Following a series of major ransomware attacks, including one against Colonial Pipeline, which provides the East Coast with 45 percent of its gasoline, jet fuel and diesel, President Biden issued a National Security Memorandum (“the Memorandum”) last week intended to improve cybersecurity for critical infrastructure systems. The Memorandum follows the Biden Administration’s Executive Order, entitled “Improving the Nation’s Cybersecurity” (EO), which was issued immediately following the Colonial Pipeline cyberattack in May. The EO made a clear statement of the Administration’s cybersecurity policy:
“It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.”
In the latest Memorandum, the Administration posited that the country’s critical infrastructure is a responsibility of both the government and private owners/operators of that infrastructure. Any threat to that infrastructure is deemed a threat to the country’s national and economic security. Critical infrastructure includes dams, energy, critical manufacturing, food and agriculture, and water and wastewater systems.
As a result, the Administration established an Industrial Control Systems Cybersecurity Initiative (the “Initiative”) that will be a voluntary, collaborative effort between the federal government and members of the critical infrastructure community aimed at improving voluntary cybersecurity standards for companies that provide critical services.
The primary objective of the Initiative is to encourage, develop, and enable deployment of a baseline of security practices, technologies and systems that can provide threat visibility, indications, detection, and warnings that facilitate response capabilities in the event of a cybersecurity threat. According to the President’s Memo, “we cannot address threats we cannot see.”
The Initiative already had been undertaken with the electricity subsector and will now result in similar efforts with natural gas pipelines, followed by water and wastewater, and chemical sectors later this year. According to news reports, more than 150 power industry utilities have enrolled in the voluntary program.
The Initiative will be coordinated by the Department of Homeland Security, which is being directed to issue preliminary performance goals for control systems for all sectors no later than September 22, 2021, followed by sector-specific system goals within one year. These performance goals aim to serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services, to “protect national and economic security, as well as public and health safety”.
The U.S. government continues to ramp up efforts to strengthen its cybersecurity, and we can expect states to continue to legislate and regulate in this area. Businesses across all sectors will likely experience pressure to evaluate their data privacy and security threats and vulnerabilities and adopt measures to address their risk and improve compliance.