- The Cybersecurity and Infrastructure Security Agency (CISA) is identifying what critical infrastructure would most impact U.S. national security and economy if hacked, according to CISA Director Jen Easterly during a virtual Center for Strategic and International Studies event. CISA is basing its analysis on economic and network centrality, and "logical dominance in the national critical functions," she said.
- CISA joins the Cyberspace Solarium Commission (CSC) in efforts to identify systematically important critical infrastructure (SICI), which CISA refers to as primary systemically important entities (PSIE). CSC recommended that Congress "codify the concept of" SICI, in its inaugural report last year.
- "We're going to move forward and do it, whether it ends up in legislation or not," Easterly said. Though if PSIE- or SICI-related proposals end up in law, "it will be very helpful in continuing to bring the private sector to the table … We're in a state right now where critical infrastructure is much more vulnerable than it should be."
CISA is fast-tracking critical infrastructure categorization, and the companies most vulnerable to cyberattacks. The CSC wants Congress, after identifying these organizations, to ensure "the full support of the U.S. government and shoulder additional security requirements" to suit their "unique status and importance."
In October, Rep. John Katko, R-N.Y., and Rep. Abigail Spanberger D-Va., proposed the Securing Systemically Important Critical Infrastructure Act, which would direct CISA to prioritize benefits for the owners and operators of specified critical infrastructure. Katko could see the bill included in the FY2022 National Defense Authorization Act (NDAA), he said during the webcast.
Under Katko and Spanberger's bill, CISA would have to consult with the heads of Sector Risk Management Agencies (SRMAs) and create a methodology for determining what elements of critical infrastructure meet the threshold of maximum national security and economic impact.
The bill also asks for identified critical infrastructure companies to have prioritized representation in CISA's Joint Cyber Defense Collaborative (JCDC).
The proposal is in line with what the CSC asked for, where the government is "assured that these companies are taking their security responsibilities seriously, honoring the public trust that appertains to the services and functions they provide," the report said.
What the government is working toward is something the private sector needs — different treatments based on the uniqueness of each critical infrastructure sector. In March, the White House announced it was reviewing OT/ICS operators, and prioritizing bigger utilities impacting larger populations. And in July, the Biden administration signed the National Security Memorandum, which tasked CISA with developing performance goals for critical infrastructure.
Cyberattacks on critical infrastructure this year — particularly Colonial Pipeline and JBS USA — already led to firsts in cybersecurity requirements. In May, the Transportation Security Administration (TSA) announced two pipeline-specific cybersecurity directives. The TSA gave aggressive timelines for pipeline owners and operators to meet, though administrators said the TSA is willing to work with companies if they submit alternative procedures.
Owners and operators using OT and industrial control systems (ICS) worry that the new requirements could impact the safety of their equipment if they move too rapidly. Meanwhile, the TSA admittedly is understaffed in cybersecurity.
A similar announcement was made for railroad and airport operators in October. Secretary of Homeland Security Alejandro Mayorkas announced the TSA will also issue mandatory requirements for transportation sectors operating in the air, land or sea. Owners and operators will have to report incidents to CISA, though the complete published regulations are expected by the end of the year.