In a comprehensive National Security Memorandum (NSM), the current administration has outlined its strategy for strengthening the security and resilience of United States critical infrastructure against threats like cyberattacks, natural disasters, and climate change. The memorandum designates 16 critical infrastructure sectors, such as energy, transportation, and health care, and outlines roles and responsibilities for relevant federal agencies to identify and mitigate risks within each sector.[1]
Key elements of the new strategy include:
- Establishing "Sector Risk Management Agencies" (SRMAs) to lead risk management efforts for each critical infrastructure sector, like the Department of Homeland Security (DHS) for communications and the Department of Energy (DOE) for energy
- Requiring SRMAs to produce biennial sector-specific risk assessments and risk management plans that establish minimum security and resilience requirements
- Directing DHS, through its Cybersecurity and Infrastructure Security Agency (CISA), to coordinate the overall national risk management effort as the "National Coordinator"
- Mandating the development of a National Infrastructure Risk Management Plan that synthesizes sector-level inputs to manage cross-sector risks
- Improving intelligence sharing and collection related to threats against critical infrastructure between agencies and the private sector
- Identifying a list of "Systemically Important Entities" whose disruption could cause cascading national impacts, prioritizing federal resources
The strategy represents a significant step toward unifying critical infrastructure security efforts across the federal government and compiling minimum cybersecurity baselines and other protective standards that regulation could backstop. It aims to enhance cross-sector risk management as critical infrastructure grows more interdependent. The White House also emphasizes more robust information sharing as a core component.
"The United States is facing complex cyber threats. As we continue to become even more reliant on technology, this threat will only increase," said Michael Gregg, CISO for the State of North Dakota. "Highlighting this risk and building plans to test resilience via tabletops and testing will help us better prepare. Expanding threat intelligence sharing between these 16 critical infrastructure sectors is a good next step, as it will help build a more robust response capability."
Scott Margolis, CISO for Massachusetts Bay Transportation Authority, offered his perspective: "The real benefit of the Executive Order is the emphasis on a harmonized and risk-based approach to safeguarding critical infrastructure. Truly a transformational approach for our Federal Partners and the Executive branch in continuing to support us in this rapidly evolving cyber landscape. This approach ensures a consistent and actionable strategy across various sectors and agencies, enabling us to respond to increasingly sophisticated threats effectively. By aligning efforts and resources, prioritizing based on risk, and fostering strong public-private partnerships, we enhance our capacity to protect critical transit systems against emerging threats, ensuring safety and continuity in our services. This unified approach increases our resilience and streamlines our response mechanisms, making them more effective and timely."
Oren Koren, Co-founder and CPO at Veriti, shared his thoughts: "I believe that under the new Biden administration's strategy, we will see a focus on three major areas that will add significant value:
- Service Providers: New service organizations, certified by the government, will be formed to oversee operations and require a blend of manpower and automation. Currently, this manpower is represented by MSSPs and MDRs.
- Automation: These service organizations, mostly government and MSSPs, will effectively consolidate various solutions to achieve their objectives.
- Data aggregation: Each company will need to share its data—logs, alerts, and insights—at a centralized location.
A critical concern is that this central aggregator could become a prime target for adversaries. If an attacker aims to harvest data for a cyberattack, their primary challenge would be to breach this central node effectively, the 'holy grail.' Ensuring the security of this data will be the foremost priority of the organization."
The memorandum identifies 16 critical infrastructure sectors and designates associated Sector Risk Management Agencies (SRMAs). In some cases, co-SRMAs are designated where multiple departments share the roles and responsibilities of the SRMA. The Secretary of Homeland Security shall periodically evaluate the need for and approve changes to critical infrastructure sectors and make recommendations to the President by statute and in consultation with the Assistant to the President and Homeland Security Advisor. The industries and SRMAs are as follows:
- Chemical: Sector Risk Management Agency: DHS
- Commercial Facilities: Sector Risk Management Agency: DHS
- Communications: Sector Risk Management Agency: DHS
- Critical Manufacturing: Sector Risk Management Agency: DHS
- Dams: Sector Risk Management Agency: DHS
- Defense Industrial Base: Sector Risk Management Agency: Department of Defense (DOD)
- Emergency Services: Sector Risk Management Agency: DHS
- Energy: Sector Risk Management Agency: DOE
- Financial Services: Sector Risk Management Agency: Department of the Treasury
- Food and Agriculture: Co-Sector Risk Management Agencies: Department of Agriculture and Department of Health and Human Services (HHS)
- Government Services and Facilities: Co-Sector Risk Management Agencies: DHS and General Services Administration (GSA)
- Healthcare and Public Health: Sector Risk Management Agency: HHS
- Information Technology: Sector Risk Management Agency: DHS
- Nuclear Reactors, Materials, and Waste: Sector Risk Management Agency: DHS
- Transportation Systems: Co-Sector Risk Management Agencies: DHS and Department of Transportation
- Water and Wastewater Systems: Sector Risk Management Agency: Environmental Protection Agency
CISA added this commentary in its overview of the White House memorandum: "CISA has already been working toward the goals of the NSM. We have already re-established the Federal Senior Leadership Council, which has made impressive strides toward meeting our shared goals through the FSLC's robust collaboration model. When the FSLC was re-chartered, the group took on new authorities and a heavy lift to inform how we define, modernize, and protect our critical infrastructure sectors. We have already completed the first assessment of sector designations. Through a transparent, iterative, and collaborative process, the FSLC evaluated the current 16 critical infrastructure sectors and considered potential new sectors, changing the scope of various other sectors and removing or moving various subsectors within existing sectors. The FSLC achieved consensus among its 30 member Departments and Agencies on the recommendations for the first time since the sectors were established in PPD-21 in 2013. This updated sector structure was presented to the President in late 2023 and is reflected in the sectors listed in the NSM."
While implementation will take years, the new critical infrastructure directive overhauls US policies not substantially updated in a decade. It signals the Biden Administration's prioritization of this issue among pressing national security imperatives.
More from CISA on Systemically Important Entities (SIEs): "Finally, as the National Coordinator, CISA has already begun the work to establish Systemically Important Entities (SIE). As described in the NSM, SIEs are critical infrastructures prioritized based on potential disruption or malfunction to cause nationally significant and cascading negative impacts to national security (including national defense and continuity of government), national economic security, or national public health or safety. The SIE list will inform the prioritization of federal activities, including risk mitigation information and other operational resources for non-federal entities. The list of SIEs developed under this NSM, and subsequent updates, will strengthen our understanding and prioritization of those functions that Americans rely on daily and satisfy the Secretary of Homeland Security requirement to develop the list described in Section 9 of Executive Order 13636."
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
[1] https://www.secureworld.io/industry-news/united-states-strategy-securing-critical-infrastructure