CISA presents cybersecurity targets for critical infrastructure

At the request of the White House, the US Cybersecurity and Infrastructure Security Agency (CISA) recently released voluntary, cross-sector Cybersecurity Performance Goals. The memorandum issued by President Biden in July 2021 aimed to increase national cybersecurity for systems that control infrastructure across all critical sectors.

Work to develop the goals was carried out in conjunction with the US National Institute of Standards and Technology (NIST) and communities representing the industries involved. It resulted in a standard set of critical infrastructure cybersecurity essential practices aimed at helping small and medium-sized organisations start their efforts.

The so-called Cybersecurity Performance Goals (CPGs) prioritise cybersecurity practices for Information Technology and Operational Technology (IT and OT) systems that can be implemented by owners and operators of critical infrastructure to significantly reduce the risks and impacts of intrusions. “By pursuing these goals, risks to critical infrastructure operations and the American people will be reduced,” CISA warns.

The goals are based on extensive feedback from groups, including federal agencies, the private sector and international partners. Comments were received, and workshops, listening sessions and discussions were held with experts in various disciplines. The CPGs were determined taking into account three criteria:

(1) Significantly and directly reduce the risks and impacts caused by commonly observed cross-sectoral threats and adversarial TTP;

(2) Be clear, practical and easily definable; and

(3) Be reasonably simple and not cost-prohibitive, even for small and medium-sized organisations.

CISA intends to keep the dialogue open for input as organizations adopt CPGs in practice and thus update the targets regularly. The agency also intends to develop targets for specific critical infrastructure sectors in the coming months, identifying additional practices, providing examples of sector-specific recommended actions, and mapping other potential requirements, such as regulations or security directives.

In addition to the basic set of practices, CPGs can become a benchmark for critical infrastructure operators who wish to measure and improve their cybersecurity maturity levels.

CISA cautions that these goals are not comprehensive, failing to identify all the cybersecurity practices needed to protect national, economic, health and public safety. They are only a basic set of measures with recognised value to reduce risks across all sectors. The agency also stresses that the CPGs are voluntary, meaning owners and operators will not be required to adopt them, let alone issue related reports to any government agency.

“CPGs are intended to complement the NIST cybersecurity framework for organisations seeking assistance in prioritising limited high-impact security investments, either because of gaps in experience, resources or skills or to enable improvements with a focus on suppliers, business partners or customers,” CISA explains.

In an interview with the CSO website, several experts reacted well to the CISA initiative. One of those interviewed, Mark Montgomery, senior project director of the Center for Cyber and Technology Innovation at the Foundation for Defense of Democracies (FDD), noted that CPGs are “really important for small and medium enterprises. According to him, large companies generally need less of the easily digested assistance contained in CPGs. “And for that reason, I think there’s value in these targets for that large median group,” he says.

The CSO story points out that one must be vigilant. While CISA emphasizes that CPGs are voluntary, some say that the NIST cybersecurity framework was incorporated into CISA’s recommendations following a White House national security memo may indicate the goals becoming regulatory requirements.