Wednesday, July 28, 2021

Biden Issues Memorandum for Improving ICS Cybersecurity

Today, the White House published “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems”. It notes that: “The cybersecurity threats posed to the systems that control and operate the critical infrastructure on which we all depend are among the most significant and growing issues confronting our Nation.” The Memorandum goes on to establish and outline the goals for the Industrial Control Systems Cybersecurity Initiative.

Section 2 of the memo states that: “The primary objective of this Initiative is to defend the United States’ critical infrastructure by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks.”

In Section 3, it goes on to say: “We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems.”

To support this initiative, the Memorandum requires DHS to issue:

By 9-22-21, preliminary goals for control systems across critical infrastructure sectors,

By 7-28-21, final cross-sector control system goals, and

By 7-28-21, sector-specific critical infrastructure cybersecurity performance goals.


DHS is also directed to look at whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure. 

1 comment:

Jake Brodsky said...

The intent is good. I'm not so sure about the execution. I've seen efforts to impose security from an outside agency that has little other responsibility besides security. It almost never goes well. Security is not a goal. It's a property that enhances availability or resiliency of a control system.

I have a lot of respect for what CISA does. However, they cannot be the ones to enforce security on industries that they are not responsible for in any other capacity. That should come from the EPA in water, FERC in Energy, and so on. I would vastly prefer to see CISA become a research, integration, and intelligence distribution agency --much as they're doing now.

/* Use this with templates/template-twocol.html */