The Department of Homeland Security has developed and released new cybersecurity performance goals for critical infrastructure through the Cybersecurity and Infrastructure Security Agency (CISA). Cyber threats facing critical infrastructure are on the rise, and these new goals are designed to give stakeholders the foundation they need to reduce cyber risk.
Critical Infrastructure Cyberthreats
The FBI’s Internet Crime Complaint Center (IC3) reported 649 complaints of critical infrastructure ransomware attacks in 2021, and it anticipates increased ransomware victimization this year.
Critical infrastructure sectors, such as healthcare, food, energy, and transportation, are vital to the economy and national security. The financial consequences of a ransomware attack can be substantial.
“Given the highly regulated nature of the industries that operate critical infrastructure, the risks of financial loss due to penalties from lawsuits, regulatory penalties, lost productivity, and recovery costs as a result of a ransomware attack are extremely high,” says Dan Pepper, partner at global law firm Norton Rose Fulbright.
In addition to heavy financial consequences, cyberattacks on critical infrastructure providers can result in lost lives.
“Critical infrastructure owners and operators of all sizes are particularly attractive targets for threat actors, including nation states, because of the potential high visibility impact — real or perceived — on life and vital services,” explains Katherine Ledesma, senior director of public policy and government affairs at cybersecurity ratings company SecurityScorecard, and former CISA senior advisor.
The increasingly interconnected nature of supply chains and rapid cloud adoption expand the attack surface for critical infrastructure organizations, which do not always have the resources to adequately understand and defend against the cyber threats that they face.
“A lack of identity intelligence and visibility into emerging cyber threats is the greatest challenge facing the critical infrastructure sector today,” says Joel Bagnal, director of federal business at cybersecurity company SpyCloud.
CISA’s Cybersecurity Performance Goals
CISA worked with hundreds of partners across the public and private sectors to develop cybersecurity performance goals, or CPGs, to address key challenges facing critical infrastructure, including the lack of fundamental security protections, limited resources among small- and medium-sized organizations, lack of consistent standards, and under-resourced operational technology (OT) cybersecurity.
“The scope of the goals was largely informed by the operational realities that both CISA and stakeholders consistently see across their engagements with critical infrastructure,” says Eric Goldstein, executive assistant director for cybersecurity, CISA.
The goals are divided into eight broad categories:
- Account security
- Device security
- Data security
- Governance and training
- Vulnerability management
- Supply chain/third party
- Response and recovery
- Other (network segmentation, detecting relevant threats and TTPs, and email security)
“The CPGs were determined based on three criteria: (1) Significantly and directly reduce the risk or impact caused by commonly observed, cross-sector threats and adversary TTPs; (2) clear, actionable, and easily definable; and (3) reasonably straightforward and not cost-prohibitive for even small- and medium-sized entities to successfully implement,” Goldstein elaborates.
The CPGs, aligned with the NIST cybersecurity framework, are meant to be a starting point for critical infrastructure organizations to strengthen cybersecurity, even if they are starting from scratch. “If an organization starts from zero, I would recommend prioritizing the CPGs according to known cybersecurity gaps and then adopting a crawl, walk, run approach for high-priority CPGs in order to make incremental progress,” says Robin Berthier, co-founder and CEO of cybersecurity audit and compliance solutions Network Perception.
Implementation of the CPGs will require buy-in from critical infrastructure leadership. “Ideally, the sector-specific performance goals will enable security leaders to, within their risk management approach, measure their current cybersecurity situation and quantify how much they want to improve and how much that improvement will cost,” says Kelly Rozumalski, SVP at IT consulting company Booz Allen Hamilton.
Achieving CISA’s CPGs for critical infrastructure also calls for continued coordination between the public and private sectors. “The goals should become a catalyst to strengthen public and private sector relationships and help all stakeholders to be aligned. For instance, cybersecurity vendors can integrate the CPGs as part of their reporting packages to help organizations prioritize and meet their high-priority goals,” says Berthier.
If the CPGs are to be successful, they need to be measurable. CISA plans to leverage public and private sector relationships, including partnerships with sector risk management agencies, to help critical infrastructure organizations measure their use of the CPGs and security outcomes, according to Goldstein.
“It will be important to demonstrate how cybersecurity investments and implementation of recommendations to meet the CPGs have effectively raised the bar on the cybersecurity of critical infrastructure,” Ledesma points out.
The goals, like cyber threats, will not remain static. CISA is planning to build out sector-specific CPGs and to update the CPGs every six to 12 months.
Pepper anticipates more focus on supervisory control and data acquisition program development, business continuity, and recovery planning as the CPGs evolve. Bagnal hopes to see future goals address “…the intersection between identity intelligence and infrastructure to enable greater visibility between IT infrastructure and compromised OT devices.”
CISA has established a GitHub discussions page for feedback and new CPG ideas.