What the National Cyber Strategy Implementation Plan means for critical infrastructure

The White House published the National Cybersecurity Strategy Implementation Plan (NCSIP) last week, a significant effort by the Biden-Harris administration to mitigate cyber risk. The plan details more than 65 high-impact federal initiatives targeted for implementation before the end of 2025. While a huge undertaking, it signals a move to action following President Biden’s signing of the National Cybersecurity Strategy in March.

Given its importance to the economy, it’s very promising to see critical infrastructure security as a top pillar, especially now amid the current increase in attacks. When it comes to protecting the fabric of our society and our scarcest resources, the U.S. faces an unacceptable reality of being an infrastructure cybersecurity laggard with an urgent need to step-up its defenses.

On a more positive note, the 16 critical infrastructure sectors, each with its own sector risk management agency (SRMA), have made some progress by issuing sector-specific cyber guidance. The Transportation Security Administration (TSA) paved the critical infrastructure security path by going beyond guidance and issuing new regulations for the energy and transportation sectors, which required oil and gas pipeline operators to level-up their security.

It’s been good to have regulations with teeth governing these industries and there are documented cases of operators making strides to implement TSA guidance. The NCSIP signals to the other SRMAs across the remaining 15 critical infrastructure sectors to move forward with their own specific regulations and cybersecurity requirements.

The urgent need for new requirements has been reflected in recent cyber incidents like the living-off-the-land (LOTL) attacks that affected everything from operational technology (OT) to IT. Similarly, the recent Volt Typhoon disclosure revealed that a China-sponsored cyber adversary had been lurking around in U.S. critical infrastructure in Guam and other locations using sophisticated LOTL techniques.

What’s worse, the risks come from all directions. We’ve got a situation today where inside jobs, in addition to nation-state adversaries, are plaguing infrastructure environments. Case in point: this month a California a man was charged with hacking into a water treatment facility where he formerly worked as a contractor. Insecure remote access issues pose a real – and addressable – threat to critical infrastructure.    

Leading critical infrastructure initiatives defined

Language from the new NCSIP demonstrates a move by the Biden-Harris administration to close the individual sector regulatory gaps with enforcement measures that address all 16 sectors. Of note, the document says, “The federal government will use existing authorities to set necessary cybersecurity requirements in critical sectors. Where federal departments and agencies have gaps in statutory authorities to implement minimum cybersecurity requirements or mitigate related market failures, the administration will work with Congress to close them.” This suggests that authority to set requirements and compliance mandates will expand, which could force action. Other important initiatives include:

How to face the challenges ahead   

Yes, the NCSIP initiatives are meaningful and good. Still, the government and critical infrastructure sectors will face challenges such as partisan and federal-state regulatory clashes that stand in the way of achieving greater cyber standards with the NCSIP. As the White House announced the NCSIP, a U.S. court put a stop to an Environmental Protection Agency (EPA) rule intended to better safeguard public water systems against hackers, the Washington Post reported.   

It's important to make more headway with public-private collaboration to create forward progress. Most of the businesses within the 16 sectors are privately owned, but they’re regulated by federal agencies and, they may not have faced the need to comply with specific cybersecurity regulations to date. The SRMAs will have to make skilled regulatory rollouts to ensure substantive adoption of improved cybersecurity by the regulated companies.

Incentives may help. We are already seeing progress with the Federal Energy Regulatory Commission (FERC) allowing for incentive treatment of voluntary cybersecurity spend in recent weeks. This means that when utilities invest in cyber they can charge higher rates until they recoup that investment, typically five or so years down the line.

Mandates encourage action and technology adoption

Although some initiatives in the plan are more developed than others, overall the NCSIP suggests strong progress in ensuring the adoption of modern cybersecurity technologies, such as preventative zero-trust techniques that have the power to protect us against cyberattacks. It’s also encouraging to see the plan include specific milestones with completion timeframes and annual follow-up.

The OT security market has already moved to more progressive cyber approaches, according to the new Gartner Market Guide for Cyber-Physical Systems Protection, including ones that block attacks without requiring a rip-and-replace of equipment. The NCSIP implementation plan further accelerates this trend.

It’s good to see the federal government move from cybersecurity guidance to more focused requirements that can drive cyber improvements across critical infrastructure sectors. It’s time to modernize America and the cybersecurity of our most critical infrastructure, and these steps will help get us there.

Roman Arutyunov, co-founder & SVP products, Xage Security