CSC 2.0 report suggests revising public-private collaboration to protect US critical infrastructure, provides guidance

A recent report released by the U.S. Cyberspace Solarium Commission (CSC) 2.0 identified that the lessons learned from the Colonial Pipeline ransomware incident speak to the broader challenge of inconsistent capabilities and performance across SRMAs (Sector Risk Management Agencies). The CSC 2.0 report identified three key takeaways from the Colonial Pipeline attack related to public-private collaboration: a breakdown in government information sharing; an SRMA framework that struggles to remain relevant during emergency response; and pre-crisis collaboration and partnerships, especially voluntary security standards, relationships, and processes, that proved insufficient.

“During the response to the Colonial Pipeline breach, information appears to have been siloed within government agencies,” Mary Brooks, Annie Fixler, and Mark Montgomery wrote in their latest CSC 2.0 report, released last week. “After detecting the breach, Colonial Pipeline informed the FBI of the cyberattack, yet according to the testimony of CISA officials, the FBI did not inform CISA of the crisis for several hours, and Colonial did not contact CISA separately. (Brandon Wales, then CISA’s acting director, testified that he did not believe Colonial would have notified CISA at all had the FBI not done so.) And neither the FBI nor Colonial immediately notified the TSA or the Department of Transportation.”

It also revealed that as the co-SRMA for the pipeline subsector, the TSA has ‘primary oversight responsibility for the physical security and cybersecurity of pipeline systems.’ However, “the product carried in the pipeline — jet fuel and gasoline — is part of the energy sector. Simply put, supporting the security and resilience of the pipeline was the TSA’s responsibility, but the Department of Energy (DOE) held responsibility for ensuring that the product was delivered,” the report added. 

“In the Colonial Pipeline case, DOE appears to have served as the primary interagency coordinator for the federal government as a result of a White House decision,” the CSC 2.0 report identified. “By most accounts, DOE did an admirable job in this role, and, as the chief concern was less the security of the pipeline and more the availability of energy, there was a natural role for DOE. Nevertheless, it appears CISA and TSA were marginalized, which indicates at least some elements of the SRMA framework are not optimized for crisis response.”

The CSC 2.0 report also identified that at the time of the incident, Colonial Pipeline had no regulatory requirement to inform the government of a cyber breach, nor was the company required to meet specific cybersecurity standards. “TSA had previously issued voluntary security guidelines for pipelines and conducted security assessments of private pipeline companies in its role as SRMA. TSA testified to Congress, however, that Colonial Pipeline declined several of its offers for physical security and cybersecurity assessments, although the company had participated in corporate security reviews and critical facility security reviews in the past.”

In the wake of the breach, TSA issued an emergency pipeline directive to compel incident reporting and designation of a central point of contact within companies, the CSC 2.0 report said. “Oil and natural gas industry associations and infrastructure cybersecurity experts criticized the first iteration of this directive not only as overly prescriptive but also as technically infeasible. TSA has subsequently revised the directive multiple times with increasing industry input and support, although disagreements on substance and process remain between TSA and industry groups,” it added. 

Additionally, in early 2022, Congress passed a new law, the ‘Cyber Incident Reporting for Critical Infrastructure Act of 2022,’ which will require critical infrastructure providers to report cyberattacks to the CISA (Cybersecurity and Infrastructure Security Agency) within 72 hours.

The Colonial Pipeline ransomware incident provided insights into the broader challenge of inconsistent capabilities and performance across SRMAs. “While the FY 2021 NDAA attempted to rectify discrepancies by establishing consistent responsibilities, not all SRMAs have the necessary authorities and resources to perform their jobs well. Poor performance may also result from how the SRMA’s responsibilities are delegated within the department or a lack of agency leaders’ commitment to the SRMA’s mission,” the report added.

The report also pointed out that two Obama-era directives created the foundation of the critical infrastructure protection framework currently in use – Presidential Policy Directive 21 (PPD-21) and Executive Order (EO) 13636. These directives built on work done in the Bill Clinton and George W. Bush administrations, including efforts to establish a cross-sector critical infrastructure protection commission and assign lead agencies to work with designated sectors of U.S. infrastructure. Clearly, the strategy and policy documents are static and out of date, and hence unable to keep up with advancing cyber threats and adversarial attacks. 

“Neither PPD-21 nor the FY 2021 NDAA provides specific guidance to federal agencies on how to manage or resource their SRMA responsibilities,” the CSC 2.0 report underlined. “The agencies may designate a specific office to execute the role of SRMA on behalf of the department. The SRMA for a given sector may or may not have regulatory authority over that sector. In section 9002(b) of the FY 2021 NDAA, Congress tasked the secretary of homeland security with assessing the existing framework as well as the performance of SRMAs and, as applicable, issuing recommendations for 1) revising that framework, 2) the current list of sectors and their SRMAs, and 3) identifying and designating new sectors or subsectors,” it added.

CISA conducted this assessment and transmitted its findings to the White House in November 2021, the CSC 2.0 report said. “Its report focused on weaknesses in the SRMA framework — with particular attention to CISA’s own performance — and proposed concrete recommendations to improve the system. In November 2022, the Biden administration forwarded the DHS report to Congress and made the findings public. Alongside the report, the White House issued a letter from President Joe Biden noting the administration’s intent to revise PPD-21.”

Keeping these factors in mind, the CSC 2.0 report identifies that updating the national critical infrastructure protection framework is no small task. “Doing so successfully requires both an understanding of the minutiae of individual SRMAs and their subcomponents as well as a holistic understanding of the SRMA framework. It requires a firm understanding of statute, policy, and practice, and it will require action and input by the executive branch, Congress, and industry alike.”

It added that “the Biden administration has already committed to rewriting PPD-21 and has begun a broad policy review in service of that goal, although questions remain about the scope and timeline of the planned revisions. A wholesale rewriting of PPD-21, however, risks undercutting those relationships, structures, and processes that have effectively promoted public-private collaboration.” 

The CSC 2.0 report identifies numerous challenges in the existing structure, as the strategy and policy documents governing critical infrastructure have become stale. The current systems for designating sectors as critical and for mitigating cross-sector risks are inadequate, as CISA is unable to fulfill its responsibilities, and it does not receive the interagency support necessary to act effectively as the national risk manager. 

“Voluntary security relationships are not delivering the necessary results. Additionally, processes for sharing information, responding to emergencies, designating priority infrastructure within sectors, and promoting resilience are insufficient,” the report said. “Despite these challenges, this report concludes that the overall concept underlying the government’s critical infrastructure protection system — anchored in an approach that balances regulation, incentivization, and collaboration — remains the best method to coordinate the public and private sectors.” 

The report offers operational-level recommendations to improve the existing system while addressing broader strategic considerations that require an update to PPD-21. It also offers specific guidelines on how to revise PPD-21 to preserve what is working while also addressing the significant challenges in building effective public-private collaboration.

While there are outstanding questions on the intent, scope, and timeline of the Biden administration’s policy review process for updating PPD-21, the CSC 2.0 report provided a set of guidelines that should shape any revision process. The authors divided these recommendations across two categories – rewrite PPD-21 for a new era and support the PPD-21 rewrite with implementation and resourcing efforts. 

As part of rewriting PPD-21 for a new era, the CSC 2.0 report suggests identifying any change in strategic direction, as the geopolitical and cybersecurity environment has changed substantially, and PPD-21 must change accordingly. It also identifies new critical infrastructures that have emerged over the past decade, including space systems and the cloud computing industry. It further calls for updating processes with surgical precision, warning that wholesale changes, such as removing the sector-by-sector focus, risk undercutting this work and leaving the country even more vulnerable in a crisis.

The document also recommends not using policy as a catch-all for implementation problems, but ensuring operational and implementation documents are updated. Many of the weaknesses of the current national critical infrastructure protection framework are ones of implementation. It also proposes creating a mechanism to keep PPD-21 and supplemental policy documents updated. Critical infrastructure protection documents should probably be updated biennially and certainly more often than once a decade. 

The report also calls for defining expectations for CISA as the national risk management agency (NRMA), as its success underpins the success of the national critical infrastructure protection framework. Its roles and responsibilities as the national risk manager should be clarified, and it should be given the authority to realize them. It also suggests selectively strengthening CISA as the NRMA. CISA has been given a tremendous amount of responsibility in recent years, and there is a hunger for it to do more — particularly in information sharing, risk analysis and management, and emergency response. 

The CSC 2.0 report also seeks clarification of SRMA roles and responsibilities to resolve any discrepancies between executive branch policy and FY 2021 NDAA language, and to provide enough clarity that these issues do not resurface, while recognizing that not all SRMAs — and not all sectors — are the same and that flexibility is a must. It also suggests that adequate resources be allocated to SRMAs to ensure that agency needs are anticipated and included in the President’s annual budget submission to Congress.

The document suggests solving the perennial question of who in the government to call during a crisis, as a company dealing with an emergency incident cannot be expected to call the FBI, CISA, and its SRMA. It also recommends revamping information sharing between the government and private sector, largely resolving issues of liability and recognizing that private sector information is often better than government information, particularly on domestic issues. 

The CSC 2.0 report also proposes establishing a prioritization framework to identify systemically important entities and work with Congress to develop a system of benefits and burdens. It also calls for the creation of minimum physical security and cybersecurity standards hand in hand with industry. Industry often knows what it needs, and minimum standards cannot be handed down from on high. Nonetheless, a completely voluntary model has repeatedly proven unsuccessful. There needs to be a new middle ground that achieves sufficient standards through a balance of regulation, incentivization, and collaboration.

Lastly, the report calls for continuous communication with stakeholders. “Updating stakeholders in government and beyond in an iterative process. This is not the type of policy that can be held until a final version is decided upon,” it added.

Commenting on the move, Roman Arutyunov, co-founder and senior vice president of products at Xage Security, wrote in an emailed statement that “revising the decade-old Presidential Policy Directive 21 (PPD-21) is long overdue, given the rise of attacks on our nation’s critical infrastructure. From the Colonial Pipeline attack in 2021 to Volt Typhoon’s hack into U.S. military bases in Guam in 2023, the need to secure tactical, operational, and strategic critical assets for the U.S. government from the edge to the core has never been so important.”

“This rewrite signifies major steps being taken to safeguard America’s critical infrastructure to diminish nation-state attacks and malicious actors from causing chaos and gaining access to our critical assets, systems, and networks,” according to Arutyunov. “In fact, very few U.S. agencies have created cybersecurity-related regulations outside of DHS/TSA, DOE, and EPA, making this rewrite a monumental and much needed move.”

Further, Arutyunov added that it is time for the directive to broaden out the definition of critical infrastructure. “With the U.S. just releasing a framework for space diplomacy, I believe it would be a missed opportunity to not include space as a critical infrastructure sector in the rewrite. If not included in this update, I predict that space would need to be added within the next five years – as threats posed by near-peer competitors are rising. After all, the Space Force was designed to protect our society and people – from the highest ground of any battlefield – and that cannot be done without the right foundations and regulations in place.” 

In March, Robert M. Lee, CEO and co-founder of industrial cybersecurity company Dragos, informed the U.S. Senate Committee on Energy and Natural Resources that prioritizing OT/ICS networks is required, with an emphasis on security measures that have proven effective against attackers and going beyond merely identifying and adopting best practices used in other domains such as business information technology (IT). He also pointed to the Pipedream malware, which has shown that the threat landscape has irreversibly changed and that a sense of urgency is required.
