National Cybersecurity Strategy Implementation Plan boosts cybersecurity in critical infrastructure, though scope is ‘limited’

Following the release of the National Cybersecurity Strategy in March, the U.S. administration announced Thursday a roadmap called the National Cybersecurity Strategy Implementation Plan (NCSIP) to ensure transparency and continued path for coordination. The plan outlines 65 federal initiatives aimed at protecting jobs, combating cybercrimes, and developing a skilled workforce.

Commenting on the release of the NCSIP, Jen Easterly, CISA (Cybersecurity and Infrastructure Security Agency) director said that the agency “is grateful for the important work of the Biden-Harris administration in developing the National Cybersecurity Strategy Implementation Plan as a roadmap to ensure a secure, defensible, and resilient global ecosystem.” 

She added that the NCSIP captures much of CISA’s vital work to improve the cybersecurity of the nation and better secure the critical infrastructure Americans rely on every hour of every day. “From our efforts to strengthen cyber incident response and reporting to our work with the private and public sector to mitigate the risk of ransomware to our focus on ensuring technology that is secure-by-design.”

Easterly added that CISA looks forward to leading the way on its assigned key initiatives in concert with partners. 

In a LinkedIn post, the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) identified that the Implementation Plan defines how government agencies, the private sector, and international partners will work together to improve cybersecurity across the nation. CESER plays an important role in advancing these efforts in the energy sector.

“All Americans deserve a resilient, prosperous and secure future supported by safe, reliable infrastructure,” Puesh Kumar, director of CESER at the U.S. Department of Energy (DOE) said. “The newly released National Cybersecurity Strategy Implementation Plan clarifies and defines how we will achieve this nationwide. CESER is proud to play a key role in this whole-of-government effort alongside our private, civilian, and international partners, and to lead the effort to secure the U.S. transition to a clean energy future.” 

“We commend the Administration for releasing the implementation plan that accompanies White House’s National Cybersecurity Strategy,” Rep. Bennie G. Thompson, a Democrat from Mississippi and chairman of the Committee on Homeland Security, and Rep. Eric Swalwell, a Democrat from California and a ranking member of the Subcommittee on Cybersecurity and Infrastructure Protection, wrote in their Thursday statement. “By being transparent about how the Executive branch will pursue its ambitious cybersecurity goals, Congress is in a better position to provide the necessary resources and authorities while holding the Administration accountable.” 

The members also said that it will also empower the private sector and other critical stakeholders to engage effectively, which is critical because our success demands a full court press. “We look forward to continuing to work with the Administration and our private sector partners to improve the security of the digital ecosystem,” they added.

Mark E. Green, a Republican from Tennessee and chairman of the Committee on Homeland Security, and Andrew Garbarino, a Republican from New York and chairman of the subcommittee on Cybersecurity and Infrastructure Protection applauded the Office of the National Cyber Director (ONCD) for the prompt release of the National Cybersecurity Strategy Implementation Plan. 

“As we stated when the Strategy was released in March, a strategy is meaningless unless properly implemented. We are pleased to see specific responsible agencies and contributing entities called out in the plan and quantifiable timelines for completion,” according to a Thursday statement. “We look forward to seeing how ONCD works with the Office of Management and Budget to appropriately address budgetary considerations for each initiative. We remain steadfast in our belief that the Biden administration must streamline existing regulations while working with the private sector to identify new opportunities for partnership rather than punishment.” 

They pointed out that the implementation of this strategy must be a collaborative process that aims to ease regulatory burden while maintaining strong cybersecurity practices. “We intend to exercise strict oversight on CISA’s efforts as the responsible agency for at least 10 initiatives and a contributing entity to at least 19 initiatives, as it continues to execute its federal cybersecurity and critical infrastructure resilience mission.”

Vytautas Butrimas, industrial cybersecurity consultant, and member of the International Society of Automation (ISA) wrote in a Friday LinkedIn post that even though the plan covers critical infrastructure it is still limited in its scope to the information, network and data centric activities found in the office and departments of government and private sector. 

He further tried to determine the threats that the plan will address. “Cybercrime and Ransomware feature prominently which make up a lot of the work in Strategic Pillar number 2. Although the malicious activities of states are mentioned it is also in the context of cybercrime (mentioned 9 times) and ransomware (33 times). Known efforts by states to disable safety systems, send false telemetry data to operators or otherwise take away view and control of a critical process from the operator are not recognized in the plan. 

Butrimas added that the writers of this document perhaps have not heard of STUXNET, failure to shut down a smelter in Germany, compromise of SIS and shutdown (twice) of a Saudi petrochemical plant and other cyber-attacks by perpetrators who were not criminals or trying to plant ransomware.

Addressing the usage of the word ‘standard(s),’ Butrimas said that it has been used in the NCSIP 28 times but the main standards organization that is mentioned in this context is NIST. “No mention of ISA or IEC let alone ISA/IEC 62443 (quite a surprise to see that even ISO 27000 is not listed). A listing of relevant standards for the strategy’s implementation would provide some guidance and coherence to all the initiatives for cyber securing the nation’s critical infrastructure.” 

He added that “this plan cries out for some official response from engineers, vendors and standards organizations that can provide guidance in protecting process control technologies used not in the billing department but in the power grids, petrochemical plants and water supply systems and other sectors of C.I.”

Butrimas also pointed out that another weakness is the format of the implementation plan itself. “After the strategy establishes the way resources will be used to achieve the objectives, the implementation plan is to provide the details for those that are tasked with the actual work of implementation. In the end this is less of an implementation plan and more of another vision statement. It is not a guide for collaboration with others toward the achievement of some coherent goal,” he added.

Ron Fabela, CTO of ICS/OT cybersecurity firm XONA Systems, wrote in an emailed statement that the NCSIP is a detailed and milestone driven followup to the Nation Strategy released earlier this year. “Pillar 1 outlines the goals for defending critical infrastructure with the implementation plan detailing action items that fall into common themes: Regulatory harmonization, public-private partnerships, and finalization/codification of key plans and review boards. Overall the plan assigns 69 initiatives to 18 different agencies to action the executive branches strategy.” 

“First actions include harmonizing requirements with the eventual release of a NIST Cybersecurity Framework 2.0 that would underpin future regulation,” Fabela pointed out. “The implementation plan for defending critical infrastructure specifically uses ‘requirements’ while also stating ‘use existing authorities to set necessary cybersecurity requirements in critical sectors.’” 

He added that the challenge for the implementation plan is that critical sectors, or what CISA defines as ‘Sector Risk Management Agencies,’ may have federal agency oversight but are composed of private industry with few sectors forced to meet cyber regulations.

For instance, Fabela cited that while some of the nation’s electric grid is regulated by NERC most of this critical sector is privately owned, from large investor owned utilities to local cooperatives, and has no overall regulation for secure operations. “This challenge is repeated across all 16 SRMAs with this implementation plan looking to set the foundation for new regulation while bolstering ‘public-private’ partnerships.”

Last month, the administration issued a memorandum to department and agency heads, outlining the Biden administration’s cross-agency cybersecurity investment priorities for the formulation of the fiscal year (FY) 2025 Budget submissions to the U.S. Office of Management and Budget (OMB), consistent with spring guidance. Additionally, guidance on cybersecurity research and development priorities will be released in a separate memorandum.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.