The National Infrastructure Advisory Council has approved a report calling for mandatory cyber standards that go across critical infrastructure sectors and are outcome-based to allow for flexibility in implementation.
The report addresses several cross-cutting policy challenges that impact critical infrastructure and finds voluntary standards are not enough to achieve the necessary security needs. The council approved the report at a Tuesday meeting following an overview from NIAC member Craig Glazer of electric transmission company PJM and deliberation among NIAC members.
“Although NIAC members recognized the value of voluntary coordination and collaboration among private sector entities and between the private and public sectors, given the cross-sector interdependencies of critical infrastructure, there was a consensus that in key areas such as cybersecurity, it is time to move toward more mandatory standards rather than relying solely on appeals to altruism or consideration of best practices,” NIAC says in a pre-decisional draft of the report circulated ahead of the meeting.
When it comes to outcomes, the report says “NIAC recommends that any mandatory standards focus on the what (i.e. the objective to be achieved) rather than dictating the how (i.e. the details of how the standard is to be met by any individual or group of critical infrastructure providers).”
It argues that the Biden administration should start with developing standards for “the physical security or cybersecurity of critical infrastructure and the delivery of essential services.”
During the meeting, NIAC members agreed to add “tangible examples” of performance-based standards to the report and also acknowledged a need to recommend in the final report a forum to analyze the standards concept in greater detail.
The White House has made establishing cyber regulation in critical sectors a priority as part of the national cyber strategy.
The NIAC report identifies ten barriers to cross-sector collaboration and offers specific recommendations for improvements. One of the barriers focuses on supply chain physical and cybersecurity challenges.
The report says, “As our nation’s industries have become more dependent upon one another, information sharing and cross- sector collaboration concerning commonly used hardware and software inputs grows in importance. This need exists both for physical dependencies but is even more pronounced in addressing cybersecurity concerns with products received from others in the supply chain.”
“In short,” NIAC found, “if various industries in the supply chain are not communicating and developing workarounds for damaged or compromised hardware and software inputs, the entire supply chain can face crippling interruptions.”
More intelligence sharing from the government is also needed, according to report.
The report says, “The NIAC recognizes the sensitivities around sharing of intelligence information. However, the NIAC believes there is a difference between sharing the source of the threat, which the private sector does not necessarily need to know, versus more specifics on the nature of the threat so the private sector can take self-help steps to mitigate.”
NIAC also recognizes that the private sector should share information on potential vulnerabilities. This includes hardware and software as well as a need for “common approaches to maintenance and security upgrades to critical infrastructure such as dams, levees, pipelines and related physical infrastructure that can affect public safety.”
Among the recommendations is a proposal for the National Security Council to form a convening group for “cross-sector drills” to test out coordinating responses to physical or cyber attacks on critical infrastructure. NIAC points to the GridEx exercise for the electricity sector as an example.
Other proposals address streamlining standards for common activities in the private sector like employee background checks and supply chain security authorization; developing a “common playbook” for increased coordination between federal, state and local governments; and including “vulnerable communities in planning and restoration efforts.”
The report calls for a “common clause failure analysis” to address supply chain issues and offers areas for prioritizing standards setting for cyber starting with “[t]hreat modeling/vulnerability assessments.”
The other areas are:
- Network segmentation;
- Access provisioning;
- Privileged account management;
- Patch management; and
- Clear pathways for real time sharing of legally protected information (such as between the health care sector, law enforcement and regulatory communities).
NIAC proposes creating a pilot to “identify the benefits of additional third-party certifications.”
The report says, “Third-party verification and certification can also be a basis for granting business incentives between stakeholders that encourage adoption of enhanced, voluntary cybersecurity standards beyond minimal cybersecurity regulations.”
President Biden announced a substantial revamp of the NIAC membership last September. The report marks the first work product under the reorganized advisory group.
At the Tuesday meeting, Liz Sherwood-Randall, Assistant to the President for Homeland Security and Deputy National Security Advisor, said she was impressed by NIAC’s ability to turn around the report in a three-month time period and pledged to provide a response from the National Security Council at the next NIAC meeting in June.
The council is working on additional reports on water security and electrification and heard updates from subcommittee leadership on those efforts. -- Sara Friedman (sfriedman@iwpnews.com)