The federal government is seeking to increase cybersecurity in critical infrastructure industries through the implementation of a voluntary Industrial Control Systems Cybersecurity Initiative (Initiative), while the US House of Representatives (House) concurrently focuses on the same goal by passing three bills aimed at enhancing cybersecurity. While it’s currently voluntary, it’s likely the Initiative, along with the performance goals issued in conjunction with it, may become mandatory for companies that own or operate critical infrastructure facilities.
In order to focus on strengthening the nation’s cybersecurity within the energy industry, the House recently passed the Energy Emergency Leadership Act (HR 3119), the Enhancing Grid Security through Public-Private Partnerships Act (HR 2931) and the Cyber Sense Act (HR 2928).
On July 28, 2021, shortly after the House passed the above three bills, the Biden Administration released a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (Memorandum). The Memorandum affirmatively recognized that the “[p]rotection of our Nation’s critical infrastructure is a responsibility at the Federal, State, local, Tribal and territorial levels and of the owners and operators of that infrastructure.” In order to protect such infrastructure, the administration states that it is its policy “to safeguard the critical infrastructure of the Nation, with a particular focus on the cybersecurity and resilience of systems supporting National Critical Functions…”
As a result, the administration established the voluntary Initiative between the federal government and the critical infrastructure community with the primary objective of defending the United States’ critical infrastructure through facilitating the deployment of technologies and systems that will increase cybersecurity. The Memorandum further instructs the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Commerce’s National Institute of Standards and Technology (NIST) to develop cybersecurity performance goals for critical infrastructure. The US Secretary of Homeland Security will issue initial goals for control systems no later than September 22, 2021, with cross-sector and sector-specific goals to be issued within a year of the Memorandum.
On May 7, 2021, just before 5 am, an employee in the Colonial Pipeline Co.’s control room found a ransom note sent by hackers demanding cryptocurrency. In response, Colonial Pipeline Co. Chief Executive Officer Joseph Blount shut down the entire pipeline by 6:10 am. This marked the first time in its 57-year history that Colonial Pipeline Co. shut down its entire gasoline pipeline system. Colonial Pipeline Co. paid the hackers, who were an affiliate of a Russia-linked cybercrime group known as DarkSide, a $4.4 million ransom shortly after the hack. However, the US Department of Justice announced it recovered $2.3 million of the ransom in June.
Mere months after this significant breach of cybersecurity, the House approved HR 3119, which was introduced by US Representatives Bobby Rush (D-IL) and Tim Walberg (R-MI) to increase energy emergency and cybersecurity responsibilities as a core function for the US Department of Energy (DOE) and create a new assistant secretary position to specifically focus on these issues. In a statement released [...]