During the past year, the Biden administration has issued several standards and mandates across critical infrastructure sectors, from water to transportation. Critical infrastructure is unique because nearly every United States citizen depends on a critical national infrastructure (CNI) entity every day, whether they realize it or not. So, when one of those CNI entities is compromised, the impact is often felt on a personal level. Just look at the Colonial Pipeline breach: Lines at gas stations were longer than ever as Americans feared a drastic fuel shortage.
The Biden administration's efforts to strengthen these sectors are well-intentioned and certainly demonstrate that the US government is taking cybersecurity threats seriously. These efforts are worthy of recognition because previous administrations haven't always prioritized cybersecurity strength. Intentions aside, however, these reporting mandates and standards are likely to prove ineffective and even dangerous.
One of the main issues industrial control systems (ICSs) and operational technology (OT) systems face today is a lack of visibility. You can't secure what you can't see, and surveys have repeatedly shown that the vast majority of organizations have limited visibility into their ICS environments, if they have any visibility at all.
These standards and mandates dangerously assume that organizations know they were breached in the first place. If organizations don't have the resources to monitor their ICS environments, they may never know a threat actor is trying to break into their network, or, worse, that a threat actor has already been inside the network for days, months or even years. A reporting clock is meaningless to an organization that never detects the incident, which makes the 24- and 72-hour reporting windows impossible to meet in practice. In addition, it appears we are headed toward a hodgepodge of overlapping regulations that will place a significant burden on private enterprises.
Distracting From What's Important
One example of this overlap is Senate bill S.2875, the Cyber Incident Reporting Act of 2021, and House bill H.R. 5440, the Cyber Incident Reporting for Critical Infrastructure Act. These bills have overlapping requirements that complicate the reporting process. Organizations will likely be required to determine which category an incident falls into and which government agency should handle it. The resources required to do this should be devoted to improving security rather than navigating the complexities of reporting requirements.
Indeed, complying with government-issued standards takes significant time and resources that could instead be used to implement effective security controls. This is especially frustrating when it seems to take an actual cyberattack for the government to decide that yet another industry needs yet another mandate.
It's time for regulators of critical infrastructure to focus more on operational resiliency: focus on, and increase investment in, ensuring organizations can respond to attacks, minimize their impact, and restore operations quickly. We must begin accepting that not all cyberattacks against critical infrastructure can be prevented. The physical, long-lived nature of these systems, many of which cannot be patched or taken offline without disrupting the process they control, makes it nearly impossible to stop 100% of attacks. However, we still have the capability to respond and recover, and that's where we should focus our efforts.
Finally, it's time to take a step back and define a single critical infrastructure cybersecurity standard. If your industry is defined as critical infrastructure, then, by definition, it requires protection. Let's define that single standard now and start enforcing protection, including increased investment in the systems that give organizations visibility into their environments and the resiliency to recover from attacks.