Operators of chemical facilities will follow those of electric utilities, gas pipelines and water treatment plants in being asked to facilitate visibility into their systems.
The Biden administration’s voluntary-first approach to cybersecurity is set to target the chemical sector in a fourth 100-day sprint to gain insights into the cybersecurity posture of the nation’s critical infrastructure, and to ultimately improve its resilience.
“We were asked last year by the White House through a national security memorandum to focus on protection of industrial control systems, and I think the chemical sector is next in line,” said Cybersecurity and Infrastructure Security Agency Director Jen Easterly, adding, “we're going to kick off a 100-day sprint with probably many of you here.”
Easterly was addressing participants Wednesday at a three-day chemical security conference the agency is hosting on the issue.
The national security memo published last summer was in response to the attack on Colonial Pipeline and focused attention on the vulnerability of critical industrial control systems. Rolling out the initiative, administration officials said the sprints aim to encourage operators to install tools that would help them detect and respond to cyber incidents.
Ideally, pilot programs under the sprints would tap an existing CyberSentry program run by CISA, the officials said, but they were unclear on how or if the operators would be compensated for deploying sensors in their environments. Regardless, they say, more than 150 utilities have installed, or have committed to installing, the technology.
During Wednesday’s conference, Kelly Murray, CISA’s associate director for the chemical sector, said industry partners are already closely collaborating with the agency, which is notable given the widespread suspicion that voluntary programs will suddenly turn into mandatory ones. She shared data showing the agency has conducted almost as many voluntary compliance assistance visits as it has mandatory inspections.
The chemical sector is often cited as one to replicate when considering how to incentivize cybersecurity through regulations.
“[With] chemical facilities...this is an area where this performance, outcome-based approach to regulation has been very successful,” the Government Accountability Office’s Tina Won Sherman recently told Nextgov. “It's kind of just how it's done. So that is an area where we have done work in the past and...that is kind of like an alternative path forward rather than laying out the more prescriptive steps.”
But industry stakeholders have already started pushing back on the administration’s efforts to broaden out the performance-based approach, asking for flexibility more in line with the National Institute of Standards and Technology’s framework of cybersecurity standards for critical infrastructure. The NIST CSF, as it’s called, allows operators to choose which controls they implement based on the amount of risk they’re willing to accept.
Easterly praised the chemical sector’s performance standards for addressing both information technology and the operational technology managed by industrial control systems.
“It was really telling to me that even back in 2009, how robust the standards were, laid out for both physical security but also cyber security,” she said. “It was before cyber was really a thing that this community really understood the importance of a collective approach.”
She told Nextgov the performance-based standards CISA is getting ready to issue for the broader community can be thought of “almost as a subset of some of what you see in the NIST cybersecurity framework,” and that the agency is, “working together with industry to ensure that that makes sense, where they want to have a focus.”