with us to address.”

FERC & FederalStandards/Programs

Leave a Reply

Your email address will not be published. Required fields are marked *