President Biden on Wednesday signed a new National Security Memorandum (NSM) designed to encourage owners and operators of critical infrastructures to continue to strengthen the cybersecurity of their systems that control operational technologies through voluntary measures and tasked two federal agencies to help in the effort.
But the administration stopped short of any new mandates in its attempts to continue to prod the private sector to work with the federal government in boosting the cybersecurity of industrial control systems (ICS) that, if compromised, can have cascading impacts on the economy, lives and ultimately national security.
“These may be voluntary, but we hope and expect that all responsible critical infrastructure owners and operators will apply them,” a senior administration official said Tuesday on a background call with media. The official also said the latest effort to bolster the cybersecurity of the private sector is “within the voluntary model” currently in use but added later, “And as we’ve said, we’re exploring everything we can do to mandate strengthening of cybersecurity standards.”
The official pointed to a new security directive last week from the Department of Homeland Security’s Transportation Security Administration requiring owners and operators of pipelines in the U.S. to implement specific measures to help guard their information technology and ICS from ransomware attacks. That directive and a previous one in late May took advantage of existing regulatory authorities that TSA has with the pipeline industry, which is part of the transportation sector.
The pipeline directive stemmed from a ransomware attack in early May that led pipeline operator Colonial Pipeline to briefly shut down operations, which caused fuel shortages in parts of the eastern U.S.
When it comes to current cybersecurity regulations for critical infrastructure, they are “sectoral” and “piecemeal” in targeting different sectors “typically in response to discrete security threats,” and in other cases mandated by state and local governments, the administration official said.
Asked on the media call if the administration needs to work with Congress on cybersecurity mandates, the official replied that “the current patchwork of sector-specific statutes does not enable us to say we have confidence that there is cybersecurity thresholds in place with regard to practices and with regard to technology, governance, and practices. That is something that will likely require the Hill to partner with us to address.”
The ICS Cybersecurity Initiative, outlined in NSM-5, contains two main thrusts. The first directs the DHS Cybersecurity and Infrastructure Security Agency and the Department of Commerce’s National Institute of Standards and Technology to work with other federal agencies on performance goals and standards for companies to adopt.
The second effort formally establishes the ICS Initiative, a voluntary effort launched in April as a pilot program with the electricity subsector to deploy technologies to protect control systems. So far, more than 150 electric utilities representing nearly 90 million residential customers are engaged in the program.
The White House said an action plan is underway to extend the ICS Initiative to the natural gas pipeline industry and that additional industrial sectors will be included later this year.