The President’s National Infrastructure Advisory Council (NIAC) is calling for mandatory cybersecurity standards for the security and resilience of critical infrastructure assets, on the heels of the Biden administration’s release earlier this month of its national cybersecurity strategy that tacks in a similar direction.
On the critical infrastructure front, the cybersecurity strategy aims to expand the use of “minimum cybersecurity requirements” across the 16 critical infrastructure sectors already defined by the Department of Homeland Security (DHS) to “ensure national security and public safety.” The strategy also aims at “harmonizing regulations to reduce the burden of compliance.”
The new report from NIAC, commissioned in December 2022, relies on information from Federal agencies and private organizations to arrive at recommendations to improve critical infrastructure security, and also talks about barriers to getting there.
“Standards should ultimately be mandatory when they deal with security vulnerabilities that could impact the provision of critical infrastructure across sectors,” the report says.The report also emphasizes that work on improving security standards should be “outcome-based.”
“Outcome-based standards identify what needs to be addressed to ensure cross-sector physical and cyber security while leaving the how (i.e., the specifics of how each provider adjusts its business practices to meet that standard) to the providers themselves,” the report says.
The report found that one of the leading issues that has impeded cybersecurity efforts has been due to the lack of clarity when it comes to “decision-making and command.”
“The need for clear proactive decision-making and command is not limited to the public sector. In the private sector, resources are not always harnessed across sectors effectively during incidents to ensure a comprehensive response,” states the report.
The report’s recommendations include putting more emphasis on a cohesive strategy that will enable both private and public sectors to react to cyber issues quicker. One of the hallmark recommendations of the report is to create a “convening group” which can help develop responses in case of an attack on critical infrastructure.
“The NIAC recommends that the NSC gather and analyze informal activities that have been undertaken in this area in the past and use that information to help inform the development of the drills and the scenarios chosen,” states the report.
Other recommendations include:
- Harmonize standards that govern common activities of the private sector;
- Enhance coordination among local, state and federal government entities;
- Engage vulnerable communities in planning and restoration efforts;
- Enhance the timeliness and transparency of threat information;
- Undertake a common cause failure analysis for critical infrastructure supply chains and services;
- Prioritize standard setting in the areas of threat modeling, network segmentation, access provisioning and privileged account management;
- Pilot-test the benefits that additional third-party certifications can provide to sector and cross- sector stakeholders;
- Develop methods to ensure timely delivery of infrastructure support provided by the Infrastructure Investment and Jobs Act and the Inflation Reduction Act; and
- Ensure consistency in international trade requirements and “Buy America” mandates in federal, state and local contracts.
