New CRS report delivers overview of critical infrastructure security and resilience

A recent Congressional Research Service (CRS) report examines how uneven the development of critical infrastructure security and resilience-oriented communities has been in providing robust sector and cross-sector professional networks, multilateral flows of critical infrastructure information, collaboration with relevant government agencies, and investments in resilience.

The report summarizes the U.S. critical infrastructure community, describing the current development of cyber risk management programs and activities in the energy, communications, and healthcare and public health (HPH) sectors.

“In recent decades, the federal government has supported voluntary programs and activities intended to develop common perspective, risk awareness, and risk management culture within a diverse and evolving community of critical infrastructure stakeholders,” Brian E. Humphreys, an analyst in science and technology policy, wrote in the CRS report.

The report recognizes the Department of Homeland Security (DHS) as the lead federal agency for critical infrastructure security and resilience. At the federal level, the critical infrastructure community is organized under the auspices of presidential policy directives, which assign DHS, acting through the Cybersecurity and Infrastructure Security Agency (CISA), responsibility for leadership and interagency coordination of voluntary public-private partnerships across the critical infrastructure sectors.

DHS delegates this responsibility to other agencies in some cases. The report said that the responsible agency in each sector is referred to as the Sector Risk Management Agency (SRMA). CISA commonly describes its partners in the national critical infrastructure security and resilience enterprise as the critical infrastructure community.

As much of the nation’s critical infrastructure is owned and operated by the private sector, implementation of federal cybersecurity initiatives to counter nation-state and other threats often depends upon the willingness and ability of private-sector entities to engage with the critical infrastructure security and resilience-oriented communities of interest, according to the CRS report. This bears both on resilience investments and on the prompt reporting of cyber incidents, including those that may carry reputational, legal, or regulatory consequences.

“Likewise, owner-operators of vulnerable systems may have to absorb significant up-front business costs to increase security. Owner-operators of systems that do not meet the statutory definition of critical infrastructure may still suffer from attacks that present systemic risk, given the interconnectedness of such systems,” it added.

The CRS report classifies the energy sector into two sub-sectors, electricity and oil and natural gas, with the Department of Energy (DOE) designated as the SRMA. The North American Electric Reliability Corporation (NERC) develops and enforces mandatory reliability standards that address cybersecurity and other risks affecting the nation’s bulk power system. In addition to its regulatory role, NERC, a federally authorized, industry-led reliability organization, plays a significant role in voluntary best practices and information-sharing programs.

NERC also operates the Electricity Information Sharing and Analysis Center (E-ISAC), which facilitates sharing of cyber threat information and analysis between industry partners and government through alerts, exercises, and other means, according to the report. For example, E-ISAC manages a DOE program for real-time cyber threat information sharing to protect critical infrastructure. ISACs in other sectors have similar functions.

According to DOE, utilities participating in its information-sharing program provide power to over 75 percent of customers in the continental U.S., the CRS report said. “NERC periodically organizes grid security exercises. A major November 2021 exercise included 700 participants from the bulk power industry, according to media reports. Prior to the 2021 exercise, some observers voiced concerns about regulatory gaps and inadequate standards. NERC reliability standards are consensus-based and mostly apply to larger utilities engaged in interstate transmission,” it added.

The report said no industry reliability organization is analogous to NERC in the oil and gas industry segment. Major industry trade groups lead standards development functions on a largely voluntary basis. Certain voluntary consensus standards have been incorporated by reference into the Code of Federal Regulations, giving them legal effect. These standards are concentrated in the heavily regulated offshore segment and the pipeline subsector, it added. 

Further—except for pipelines—these standards focus on risks inherent to the physical operation of industrial equipment rather than cybersecurity. The report said that industry groups own and operate the Oil and Natural Gas (ONG) ISAC. Some independent reports indicate slow progress in developing cybersecurity culture and meaningful community engagement. 

A 2020 report by the Lawrence Livermore National Laboratory on cybersecurity in the oil and gas subsector noted widespread deficiencies, including the use of legacy assets lacking cybersecurity features, the use of consumer-grade operating systems and software with known vulnerabilities, and a prevailing culture of general apathy across enterprises. However, industry groups assert that they work closely with federal agencies to ensure ‘collaboration and communication at every point.’

Moving on to the HPH sector, the CRS report said that the Department of Health and Human Services (HHS) is the designated SRMA. Limited HHS regulatory authorities and programs focus on maintaining the privacy of patient health information and the operational integrity of agency computer systems. HHS’s private-sector counterpart, the HPH Sector Coordinating Council (SCC), has created several relevant industry working groups in recent years to increase threat reporting and analysis, information sharing, and adoption of best practices, it added. 

The Cybersecurity Working Group reports increasing stakeholder engagement. In addition, the Health-ISAC has operated since 2010 and remains active. “A 2018 survey of 600 healthcare organizations on industry adoption of cybersecurity best practices showed that most organizations participate in one or more cybersecurity information-sharing and analysis organizations. Indicators of substantive private-sector engagement with such organizations and adoption of best practices were more mixed,” the CRS report added.

Turning to the communications sector, which comprises the five segments of broadcasting, cable, satellite, wireless, and wireline, with DHS as the designated SRMA, the CRS report said that DHS operates the National Coordination Center, which hosts the Communications ISAC and provides operational support for specific national-level incidents. DHS and other agencies do not regulate the cybersecurity risk management activities of private-sector partners. It added that DHS’s private-sector counterpart, the Communications SCC (CSCC), supports a host of public-private partnership activities for threat reporting and analysis, information sharing, and adoption of best practices.

In letters and filings to federal agencies, the CSCC has noted persistent information-sharing obstacles related to security classification and legal exposure, the CRS report said. “The CSCC has also noted limited community-wide awareness of collaboration and information-sharing channels, and insufficient grant funding for cybersecurity resilience activities,” it added. 

The CRS report also included the Cyber Incident Reporting for Critical Infrastructure Act of 2022 that was passed by Congress this month as part of the Consolidated Appropriations Act, 2022, and then signed into law by U.S. President Joe Biden last week. CISA has two years to publish a Notice of Proposed Rulemaking (NPRM) and then 18 months following the NPRM to issue final rules. Once the rules are published, CISA must conduct an ‘outreach and education campaign’ so that no one is caught by surprise.

The legislation “requires covered critical infrastructure entities to report certain breaches and ransom payments to CISA, among other provisions,” it added. Specifically, critical infrastructure owners and operators must report to CISA within 72 hours if they are experiencing a substantial cyber-attack and within 24 hours if they make a ransomware payment.

“Although additional clarity is needed, it is clear that the federal government is serious about federal reporting requirements,” analysts wrote in a Norton Rose Fulbright blog post. “Accordingly, companies should begin evaluating their processes around incident response and detection to determine how they will comply with the new requirements,” they added.
