Following in the footsteps of the cybersecurity Executive Order, President Biden issued a National Security Memorandum last week on improving cybersecurity for critical infrastructure control systems – that is, the computers that control our critical infrastructure.
Like the EO, this NSM has specific details.
- The government has created an Industrial Control Systems Cybersecurity Initiative for government and industry to collaborate on significantly improving security. Hopefully this works, because if it doesn’t, the next step is mandatory controls, and industry doesn’t want that.
- The initiative is already in progress. It started with electricity and now has added pipelines. Water, wastewater and chemicals will be added later this year.
- NIST and DHS are required to create a set of baseline cybersecurity goals. Again, these goals are voluntary, but if industry doesn’t adopt them, the next step will be rulemaking. The authority to make rules for safety is already there; it just takes longer.
- NIST has until September 22, 2021 (basically 45 days) to release preliminary rules and a year to finalize the rules. The idea is to create a clear benchmark that the government expects critical infrastructure to meet.
Hopefully this is one more step in the right direction. There are no silver bullets.
One more thought. While this initially applies to critical infrastructure like power and water, it may make sense to expand it to other industries. Smart companies will review these guidelines when they are released and see whether they should apply to them.

Credit: The White House