Securing critical infrastructure: Get ready as voluntary becomes mandatory

Biden memorandum signals that the private sector must live up to cyber performance goals 

On July 28, 2021, President Biden signed a memorandum to modernize defenses in industrial control systems (ICS) that command and direct manufacturing, product handling, production, distribution and related data acquisition. 

Why does it matter? The Biden administration committed to take concrete action soon after Americans saw how easy it was for hackers to threaten essential services like gas and food in May 2021. It immediately required pipeline owners and operators to implement urgently needed protections, spelled out in two directives from the Department of Homeland Security’s Transportation Security Administration.

With the July 28 memo, President Biden signals future action on other priority critical infrastructure sectors such as water, wastewater and chemicals. 

This is a matter of trust. The American people should be able to count on services to be safe and reliable. And they should be able to trust that critical infrastructure — in government and in the private sector — can stand up to 24/7 cybersecurity threats.

What’s in the memo?

Biden’s “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems” engages the private sector to harden defenses in two ways:

  • It requires setting cyber performance goals — “baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.” September 22, 2021, is the deadline for the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to draft preliminary goals. Final cross-sector and sector-specific goals are due in a year, after consultations with relevant agencies.
  • It encourages expanded deployment of technologies and systems in the private sector via the voluntary, but formalized, ICS Cybersecurity Initiative. In scope are technologies and systems that (a) provide threat visibility, indications, detection and warnings and (b) facilitate response capabilities for cybersecurity in essential control system and operational technology networks.

Although the ICS initiative is a voluntary, collaborative effort between the federal government and the critical infrastructure community, the Biden administration takes a positive view. At the background press call about the memo, an official cited the ICS initiative pilot with the electricity subsector, stating that “already over 150 electricity utilities representing almost 90 million residential customers are either deploying or have agreed to deploy control system cybersecurity technologies.”

Get ahead of the coming regulatory compliance obligations

Engage with the government on the development of goals and standards

Organizations in critical infrastructures have an opportunity to shape voluntary standards and goals that will likely become requirements a year from now. Here are some key ways to get ahead:

  • Actively engage with the government. Develop a smart understanding of how the government is approaching this initiative. Share your industry and operational insights to help develop clear performance standards in order to build trust in services that Americans depend on every day.
  • Drive a risk-based approach and work with your respective government agencies towards standards and goals that can lead to the greatest improvement (despite resource constraints) and position the private sector to be agile in the face of ever-evolving threats. 
  • Bring your voice and influence together with your industry associations. Use established mechanisms and programs (including consortia and public working groups) to collaborate with the government via CISA and NIST.
  • If you’re in a sector that has not had any regulatory security compliance obligations, prepare to fold these into your overall regulatory compliance program.

Continue to improve your cyber program

Continue improving your organization’s cyber posture. That’s what you can fully control. Your own cyber performance goals should reflect your assessment of the weaknesses that prevent your business from attaining sustainable outcomes for stakeholders.

Don’t overlook these ways to fortify your cyber defenses, where we consistently see weaknesses across critical infrastructures. 

  • Asset inventory: This capability separates the vulnerable from the resilient. In the energy, utilities and mining sector, for example, only 37% of respondents reported having conducted an inventory of key processes and assets in our 2019 Digital Trust Insights survey. Meanwhile, across all industries, 91% of the respondents scoring the highest on resilience maintain an accurate inventory, which is refreshed as needed. Having visibility into your key assets and processes is foundational. You can’t protect what you can’t see. For large enterprises, IT assets run in the millions and connections in the hundreds of millions. But there are technologies now to map critical assets and processes in depth.
  • Operational technology security program: Many operational technology (OT) infrastructures still lack basic cyber protection. Securing your OT requires different and distinct tools from those used for IT security. For example, patching vulnerabilities on devices that control your production lines or product formula or medical dosage is not the same as patching IT operating systems.
  • Network segmentation: Even in a converged network, you’ll need a network architecture that prevents threats from moving unimpeded — between your OT and IT systems, and throughout your networks that are spread over multiple environments. Powerful but still underutilized, network segmentation enables your organization to reap the benefits of digitized operations (efficiency, continuous improvement, better customer service) while mitigating risks.
  • Threat detection and response: Attackers often target intrusion detection and response systems so that they can gain access and then move within systems without being discovered. Today, identifying and containing intrusions takes months, long enough for undetected attackers to do costly damage. But companies realize that this has to change. Real-time threat intelligence capabilities are second only to cloud security as an investment priority for industrial manufacturing companies in the next two years, according to our 2021 US Digital Insights Snapshot Survey of CISOs and CIOs.

Contact us

Joseph Nocera

Cyber, Risk and Regulatory Marketing Lead Partner, PwC US

Matt Gorham

Cyber & Privacy Innovation Institute Leader, PwC US

Brad Bauch

Principal, Cyber, Risk and Regulatory, PwC US

Harshul Joshi

Principal, Consulting Solutions, PwC US
