It’s important to note, however, that the new Industrial Control System Cybersecurity Initiative is a voluntary collaborative effort in which federal cybersecurity agencies will advise the ICS community on the technical security controls they should deploy to help thwart, monitor, detect, and alert against threats to their systems. Ultimately, its success or failure will depend on two things: the actual technical details of the government’s recommendations and the fines or impacts imposed if the recommendations aren’t followed.
So far, the administration hasn’t shared any specific recommendations, just that they will collaborate to help. The initiative will start with electricity companies before expanding to include other critical infrastructure providers. While the administration intends to set performance goals for this initiative, they haven’t defined them yet. Also, since the initiative is voluntary for now, there are no consequences for private ICS businesses that choose to ignore it (or, for that matter, positive incentives to get them to comply).
Without the details and more teeth, it’s hard to say if this program will have any impact. After all, federal agencies have already been collaborating and sharing threat info with ICS companies that listened (ICS-CERT). It will be interesting to see whether the administration takes a more aggressive approach if (or more likely when) there’s another major attack on a critical infrastructure company.