US inspecting another model to step up critical infrastructure protection, after its JCDC initiative

A senior member of the U.S. government said on Friday that it is scrutinizing a new model that it calls ‘primary systemically important entities’ or PSIES, which will deal with the next steps in providing critical infrastructure protection. The measure follows the JCDC (Joint Cyber Defense Collaborative) initiative that depended on close partnerships with critical infrastructure companies, as the nation sets out to promote coordination across federal agencies, state, local, tribal and territorial (SLTT) partners, and private sector entities to identify, protect against, detect, plan for and respond to malicious cyber activity targeting U.S. critical infrastructure.

Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA) said in a virtual event hosted by the Center for Strategic and International Studies (CSIS) that the new effort is being called PSIES, as ‘systemically important critical infrastructure’ (SICI) sounds a little bit disturbing sometimes. The virtual event was on the ‘Next Steps in Critical Infrastructure Protection: Challenges for Congress and CISA.’ She, however, did not elaborate on the details of the PSIES model.

“So, essentially – and in cases – I think it’s important because we might talk a little bit about supply chain – but in cases where these entities are actually part of the supply chain for both hardware and software that can increase risk, that collaboration that you talked about will focus us on how these entities can work together to increase the security and resilience of vulnerable technology throughout the supply chain,” Easterly said.

The critical infrastructure sector has emerged as a prime target with cybercriminals targeting the operational technology (OT) networks that interconnect the industrial control systems (ICS). As services like power grids, water treatment facilities, transport, and healthcare systems increasingly integrate their OT systems with the internet of things (IoT), this leads to a new frontier of risks with innumerable vulnerability points and new vectors that can be exploited by cyber attackers.

The U.S. administration is “prototyping a variety of different approaches in our National Risk Management Center – which folks may be familiar with – to try and start identifying those entities that are, in fact, systemically important,” Easterly said. “And we’re doing it based on economic centrality, network centrality, and logical dominance in the national critical functions. And because, again, we look at sectors, but we – all sectors are connected, so we have to look at these from a national critical function perspective,” she added.

Easterly said that the administration is “going to move forward and do it whether it ends up in legislation or not. But I think that signaling – that ending up in law will be very helpful in continuing to bring the private sector to the table because I think, you know, we’re in a state now where our critical infrastructure is much more vulnerable than it should be. And frankly, that’s what I worry about most every day.”

U.S. Congressman, John Katko, a Republican from New York, also spoke at the CSIS event pointed out that it was also incumbent upon Congress to ensure such a program includes the appropriate guard rails, guidance, and built-in mechanisms for industry collaboration. “Such an important program must be done, and it must be done right. This is why I introduced bipartisan legislation to authorize the director of CISA to work in partnership – (audio break) – collaborative, which is leveraging those new authorities in last year’s NDAA,” he added.

“The JCDC will greatly improve CISA’s risk-management partnership across the critical-infrastructure community and allow them to better defend government and private networks and share information on cyber threats,” Katko added.

The JCDC initiative launched in August by the CISA to lead the development of the nation’s cyber defense plans by working across the public and private sectors to help defend U.S. critical infrastructure. The mission of the JCDC plan is to unify cyber defense that will complement existing efforts by law enforcement and the intelligence community. It also strives to drive down risk before an incident and to unify defensive actions should an incident occur.

Speaking about the JCDC initiative, Easterly said that, “I wanted to call it the Advanced Cyber Defense Collaborative, but my lawyer wouldn’t let me. But we still do a lot of rock and roll there. So it really encompasses that Joint Cyber Planning Office, but it’s a larger recognition that it’s more than planning. It takes a full suite of capabilities to really make a difference for our nation’s cybersecurity posture.”

Now, in some ways, “the JCDC may be a little more evolutionary than revolutionary because it’s really the maturation of what I think about as one of our superpowers, and that’s our very expansive information-sharing authorities to share many to many,” according to Easterly. “And that truly is powerful when you’re talking about having to move at the speed of cyber. But you know, at least in a few important ways it is novel,” she added.

Congressman Katko had earlier this month introduced legislation that would protect systemically important’ critical infrastructure from cyber-attacks. The bill helps establish a transparent process for designating systemically important critical infrastructure and directs the CISA to prioritize meaningful benefits to systemically important critical infrastructure owners and operators without any additional burden. It also authorizes the CISA director to establish a transparent, stakeholder-driven process to designate systemically important critical infrastructure.

Given the diverse views, Easterly said at Friday’s event that the administration is “looking at this through a variety of lenses. We’re going to move forward and do it whether it ends up in legislation or not. But I think that signaling – that ending up in law will be very helpful in continuing to bring the private sector to the table because I think, you know, we’re in a state now where our critical infrastructure is much more vulnerable than it should be. And frankly, that’s what I worry about most every day,” she added.

The U.S. government has been ramping up cybersecurity demands for safeguarding U.S. critical assets and infrastructure after malicious cyber attackers deployed DarkSide ransomware that led to the compromise of the Colonial Pipeline networks in May, which forced the company to take certain systems offline to contain the threat. Apart from Colonial Pipeline, JBS USA, a large beef supplier paid ransom to malicious cyber actors who had infiltrated their networks and threatened the U.S. meat supply.

In February, ​​unidentified cyber attackers were able to gain access to a panel that controls the water treatment plant at the city of Oldsmar near Tampa, Florida. A modification in the setting would have drastically increased the amount of sodium hydroxide in the water supply, which could have led to the poisoning of the water supply to the city. There was also a cybersecurity incident in August at a major U.S. port, which was targeted by suspected nation-state hackers, according to officials.

It is imperative that all actors involved in the defense of the nation’s most important assets understand the ‘critical of critical,’ according to a Lawfare blog. “Prioritizing the defense of systemically important critical infrastructure—whose disruption and collapse would have debilitating effects on U.S. national security, economic security, public health, and safety—is a vital step in keeping the United States secure from malicious cyberattacks,” it added.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.