Create a free Industrial Equipment News account to continue

Broadening Requirements for Defending Critical Infrastructure

The current imbalance of OT/ICS regulations heightens risks for the entire sector.

Dr. Terence Liu
Feb 29, 2024
Risk Management

A lack of uniform mandatory regulations has led to dramatic disparities in cybersecurity practices across different industrial sectors. This discrepancy is especially evident in industries associated with critical infrastructure, where some companies excel in security practices for operational technology (OT) and industrial control systems (ICS), while others lag. The imbalance introduces risks for the entire sector. 

Consensus is gathering among national governments and regulatory agencies about the need for broadening minimum cybersecurity requirements in order to address the inconsistencies. We are amid a period of intense development in OT/ICS security globally, as key cybersecurity frameworks are being updated and standards are being rolled out in North America, and markets globally, to shore up defense of national critical infrastructure. 

Mandating and Incentivizing Change 

Significant regulatory initiatives around cybersecurity are being enacted to safeguard critical infrastructure in the United States. The National Cybersecurity Strategy released by the White House, for example, concentrates on boosting defensive and resilient capabilities for both information technology (IT) and OT systems through “zero trust” architecture and modernization. 

It states, “The Federal Government can better support the defense of critical infrastructure by making its own systems more defensible and resilient. This Administration is committed to improving Federal cybersecurity through long-term efforts to implement a zero trust architecture strategy and modernize IT and OT infrastructure. In doing so, Federal cybersecurity can be a model for critical infrastructure across the United States for how to successfully build and operate secure and resilient systems.” 

There has been significant movement, as well, across individual agencies of the U.S. government with oversight over particular industry sectors:

  • The Federal Energy Regulatory Commision (FERC) has approved Reliability Standard CIP-003-9 (Cyber Security – Security Management Controls) to better account for supply chain risks in the energy sector. The new standard addresses methods for determining and disabling vendor remote access in the event of malicious communications, and expands controls to provide greater visibility into interactions between electric-system cyber systems and vendors.
  • The Transportation Security Administration last year updated its cybersecurity directives, particularly around performance-based measures to enhance cyber resilience.
  • A new Environmental Protection Agency (EPA) cybersecurity factsheet focuses on enhancing cybersecurity around drinking water and wastewater systems, covering both tools and funding opportunities. 

Furthermore, the U.S. government has gone beyond mandates to also incentivize key infrastructure operators into implementing new cybersecurity regulations or standards. FERC is incentivizing utility companies to invest in advanced cybersecurity technologies, and the Department of Homeland Security (DHS) State and Local Cybersecurity Grant Program (SLCGP) is another example of the approach: “The program is designed to allocate funding where it is needed most: into the hands of local entities. States and territories will use their State Administrative Agencies (SAAs) to receive SLCGP funds from the federal government and then distribute the funding to local governments in accordance with state law and procedures.” 

Boosting Transparency and Strengthening Compliance 

Providing detailed information about incidents, their impacts, and management strategies is crucial for fostering a more secure and resilient digital environment, and the United States of late has undertaken significant steps to enhance transparency, accountability, and preparedness around and against cyber threats.

The U.S. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), for example, is designed to enhance national cybersecurity resilience. It empowers the Cybersecurity & Infrastructure Security Agency (CISA) to enforce regulations for incident reporting and ransomware payments, to more quickly deploy resources and support victims, to analyze cross-sector trends, and to share crucial information to avert further attacks.

“When information about cyber incidents is shared quickly, CISA can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident,” CISA says of the act. “This information is also critical to identifying trends that can help efforts to protect the homeland.”

Similarly, newly implemented U.S. Securities and Exchange Commission (SEC) regulations oblige publicly listed companies to disclose comprehensive information on the cybersecurity risks that they confront, with the goal of arming investors to make better-informed decisions. Under the new requirements, a company within four business days of discovery of an incident must detail its nature and impact, as well as the company’s response measures and cybersecurity management policies. The disclosures must also cover the roles of a company’s board of directors in supervising risks to cybersecurity. 

Positioning for Evolving Threats 

Activity is intense in markets beyond North America, as well. The European Union-wide Network and Information Systems (NIS) 2 Directive, which is scheduled for implementation by October 2024, extends cybersecurity guidance to entities across a wide range of sectors, including chemicals, energy, food, manufacturing, space and wastewater.

Japan’s new Ministry of Economy, Trade and Industry (METI) Cybersecurity Management Guidelines for Japanese Enterprise Executives Ver. 3.0 instructs companies of any size on how “management should direct their executive in charge (e.g. CISO) to incorporate in implementing cybersecurity measures.” And, in the the United Arab Emirates, the updated Dubai Cyber Security Strategy integrates proactive protections against risks and boosts investment in technology infrastructure, to support Dubai’s digital ecosystem and smart city initiatives. 

Companies supporting critical infrastructure in markets globally will be pressed in 2024 and the years ahead as additional requirements and regulations are introduced to enforce OT/ICS cybersecurity in such a way to balance both protection goals with the need to maintain operational continuity. Fortunately, simplifying regulation also figures to be a point of interest, as countries seek to align around international standards, in order to alleviate the burden of compliance for their multinational entities. 

Indeed, organizations will need to move beyond mere regulatory compliance to simultaneously bolster governance structures and team capabilities; develop advanced Cyber-Physical Systems Threat Detection and Response (CPSDR); and strengthen supply-chain risk management. As digital transformation accelerates and the threat landscape evolves, companies and governments will have to work in close collaboration to safeguard the availability, reliability, and security of critical infrastructure.

 

A new, downloadable TXOne Networks report, The Crisis of Convergence: OT/ICS Cybersecurity 2023, details the contemporary threat landscape. Dr. Terence Liu is the chief executive officer of TXOne Networks.

Latest in Advanced Mfg
Security Breach Podcast
Sponsored
Security Breach Podcast
April 19, 2024
Ep90
Security Breach: DMZs, Alarm Floods and Prepping for 'What If?'
April 25, 2024
Industrial Cyber
5G, AI and More Are Changing OT - Why Zero Trust Could Be the Solution
April 24, 2024
Manufacturing Infrastructure Cyber
Avoiding Shutdowns from Ransomware Attacks
April 24, 2024
Related Stories
Flirtn
Advanced Mfg
On Demand: Acoustic Imaging for Manufacturing – Capturing Cost Savings Through Sound
I Stock 1425766526
Advanced Mfg
Purdue's New Interdisciplinary Labs Bolster U.S. Manufacturing
When selecting an RTU, performance, reliability and the right manufacturer are important factors for success.
Advanced Mfg
Factors to Consider When Selecting & Implementing an RTU
Security Breach Podcast
Sponsor Content
Security Breach Podcast
More in Advanced Mfg
Security Breach Podcast
Sponsored
Security Breach Podcast
A new video series from Manufacturing.net - Security Breach, looks to offer the insight and tools needed to ready your company's defenses. Stay up-to-date on today's vital cybersecurity topics by subscribing here.
April 19, 2024
Ep90
Safety
Security Breach: DMZs, Alarm Floods and Prepping for 'What If?'
The new factors impacting a growing attack surface, and how to evolve your cyber risk strategies.
April 25, 2024
Industrial Cyber
Advanced Mfg
5G, AI and More Are Changing OT - Why Zero Trust Could Be the Solution
Maximizing technology investments while maintaining security.
April 24, 2024
Manufacturing Infrastructure Cyber
Advanced Mfg
Avoiding Shutdowns from Ransomware Attacks
A strategic approach for protecting OT networks.
April 24, 2024
Rrmif
Advanced Mfg
RTX Breaks Ground on $115M Expansion of Alabama Missile Integration Facility
The expansion will also bring an estimated 185 new jobs to the area.
April 24, 2024
Electro
Advanced Mfg
Elevating Processes to Match Material Advancements
Pulsed electrochemical machining could be the key to unlocking new and innovative material benefits.
April 22, 2024
Cybersecurity In A Bubble
Advanced Mfg
Responding to Emerging Risks and Attack Vectors
Insight on key hacker strategies, response plans and creating a culture that embraces cybersecurity.
April 18, 2024
Ep89
Advanced Mfg
Security Breach: Weaponizing Secure-By-Design
How a greater focus on new and legacy OT connections could alter the cybersecurity battlefield.
April 18, 2024
Ep88tn2
Video
Security Breach: Over-Connectivity and Mobile Defeatism
The good, the bad and the ugly of mobile device security in the expanding OT attack landscape.
April 11, 2024
Container Ship At Port And Cargo Plane 000071988275 Large
Advanced Mfg
Protecting Ships from Cyber Terrorism
Cargo ships feature a number of connected operational technologies - making them vulnerable to cyberattacks.
April 10, 2024
People Cyber Metamorworks
Advanced Mfg
The Weakest Link in Manufacturing Cybersecurity
An organization can be equipped with state-of-the-art cybersecurity systems, but one significant vulnerability may remain.
April 4, 2024
Soc
Advanced Mfg
Everyone's Responsibility: Building a Cybersecurity-Centric Culture
Cybersecurity leaders must go beyond checking a box and get creative to actually change behavior.
April 3, 2024
Ep87tn
Video
Security Breach: Hackers Learn How to Attack You, From You
It's not always about the ransom, data theft or denial of service.
April 3, 2024
istock.com
Advanced Mfg
Data Woes Stifling Manufacturing, Adding to Cyber Challenges
A new report uncovers the complex issues surrounding the use and defense of Industry 4.0.
March 28, 2024
Jeff Thumb
Software
Security Breach: The Largest Attack Surface - People
How we're failing to properly support and train our most important cybersecurity asset.
March 28, 2024