On July 28, 2021, President Biden signed a National Security Memorandum entitled “Improving Cybersecurity for Critical Infrastructure Control Systems” (the “Memorandum”). The Memorandum formally establishes an Industrial Control Systems Cybersecurity Initiative and directs the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) and the Department of Commerce’s National Institute of Standards and Technology (“NIST”), in collaboration with other agencies, to develop and issue cybersecurity performance goals for critical infrastructure. The Memorandum follows recent high-profile attacks on U.S. critical infrastructure, including ransomware attacks on Colonial Pipeline and JBS Foods.
Industrial Control Systems Cybersecurity Initiative
In line with the Biden Administration’s policy to safeguard the critical infrastructure of the U.S., the Memorandum establishes the Industrial Control Systems Cybersecurity Initiative (the “ICS Initiative”). The ICS Initiative is a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to improve the cybersecurity of systems supporting national critical functions.
Primarily, the ICS Initiative aims to defend critical infrastructure by encouraging, facilitating and expanding the deployment of technologies and systems to monitor and detect malicious activity and facilitate appropriate responses to cyber threats. Through the ICS Initiative, the Federal Government will work with industry to share threat information for priority control system critical infrastructure throughout the U.S.
A pilot effort of the ICS Initiative was launched within the electricity subsector in April 2021. As a result, over 150 electricity utilities representing almost 90 million customers are either deploying or have agreed to deploy control system cybersecurity technologies. A similar effort for natural gas pipelines is underway and will be followed by additional initiatives in the water, wastewater and chemical sectors later this year.
Critical Infrastructure Cybersecurity Performance Goals
The Memorandum acknowledges the need for baseline cybersecurity goals, consistent across all critical infrastructure sectors, as well as a need for security controls for select critical infrastructure that is dependent on control systems.
The Memorandum directs CISA and NIST, in collaboration with other agencies, to develop these goals, which are intended to further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public safety.
As a first step in this effort, the Secretary of Homeland Security is required to issue preliminary goals for control systems across critical infrastructure sectors by September 22, 2021. Final cross-sector control systems goals are to follow by July 28, 2022. Furthermore, following consultations with relevant agencies, the Secretary of Homeland Security is required to issue sector-specific critical infrastructure cybersecurity performance goals by July 28, 2022.