Biden orders CISA and NIST to develop cybersecurity performance goals for critical infrastructure

The order also formally establishes the Industrial Control System Cybersecurity Initiative which was created in April.

President Joe Biden signed a memorandum on Wednesday addressing cybersecurity for critical infrastructure, ordering CISA and NIST to create benchmarks for organizations managing critical infrastructure.

The move builds on, and formalizes, an effort started in April around securing industrial control systems, which are now facing a barrage of attacks from both cybercriminals and state-backed entities. 

In a press briefing, a senior administration official explained that federal cybersecurity regulation in the US is sectoral, noting that the country has "a patchwork of sector-specific statutes that have been adopted piecemeal, typically in response to discrete security threats in particular sectors that gained public attention." 

The official added that there is no strategic, coordinated requirement for the cybersecurity of critical infrastructure.  

"To the extent, as I noted, there are mandatory cybersecurity requirements. They're either sector specific -- finance and chemical; they're mandated under state or local law, like electricity ones; or they're limited and piecemeal -- water and bulk electricity are two that we've put a lot of work into studying in the last few weeks," the official said. 

"So, our current posture is woefully insufficient given the evolving threat we face today. We really kicked the can down the road for a long time. The administration is committed to leveraging every authority we have, though limited, and we're also open to new approaches, both voluntary and mandatory. Responsible critical infrastructure owners and operators should be following voluntary guidance as well as mandatory requirements in order to ensure that the critical services the American people rely on are protected from cyber threats."

The memorandum formalizes the Industrial Control Systems Cybersecurity Initiative, which the White House said was a "voluntary, collaborative effort between the federal government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems."

The first part of the initiative started with the electricity subsector, according to a statement from the White House. The pilot will now start a second round on natural gas pipelines. Water systems, as well as wastewater sector systems and the chemical sector will be next. 

The senior administration officials said the effort has already led to over 150 electricity utilities representing almost 90 million residential customers deploying or agreeing to deploy control system cybersecurity technologies.

"These are the technologies that, had they been in place, would have blocked what occurred at Colonial Pipeline in that they connect the operational technology side of the network to the IT side of the network. The action plan for natural gas pipelines is underway, and additional initiatives for other sectors will follow later this year," the official said. 

The White House acknowledged that each organization has different cybersecurity needs but it ordered CISA and NIST to work together on creating cybersecurity baselines "that are consistent across all critical infrastructure sectors," and "security controls for select critical infrastructure that is dependent on control systems."

DHS has until September 22 to release the preliminary guidelines and one year to issue the final draft of the rules. The sector-specific rules will also be released within one year. 

"These performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services," the memorandum said.  

"That effort may also include an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our Nation."

A report by cybersecurity researchers at Trend Micro earlier this month warned that ransomware is "a concerning and rapidly evolving threat to industrial control systems endpoints globally" with a significant rise in activity during the past year. 

Of all countries covered in the report, the US has the most instances of ransomware affecting industrial control systems. The White House said almost 90 percent of critical infrastructure in the US is owned and operated by the private sector.

Recent attacks on Colonial Pipeline and meat processor JBS prompted the federal government to get serious about forcing cybersecurity measures on private companies running critical systems. The White House specifically mentioned both ransomware attacks as reasons why more stringent measures were needed.

DHS unveiled a new security directive a week ago that forces owners and operators of important pipelines to put tougher cybersecurity protections in place. 

The memorandum comes one day after Biden caused a minor stir with his comments about the ability of a cyber conflict to turn into a physical war. 

"You know, we've seen how cyber threats, including ransomware attacks, increasingly are able to cause damage and disruption to the real world," Biden told reporters on Tuesday. 

"I can't guarantee this, and you're as informed as I am, but I think it's more likely we're going to end up -- well, if we end up in a war, a real shooting war with a major power, it's going to be as a consequence of a cyber breach of great consequence. And it's increasing exponentially -- the capabilities."