CISA chief tees up cyber directives for the water and chemical sectors

CISA Director Jen Easterly said new directives for the water and chemical industries were coming soon in the wake of the passage of the $1.2 trillion Infrastructure Investment and Jobs Act, which includes cybersecurity requirements for public water systems.

Jen Easterly, CISA Director, speaks at Aspen Cyber Sept. 29, 2021

CISA Director Jen Easterly speaks at a think tank event in September 2021

The Cybersecurity and Infrastructure Security Agency (CISA) is working on establishing new directives for the water and chemical industries as part of a federal effort to protect critical infrastructure from increasing cyber threats, according to the head of the cybersecurity agency.

CISA Director Jen Easterly detailed how she has been working with various agencies to release a series of publicly-available guidelines which align with the president's cybersecurity executive order since she was unanimously confirmed to serve in her post in July, while expanding collaborative partnerships with federal agencies and industry stakeholders around improving cyber posture.

"I'm spending a lot of time on implementing the president's executive order, which was very focused on federal cybersecurity, but frankly is a signal to the rest of industry about the kind of things we need to do from a modernization and visibility perspective to ensure the security and resilience of our critical infrastructure," Easterly said at an industry event hosted by Wired, adding that she has been "spending a huge amount of time on that critical infrastructure mission, both working off some of the sprints that the White House has directed with the electricity sector, the pipeline sector, and soon-to-be the water and chemical sectors."

Easterly remarks come following the passage last week of the $1.2 trillion Infrastructure Investment and Jobs Act the House passed last week, which featured $48.4 billion over five years for drinking water and wastewater spending at the Environmental Protection Agency (EPA) – including several cybersecurity measures involving CISA.

The bill requires the EPA to coordinate with the CISA director to prioritize public water systems based on the impact on public health and safety if they are taken offline or disrupted by cyberattacks. CISA and EPA will also be tasked with establishing timelines for water systems to make necessary fixes to mitigate cyber vulnerabilities and reduce the risk of cybersecurity threats.

CISA has built out partnerships and created new initiatives under Easterly to provide a growing pool of prioritization frameworks and security directives for sector-specific agencies.

Last week, the agency released a new binding operational directive requiring all federal civilian agencies to remediate nearly 300 known exploited vulnerabilities within six months. Earlier this year, the Transportation Security Administration (TSA) released its first-ever emergency security directives for the pipeline industry following the Colonial Pipeline ransomware attack, developing the guidelines in consultation with CISA.

However, some of the directives have been met with pushback from lawmakers and private industry. Senate Republicans on the Homeland Security and Governmental Affairs Committee have called for the Department of Homeland Security Office of Inspector General to review how the recent pipeline directives were created while expressing concerns of an apparent cloak of secrecy, saying in a letter that CISA and TSA "failed to give adequate consideration to feedback" and departed "from TSA's historically collaborative relationship with industry experts" when drafting the guidelines.

Still, Easterly said she was continuing to establish performance goals around previously released directives for the electricity and pipeline sectors, while expanding partnerships between the public and private sector, like the Joint Cyber Defense Collaborative (JCDC) the agency launched in August to combat ransomware.

"We're looking at things functionally now, and doing a lot of work on how to define systemic risk and importantly, how to reduce that risk," she said. "It's all about collaborative partnerships, and that's why I've been spending a huge amount of time with industry.