NIAC report finds security, resilience of critical infrastructure depends on collaboration; calls for mandatory standards

The President’s National Infrastructure Advisory Council (NIAC) has emphasized that the security and resilience of the nation’s critical infrastructure depend on collaboration across sectors. The NIAC report identified significant barriers that impede effective collaboration and analyzed these barriers, presenting recommendations to address them. It concludes that standards governing the security and resilience of critical infrastructure assets should be mandatory. 

Late last year, the National Security Council (NSC) tasked the NIAC to examine cross-cutting infrastructure policy challenges. The Cross-Cutting Infrastructure Policy Challenges Subcommittee, which was composed of 13 Subcommittee members, was formed to draft a report to address the tasking on behalf of the broader NIAC. 

At the President’s request, NIAC members conducted in-depth studies on physical and cyber risks to critical infrastructure and recommended solutions that reduce risks and improve security and resilience. Members draw upon their deep experience, engage national experts, and conduct extensive research to discern the key insights that lead to practical federal solutions to complex problems.

The Subcommittee members examined the means to improve cross-sector collaboration both within the private sector and between the private and the public sectors. To undertake its work and with input from NSC staff, the Subcommittee defined the scope of cross-sector collaboration as encompassing collaboration on infrastructure resilience and security among sectors within the private sector; the collaboration of those sectors with federal, state and local governments; and collaboration between government, the private sector and academic institutions. 

Following its deliberations, the NIAC identified nine barriers to the cross-sector collaboration needed to improve U.S. infrastructure resilience and security, and it provided ten specific recommendations for improving collaboration both among private sector providers of critical infrastructure and between those providers and the public sector. It also offered its view on whether standards governing critical infrastructure should be mandatory or voluntary.

The NIAC found that a lack of clear authority can lead to inconsistent answers to industry, or to delays at times when swift decision-making is needed. Because different sectors of the economy work with and report to a panoply of federal, state and local agencies, this decision-making complexity can inhibit cross-sector collaboration with the private sector. The report added that the need for clear, proactive decision-making and command is not limited to the public sector: in the private sector, resources are not always harnessed across sectors effectively during incidents to ensure a comprehensive response.

The report also noted that critical infrastructure sectors may have different risk tolerance levels depending on how a particular risk affects their operations and their legal and fiduciary duties. Growing mutual interdependencies make it harder to reconcile these differing risk postures across sectors. For example, if a disruption in the electric sector denies power to the communications sector for a prolonged period, the communications sector may in turn be unable to provide services to the electric sector. The report added that identifying these critical, time-sensitive interdependencies can help prioritize restoration efforts.

The NIAC also found a lack of outcome-based goals for securing critical infrastructure. Clearly defined common goals should focus on the shared outcomes that participating sectors and government partners seek to achieve through collective action. More work across sectors, and between the public and private sectors, is needed to identify such outcome-based common goals. Making the goals outcome-based is key because industries in different sectors, and even within a sector, will reach the same outcomes in different ways.

The public sector is often expected to be nimble when responding to physical or cyber threats to critical infrastructure, according to the NIAC report. Yet public sector officials face many laws and regulations that require extensive legal processes to be followed during such a response. Government agencies can find themselves bound by statutes that govern their actions and that may not allow them to modify or depart from those procedures in an emergency.

The NIAC report found that as industries become more dependent on one another, information sharing and cross-sector collaboration concerning commonly used hardware and software inputs grow in importance. This need exists for physical dependencies and is even more pronounced when addressing cybersecurity concerns with products received from others in the supply chain.

The NIAC cited three examples: the growing need for closer coordination between the electricity and natural gas sectors; the healthcare sector's challenge in managing the different proprietary platforms used to access medical records; and the difficulties shipping companies and port facilities face in reconciling separate protocols and information systems.

“In short, if various industries in the supply chain are not communicating and developing workarounds for damaged or compromised hardware and software inputs, the entire supply chain can face crippling interruptions,” the report added. 

The NIAC report stated that, to maintain a strong economy, critical infrastructure sectors will need to continually attract new talent in both the public and private sectors, retain trained workers, and develop a skilled workforce that can support highly integrated and co-dependent industries. At the same time, the public sector faces significant retirements of experienced employees while still needing qualified workers to carry out its mission.

The report also found a lack of baseline cybersecurity standards, which allows for differing levels of rigor in basic cybersecurity hygiene across industries. "The lack of basic standards can also result in a diminished focus and unintentionally encourage relaxed approaches to security as businesses weigh the cost of enhancing their cyber and physical security with maintaining their competitive position in the market. The lack of common standards affecting critical infrastructure encompasses more than cybersecurity. Industries that operate in multiple jurisdictions can face a panoply of local risk assessments and inconsistent required mitigation actions during an emergency," it added.

The NIAC identified a need for more intelligence sharing from the government, including timely sharing of sensitive intelligence on cyber activity, which is critical both before and during broad cyberattacks involving one or more critical infrastructure industries. The report also found a need for the private sector to share information about vulnerabilities. Many private industries and the government alike fail to recognize, and to communicate consistently and proactively, the cross-sector dependencies that matter for preventing cyber and physical attacks and for restoring service afterward.

Subcommittee members proposed a range of recommendations to address the barriers identified. Some were specific to particular industries, while others cut across multiple sectors. Although many industry-specific recommendations were proposed, the report highlights several cross-sector recommendations.

The NIAC recommends that the NSC gather and analyze informal activities undertaken in this area in the past and use that information to inform the development of cross-sector drills and the scenarios chosen for them. It also suggests that the federal government consider establishing streamlined processes and best-practice standards for common activities such as employee background verification and supply chain security authorization.

The report recommends developing and drilling a common playbook to ensure greater coordination among local governments and among local, state and federal entities. It also proposes including vulnerable communities in planning and restoration efforts, and sharing early assessments and communication of a threat and its impact on critical infrastructure as early as possible. Finally, it suggests performing common-cause failure analysis from a multi-sector viewpoint, which could reveal unrecognized national and regional vulnerabilities beyond today's more sector-specific focus.

The NIAC report recommends prioritizing standard-setting in threat modeling and vulnerability assessment, network segmentation, access provisioning, privileged account management, and patch management, along with clear pathways for real-time sharing of legally protected information, such as among the healthcare sector, law enforcement, and regulatory communities.

It also recommends a pilot test to identify the benefits of additional third-party certifications, which could serve as a basis for business incentives between stakeholders that encourage adoption of enhanced, voluntary cybersecurity standards beyond minimum cybersecurity regulations. The NIAC proposes a renewed effort to ensure that infrastructure funding under the legislation cited in the report is delivered in a timely and responsible way. Lastly, the report suggests that government officials ensure consistency between international trade requirements and 'Buy America' mandates in federal, state and local contracts.

Although NIAC members recognized the value of voluntary coordination and collaboration among private sector entities and between the private and public sectors, given the cross-sector interdependencies of critical infrastructure there was consensus that in key areas, such as cybersecurity, it is time to move toward mandatory standards rather than relying solely on appeals to altruism or on voluntary adoption of best practices.

The NIAC's view is that any standards related to the protection and resilience of critical infrastructure should be outcome-based: they should specify the objective to be achieved while leaving flexibility in how an individual entity meets the standard's requirements. The report also stressed that standards addressing the security of critical infrastructure assets should not focus only on the ultimate provider but should also reach all critical suppliers in the supply chain that manufacture the hardware and software components providers rely upon.

In conclusion, the NIAC urges the President to consider these recommendations for immediate and long-term implementation to improve the nation's critical infrastructure resilience and security through increasingly essential collaboration across sectors. Earlier this month, the U.S. administration published its National Cybersecurity Strategy, which calls for deep and enduring collaboration among stakeholders across the nation's digital ecosystem.

The strategy is intended to serve as a foundation for making cyberspace more inherently defensible, resilient, and aligned with the country's values. It also imposes additional mandates on the organizations that control the majority of the nation's digital infrastructure, with an enhanced government role in disrupting criminal hackers and state-sponsored actors.
