Yesterday, the Biden Administration unveiled a new initiative to help improve the cybersecurity stance of the industrial control systems (ICS) that manage the nation’s critical infrastructure. As recent events (like the Colonial Pipeline ransomware incident) have shown, disruptions to critical infrastructure can have serious, potentially even fatal consequences. In short, this is a very real need and one the Federal government should be helping to meet.
It’s important to note, however, that the new Industrial Control System Cybersecurity Initiative is a voluntary collaborative effort in which Federal cybersecurity agencies will advise the ICS community on the technical security controls they should deploy to help thwart, monitor, detect, and alert against threats to their systems. Ultimately its success or failure will depend on two things: the actual technical details of the government’s recommendations and the fines or impacts imposed if the recommendations aren’t followed.
So far, the administration hasn’t shared any specific recommendations, just that they will collaborate to help. The initiative will start with electricity companies before expanding to include other critical infrastructure providers. While the administration intends to set performance goals for this initiative, they haven’t defined them yet. Also, since the initiative is voluntary for now, there are no consequences for private ICS businesses that choose to ignore it (or, for that matter, positive incentives to get them to comply).
Without the details and more teeth, it’s hard to say if this program will have any impact. After all, federal agencies have already been collaborating and sharing threat info with ICS companies that listened (ICS-CERT). It will be interesting to see whether the administration takes a more aggressive approach if (or more likely when) there’s another major attack on a critical infrastructure company.