Proposed CIRCIA rule boosts cyber threat understanding, early detection of adversary campaigns, offers coordinated actions

With the recent release of a proposed rule under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), critical infrastructure owners and operators will likely bolster their cybersecurity posture against rising threats and attacks. The rulemaking develops and implements regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA, enabling the agency to rapidly deploy resources and assist victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.

Published in the Federal Register, the Notice of Proposed Rulemaking (NPRM) initiates a 60-day public comment period ending on June 3. During this period, CISA urges stakeholders to voluntarily provide information on cyber-related incidents that could help mitigate existing or potential cybersecurity threats to critical infrastructure. CIRCIA mandates CISA to issue the final rule within 18 months of the NPRM publication, with the final rule specifying its effective date. 

A senior CISA official described how covered entities are defined: “we have a kind of size-based threshold that says anything that is not a small business that operates within a critical infrastructure sector since we define those really broadly, will be a covered entity under CIRCIA. This will cover a large number of entities and will likely cover many entities in the space that you mentioned.”

“We also include some sector-specific criteria for many, but not all, critical infrastructure sectors that we believe, and working with our sector risk management agency partners across the federal government, work that we believe kind of cover the coverage gaps that we have,” according to the CISA official. “So, in most cases, anything that is a large company and then anything that is a small company that needs certain very specific sector-based criteria, because of their criticality within that sector will be included.”

That being said, the CISA official noted that this is a proposed rule, and “those criteria are subject to change based upon the comments that we receive. And I anticipate that we will receive, as I indicated earlier, many comments on our proposed definitions. And if we have missed certain things, if there’s a lot of feedback on where we’ve been too narrow or too expansive, those will all factor into our decision-making as we consider the final rule.”

The CIRCIA legislation, as amended, tasks CISA with establishing regulations for reporting covered cyber incidents and ransom payments by relevant entities. The legislation requires CISA to issue a Notice of Proposed Rulemaking (NPRM) in the Federal Register, with NPRMs open to public comment under the Administrative Procedure Act. CISA is actively seeking feedback on the proposed rule to implement CIRCIA’s requirements and address various practical and policy issues related to the new reporting obligations.

The CIRCIA regulations, requiring covered entities to report covered cyber incidents and ransom payments to CISA, will enhance the nation’s cybersecurity posture by enabling CISA to swiftly deploy resources, assist attack victims, analyze cross-sector reporting for trends, and share insights with network defenders to prevent similar incidents. The regulatory requirements of CIRCIA, including the reporting obligations, will take effect only when the final rule takes effect.

A senior DHS official identified that the CIRCIA legislation and implementation is a two-way street. “We as a department must provide value back to the country and the cybersecurity community because of this reporting and influx of information that we will see whether the ability to warn and detect cyber intrusion, provide trend analysis for given sectors, work with the interagency on ransomware and crypto payments, or overall inform and improve the critical infrastructure security of our country,” he added.

In developing the NPRM, CISA engaged with various public and private sector stakeholders to ensure a balanced approach to implementing CIRCIA’s requirements. This engagement included issuing a request for information (RFI) in the Federal Register in September 2022, hosting public listening sessions nationwide, conducting virtual sector-specific sessions, and collaborating with sector risk management agencies (SRMAs) and other relevant federal entities to gather comprehensive input from a broad spectrum of stakeholders. CISA carefully considered this feedback when formulating the proposals outlined in the NPRM.

Going beyond mere compliance with statutory mandates, CISA is dedicated to providing stakeholders, including state, local, private sector representatives, and the public, with opportunities to contribute ideas and perspectives throughout the CIRCIA rulemaking process following legal requirements. By releasing an NPRM, CISA can gather insights from a wide range of stakeholders, informing the development of the final rule.

The implementation of CIRCIA will enhance CISA’s ability to leverage cybersecurity incident and ransomware payment data reported to the agency to detect real-time patterns, address critical information gaps, swiftly deploy resources to assist entities impacted by cyberattacks and alert potentially affected parties. Timely sharing of cyber incident details enables CISA to provide support and issue warnings to prevent similar incidents in other organizations. This information is also crucial for identifying trends that support homeland security efforts.

Industrial Cyber consulted cybersecurity experts to ascertain the specific criteria that will determine which cyber incidents are mandated for reporting under the proposed CIRCIA rules. They also explored how CISA intends to enforce compliance with the incident reporting requirements outlined in CIRCIA across critical infrastructure sectors.

Patrick Miller, president and CEO at Ampyx Cyber

“There are four general criteria used to determine which cyber incidents are subject to reporting,” Patrick Miller, president and CEO at Ampyx Cyber, told Industrial Cyber.

Identifying these benchmarks as substantial loss of confidentiality, integrity, or availability; serious impact on safety/resilience of operational systems and processes; disruption of business or industrial operations; and unauthorized access facilitated through a third party (e.g., CSP, MSSP), Miller pointed out that “these are broad enough criteria to work within all applicable sectors. CISA provides some guidance on assessing whether an impact threshold is met, and it should be assumed they will use a similar approach in ensuring compliance with the requirements.”

“Based on my experience, I think it is vitally important that CISA develop a taxonomy for how incident data will be categorized and classified if they haven’t already,” John Cusimano, vice president for OT cybersecurity at Armexa, told Industrial Cyber. “The classification scheme should seek to quantify the consequence(s), especially the physical impacts, of the incident as granularly as practical. Information Risk Management (IRM) leaders tend to think of cyber consequences strictly in terms of data loss, which is valid when considering typical enterprise IT data.”  

John Cusimano, vice president for OT cybersecurity at Armexa

However, Cusimano added that “if cyber-physical systems, (e.g., industrial control systems, OT and IIoT systems, building automation systems, safety systems) are compromised, the consequences of a compromise can include health, safety, environmental, equipment damage, product safety, service interruption, supply-chain interruption, and other impacts that go far beyond just financial losses.”  

“So, it is important that the taxonomy that CISA adopts identifies and quantifies the impact of the incident in terms of health, safety, environmental, equipment damage, product quality, production, etc.,” Cusimano detailed. “Each of these consequences will result in corresponding financial damages to the organization that should be quantified into bands (e.g., <$10,000, $10K – $100K, $1K to $1M, $1M to $10M, $10M to $100M, >$100M).”

He recommends that CISA leverage expertise from process safety risk management subject matter experts, as well as enterprise risk management and information risk management when building this taxonomy.

The executives discuss the expected advantages of creating a centralized platform for incident reporting and information sharing as part of CIRCIA. They also explain how CISA plans to utilize the data gathered from CIRCIA reporting to improve situational awareness and shape cybersecurity strategies.

Miller identified that using a centralized platform will consolidate the information. “This will provide a common method and structure for all. The goal is to understand threat and vulnerability patterns both within single infrastructures as well as across many or all. Having a single place to hunt with normalized data will make this faster and more efficient.” 

“The challenge is, that while this approach makes it easier for CISA, it also makes it easier for an adversary,” Miller added. “As far as measures to protect this information? The government – even CISA – has seen their fair share of breaches so many would be right to hold extreme skepticism. We can only hope it will come with the most effective security controls possible.”

“I think there could be many benefits in establishing a centralized platform for incident reporting and information sharing under CIRCIA, especially if CISA periodically produces public reports redacting the details but documenting trends by industry, sector, geography, threat actor, attack vector, Tactics, Techniques and Procedures (TTP), types of vulnerabilities being exploited, consequence types (e.g., health, safety, etc.), financial impact ranges, etc.,” Cusimano said. “Reports from RISI and ICS STRIVE could be used as a guide to the type of information and reporting that would be valuable to industry.”

He added that objective reporting like this would help to separate fact from fiction and quench some of the over-sensationalism seen with some highly publicized incidents while offering some degree of transparency about very serious incidents that may have previously gone unreported.  

“While sector-based Information Sharing and Analysis Centers (ISACs) strive to provide these insights, their information about incidents is limited, and it is only shared with their members,” according to Cusimano. “Many private-sector threat intelligence vendors also try to report on incidents but also struggle to provide a complete picture due to the lack of publicly available information.”

Cusimano pointed out that there are many downsides to a centralized platform for incident reporting and information sharing. “Top of mind is the risk that the database itself is compromised and sensitive information about the victims is made public. The other risk that comes to mind is the victim could suffer additional damages beyond those caused directly by the incident, especially for non-public companies. For example, will the data be subject to Freedom of Information Act requests?” he added.

Asked what measures will be put in place to protect the confidentiality and privacy of sensitive information shared through the CIRCIA reporting mechanism, and how CIRCIA aims to incentivize proactive risk management and cybersecurity investments among organizations within critical infrastructure sectors, Miller said the proposed rule does try to provide some legal protections for the information, such as designation as proprietary information, exemption from FOIA disclosure, and no waiver of privilege. “It also has some restrictions on how they will use the data, such as not using it in regulatory actions and liability protections.”

He added that the goal for covered infrastructure organizations is to have a cybersecurity posture sufficient to minimize or eliminate the need for reporting. “More reporting will lead to an array of unwanted issues because it will be seen as a negative indicator for any interested party. This will incentivize proactive risk management and cybersecurity investments.”

The CISA official also discussed public disclosure concerns. “Obviously, Congress built in strong protections for the information submitted to CISA under CIRCIA and those have been carried forward in the proposed rulemaking. We want to give confidence that the information that is shared with us is not going to be released publicly, as it will often contain sensitive information from companies.” 

That being said, the CISA official added that he “will kind of make two points here. One of the primary purposes of CIRCIA and gathering this type of information, either in a voluntary or regulatory fashion, is to enable us to have better insights into the cyber incidents that are happening so that we can provide public guidance to our critical infrastructure and other stakeholders to allow them to protect themselves. So, the information is designed to be put out there, obviously protected and anonymized from any specific victim.”

Secondly, the official added: “We will be working on a longer-term plan for how we would make anonymized information available to researchers. But that is not, we don’t have anything to release on that right now.”

When discussing how CISA plans to ensure that the CIRCIA reporting requirements stay adaptable and responsive to emerging cyber threats and evolving technological landscapes, Miller explained that the proposed rule includes provisions for updating reporting criteria, continuous stakeholder engagement, and flexibility in rulemaking to address technological advancements and changing threat landscapes. “Additionally, the structure is built upon several other federal agencies, efforts, and products that have their own update cycles which will feed into the overall machine in order to try to match the evolving tech landscapes.”

The CISA official detailed that, for example, “the sector risk management agencies to ensure that they get the relevant reports to their sector, or our law enforcement colleagues at the FBI who we partner with on almost all cyber incident reporting-related activities. Again, while these are enhancements to our current system, in many cases, we perform functions like this today.”

“So, for example, the Transportation Security Administration has issued a series of directives over the past several years requiring incident reporting for entities in the pipelines, rail, and aviation and airlines space,” the CISA official detailed. “Those directives require reporting to CISA and then we provide those reports back to TSA and other transportation sector partners under the terms of those security directives. So, we have experience with doing this, which for us, is just scaling it up to make sure that we can meet the needs of a larger reporting base.”
