Nov 4, 2021

CISA wants to identify the most vulnerable critical infrastructure

CISA is fast-tracking the categorization of critical infrastructure and the identification of the companies most vulnerable to cyberattacks. The CSC wants Congress, once these organizations are identified, to ensure “the full support of the U.S. government and shoulder additional security requirements” to suit their “unique status and importance.”
In October, Rep. John Katko, R-N.Y., and Rep. Abigail Spanberger, D-Va., proposed the Securing Systemically Important Critical Infrastructure Act, which would direct CISA to prioritize benefits for the owners and operators of specified critical infrastructure. Katko could see the bill included in the FY2022 National Defense Authorization Act (NDAA), he said during the webcast.
Under Katko and Spanberger’s bill, CISA would have to consult with the heads of Sector Risk Management Agencies (SRMAs) and create a methodology for determining what elements of critical infrastructure meet the threshold of maximum national security and economic impact. 
The bill also asks for identified critical infrastructure companies to have prioritized representation in CISA’s Joint Cyber Defense Collaborative (JCDC).
The proposal is in line with what the CSC asked for, where the government is “assured that these companies are taking their security responsibilities seriously, honoring the public trust that appertains to the services and functions they provide,” the report said. 
What the government is working toward is something the private sector needs — different treatments based on the uniqueness of each critical infrastructure sector. In March, the White House announced it was reviewing OT/ICS operators, and prioritizing bigger utilities impacting larger populations. And in July, the Biden administration signed the National Security Memorandum, which tasked CISA with developing performance goals for critical infrastructure. 
Cyberattacks on critical infrastructure this year — particularly Colonial Pipeline and JBS USA — already led to firsts in cybersecurity requirements. In May, the Transportation Security Administration (TSA) announced two pipeline-specific cybersecurity directives. The TSA gave aggressive timelines for pipeline owners and operators to meet, though administrators said the TSA is willing to work with companies if they submit alternative procedures. 
Owners and operators using OT and industrial control systems (ICS) worry that the new requirements could impact the safety of their equipment if they move too rapidly. Meanwhile, the TSA admittedly is understaffed in cybersecurity.
A similar announcement was made for railroad and airport operators in October. Secretary of Homeland Security Alejandro Mayorkas announced the TSA will also issue mandatory requirements for transportation sectors operating in the air, land or sea. Owners and operators will have to report incidents to CISA, though the complete published regulations are expected by the end of the year. 