CISA Has New Goals for Critical Infrastructure Cybersecurity

By Emily Newton, Editor-in-Chief at Revolutionized Magazine

Critical infrastructure cybersecurity is a crucial part of national security today. Sectors like energy and defense are vital to the protection and stability of the nation, but they are facing a growing number of digital threats.

With rates of cyber attacks continuing to increase yearly, critical infrastructure organizations must take action to improve their cybersecurity. The U.S. CISA has released a new set of cybersecurity guidelines designed to help build a standard baseline for cybersecurity in critical infrastructure sectors.

The 2022 CISA Cybersecurity Performance Goals

On October 22, 2022, the Cybersecurity and Infrastructure Security Agency — or CISA — released a new set of Cybersecurity Performance Goals (CPGs). This is a series of objectives designed to help organizations in critical infrastructure sectors strengthen their cybersecurity to meet minimum CISA-recommended standards.

The new CPGs are organized into several categories, including:

  • Supply chain and third party
  • Governance and training
  • Vulnerability management
  • Device security
  • Account security
  • Data security
  • Response and recovery

The collection of guidelines is designed to address gaps in critical infrastructure cybersecurity. For example, CISA points out that operational technology (OT) is often overlooked in cybersecurity initiatives, where cybersecurity measures are taken at all.

The CISA’s new guidelines are approachable for organizations at all levels of cybersecurity expertise. The organization did an excellent job of clearly outlining what each goal should accomplish as well as some tips and best practices for working toward that goal.

As a result, the new CPGs are an ideal starting point for strengthening critical infrastructure cybersecurity in organizations lacking experience. This is important to note since new businesses likely have significant cybersecurity vulnerabilities. The CISA is clearly making an effort to make it easier for these organizations to understand and improve their cybersecurity without getting lost in technical jargon.

U.S. security leaders have also announced a few critical infrastructure sectors will be getting new cybersecurity regulations from federal agencies. While the CISA’s CPGs are optional recommendations for organizations, these additional cybersecurity regulations will be mandatory. The new rules will help reinforce CISA minimum security guidance in sectors at particularly high risk of cyber attacks.

Why the New CISA CPGs Are Necessary

The new CPGs act as baseline cybersecurity standards to get critical infrastructure organizations up to modern security standards. Right now, there are no fundamental security rules in these crucial industries. This leaves critical infrastructure organizations vulnerable to cyber attacks, a growing concern given trends over recent years.

Studies of cyber attacks on enterprises — specifically in aerospace, defense and medicine — show some common trends. Ransomware attacks are hitting businesses initially with aggressive phishing schemes that rapidly escalate, most often leading to data exfiltration and even network-wide encryption. Some organizations fare better than others depending on the extent of their cybersecurity protocols, which is why standards for critical infrastructure cybersecurity are vital.

Arguably the most infamous cautionary tale for critical infrastructure organizations is the 2021 Colonial Pipeline ransomware attack. This cyber attack demonstrated the genuine threat facing critical infrastructure organizations. Hackers today will specifically target organizations they know can’t risk shutting down for long, such as those in critical infrastructure sectors. Attacks on organizations in these sectors don’t just impact the businesses — they impact the entire nation.

What Is the Next Step for Critical Infrastructure Cybersecurity?

The CISA’s Cybersecurity Performance Goals follow a July 2021 National Security Memorandum by the Biden Administration, which addresses the need to strengthen critical infrastructure cybersecurity today. It is one of a growing number of efforts by U.S. leaders to enhance the nation’s cybersecurity and cyber resilience. For instance, there have also been calls for the U.S. power grid to modernize to address infrastructural and security vulnerabilities.

The federal government is striving to shore up American cyber defenses however possible. The CISA’s new cybersecurity goals are certainly helpful guidelines. However, researchers have pointed out that clear, actionable incentives may be the only way to get critical infrastructure organizations to make meaningful changes to their cybersecurity protocols.

The issue is not necessarily a lack of awareness or tools. It is difficult to run any kind of business today without hearing about the cyber attacks hitting other organizations. Plus, cybersecurity tools and guidance are both widely available online. The roadblock to more robust critical infrastructure cybersecurity is a lack of motivating incentives to take today’s cybersecurity threats seriously.

So, the next step in improving critical infrastructure cybersecurity will be for federal security leaders to find a way to motivate widespread change among these key sectors. The national 401(k) tax incentive program is a good example of this principle. Many people feel more motivated to keep their money in the present rather than set it aside for retirement. A tax incentive changes things, giving these reluctant savers an appealing reason to set their money aside.

A similar incentive is necessary for critical infrastructure organizations. Of course, raising awareness about the risks of ransomware and hacking is essential. The new Cybersecurity Performance Goals are also helpful for ensuring all critical infrastructure organizations have a clear place to start developing a cybersecurity strategy.

Fear of cyber attacks and conveniently available security guidance can only do so much. A motivating incentive program will be the next step and the missing piece that hopefully sparks a wave of change for critical infrastructure cybersecurity.

Strengthening National Cybersecurity

Critical infrastructure cybersecurity is vital for ensuring the safety of sectors the entire nation depends on. Without industries like energy, defense and emergency services, the American public could be in danger or lose access to services and resources critical to daily life. The CISA’s new Cybersecurity Performance Goals are a step in the right direction toward strengthening critical infrastructure cybersecurity when it is needed most.

Emily Newton is the Editor-in-Chief at Revolutionized Magazine. A regular contributor to Brilliance Security Magazine, she has over four years of experience writing articles in the industrial sector.