Cybersecurity Experts Discuss Plans for Protecting Critical Infrastructure

WASHINGTON — When an oil and gas pipeline was disrupted by a ransomware attack just two years ago, other vital industries took notice. Now, the administration is seeking to secure the nation’s infrastructure from cyberthreats through mandatory minimum standards.
“The Colonial Pipeline hack was a transformative moment for cybersecurity in the United States,” Anne Neuberger, deputy assistant to the president and deputy national security advisor for Cyber and Emerging Technology, recently explained to the Center for Strategic and International Studies.
In particular, she said, it forced a recognition that “in almost all cases of critical infrastructure we didn’t have minimum required cybersecurity practices for owners and operators of critical infrastructure.”
The nuclear industry, defense industrial base and some parts of the chemical sector had some protections, but other sectors only had emergency authorities in place, or unused authorities that the executive branch felt could be fashioned to implement minimum standards or develop new mandates.
“How common is a ransomware attack in the pipeline sector? We didn’t know because there was no reporting requirement,” David Pekoske, Transportation Security Administration administrator, said.
“Within a year’s time we did a complete pivot and came up with a performance-based regulation,” he said.
Reporting requirements were put in place for certain high-risk companies, with baseline standards created to which any company delivering truly essential services to people must adhere.
The information from these reports is stored in one place and shared, through the Cybersecurity and Infrastructure Security Agency, with other agencies that have an interest.
“[This has] proven its worth,” Pekoske said, because “everybody gets the same report and there’s no confusion … and companies get a cyber point of contact.”
“When we know there is a threat to a sector, now there is a common visibility,” he said.
To further drive minimum resilience requirements for those services we all rely on, like transportation and energy services, Pekoske explained that vulnerability assessments and a cybersecurity response plan are necessary. Key outcomes of such plans would include network segmentation, access control for critical cybersystems, continuous detection and monitoring, and a plan for patching systems.
“It’s one thing to have a plan, it’s a whole different thing to be able to execute off the framework of that plan,” Pekoske said. “And it’s one thing to be able to prevent, and another thing to build in the resiliency so that even if attacked you can be as resilient as possible to be able to respond.
“We all know that when you have a plan, it’s unlikely that your plan has the exact scenario that you’re going to face, but it does give you a framework and a way to think about it,” he said.
Not all industries will — or should — have enforced cybersecurity regulations, according to Rob Silvers, under secretary of Homeland Security for Strategy, Policy, and Plans. But the administration is looking to set common frameworks from which regulations can spring, like CISA’s performance goals, while taking steps to ensure that only those entities that need to be regulated are regulated and that requirements are minimized and flexible.
“Our work to protect the American people is a mix of voluntary programs and mandatory programs with companies,” Silvers said. “The majority is voluntary — and growing in sophistication — but we’ve put a lot of focus on ensuring that in cases where a regulatory approach is required, we’re doing it in a surgical, tailored, risk-based and thoughtful way.”
“We’ve made a tremendous amount of progress in a very short amount of time,” Pekoske said. “As a result, we have, as a government, much more awareness of where the threat is and how it’s developing, separate from the intel that we might be receiving.”