In its latest initiative to help secure critical infrastructure, the Cybersecurity and Infrastructure Security Agency (CISA) has released a number of voluntary performance goals that aim to reduce security risks across organizations that deal with both IT and operational technology (OT).
The security performance goals were mandated by a National Security Memorandum passed in July 2021 by the Biden administration, which directed CISA to work with the National Institute of Standards and Technology (NIST) to develop them. The goals expand on previous security guidance, such as the NIST Cybersecurity Framework for building and evaluating cybersecurity programs, by identifying significant IT and OT system controls “with known risk-reduction value that are broadly applicable across sectors,” CISA Executive Assistant Director for Cybersecurity Eric Goldstein has previously said. At the same time, CISA said that the goals are intended for small- and medium-sized organizations that need additional support when prioritizing certain security measures, especially when struggling with operational limits like tight budgets, staffing and expertise.
“The Cross-Sector Cybersecurity Performance Goals (CPGs) strive to address this need by providing an approachable common set of IT and OT cybersecurity protections that are clearly defined, straightforward to implement, and aimed at addressing some of the most common and impactful cyber risks,” said Jen Easterly, director of CISA, in a statement. “The CPGs are written and designed to be easy to understand and relatively easy to communicate with non-technical audiences, including senior business leadership.”
The performance goals focus broadly on a number of cybersecurity measures that extend across the 16 designated critical infrastructure sectors, including issues related to account, device and data security; governance and training; vulnerability management; supply chain; and response and recovery. Each goal has been positioned by CISA with an intended outcome, the scope of the issue and a recommended action for both IT and OT; for instance, multi-factor authentication (MFA) is categorized under account security, with the recommended action being to enable MFA for IT accounts and within OT accounts that can be accessed remotely (including vendor/maintenance accounts, remotely accessible user and engineering workstations and remotely accessible Human Machine Interfaces).
On the heels of the Colonial Pipeline ransomware attack, the Biden administration over the past year has spearheaded several initiatives that aim to better secure industrial control systems (ICS). CISA has also led many of the critical infrastructure security efforts at a federal level, in April expanding the Joint Cyber Defense Collaborative (JCDC) – an agency effort to develop cyber defense plans with both public and private sector entities – to focus on ICS security by bringing in new partners, for instance. However, as previously highlighted during a Cybersecurity, Infrastructure Protection and Innovation subcommittee government hearing in September, the government is still working through challenges in targeting efforts toward smaller operators grappling with limited resources, and ensuring that the OT investments being made today have security built into them. CISA hopes the performance goals – which are voluntary and not regulatory – will help overcome this challenge by demonstrating potential first steps for these smaller operators in setting up security measures.
“Ultimately, our hope is that the CPGs will not only serve as a strong foundation for improving cybersecurity across our nation’s critical infrastructure sectors, but also as a baseline of security outcomes that merit the trust of the American people,” said Easterly.