New cyber incident reporting legislation set to streamline process for critical infrastructure sector

Amidst rising cyber threats, the legislative branch of the U.S. administration is working overtime. It has passed legislation requiring the critical infrastructure sector to report ‘substantial’ cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). In addition, the move will push these environments to set up more robust asset visibility models so that anomalies and abnormal behavioral patterns can be flagged immediately and appropriately addressed.

The Cyber Incident Reporting bill passed in the U.S. House of Representatives last week and was hailed by CISA Director Jen Easterly as a game-changer. “Today marks a critical step forward in the collective cybersecurity of our nation,” she said on Friday. Having earlier cleared the U.S. Senate as the ‘Strengthening American Cybersecurity Act,’ the bill now heads to U.S. President Joe Biden for his signature before becoming law.

The legislation requires the critical infrastructure sector to report to CISA within 72 hours if they are experiencing a substantial cyber-attack and within 24 hours if they make a ransomware payment. It also addresses the need to modernize the government’s cybersecurity posture and authorize the Federal Risk and Authorization Management Program (FedRAMP) to ensure federal agencies can quickly and securely adopt cloud-based technologies that improve government operations and efficiency.

Developed following the SolarWinds supply chain attack and gaining additional momentum from the Russia-Ukraine conflict, the bipartisan, bicameral Cyber Incident Reporting legislation ‘further solidifies Congress’ intent that CISA is the lead Federal agency for cybersecurity.’

Industrial Cyber reached out to executives in the industrial cybersecurity sector to evaluate the effect of the passage of the ‘Strengthening American Cybersecurity Act’ on the cybersecurity issues prevalent in the critical infrastructure sector. It also covered whether asset owners and operators would put together the necessary information to report to CISA within the stipulated time frame. 

The bill and subsequent rule-making functions for CISA will streamline the reporting process for cyber-attacks and indicators of compromise (IOCs) to enhance cyber risk management over time, Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, told Industrial Cyber. “This will both help CISA see across a wider swathe of sectors and identify commonalities of attacks as they occur. It also has the potential to illuminate interdependencies, shed light on information gaps either from a specific industry or lack of visibility into a specific network, or technologies that a number of critical infrastructure sectors rely on,” she added. 

“We believe the most important effect of this package is to bring much-needed insight and visibility to the problem,” Francis Cianfrocca, CEO at InsightCyber, told Industrial Cyber. “America’s critical infrastructure is far more vulnerable to cyberattacks than most people realize. Shining a light on the issue is paramount to our national security and our economy, and we applaud this bipartisan action,” he added. 

The legislation is important for the simple reason that requiring critical infrastructure owners and operators to promptly report cyberattacks or ransomware payments will establish a new baseline for measuring the current state of the problem, according to Cianfrocca. “Today, we have woefully little visibility into the true incidences and costs of these attacks. The U.S. urgently needs to adopt new practices, standards, and solutions that will put industry and government on the same page. When organizations no longer fear the repercussions of reporting a cyberattack, they will become more forthright in sharing information about when and how they’re being attacked,” he added.

“Everyone should be clear, however, that this legislation is only an early step in a long and challenging journey for government and industry to properly protect critical infrastructure. This is a uniquely new and difficult problem,” Cianfrocca said. “Protecting infrastructure and operational technology from attack is not simply a matter of extending the cybersecurity practices that are used today to protect IT (networks, computers, and applications). Real protection of critical infrastructure and operational technology will require new innovation and investment to meet the challenge,” he highlighted.

In the current threat landscape, further weakened by geopolitical issues, it is essential to determine how achievable it is for the critical infrastructure sector to meet the provisions of the Strengthening American Cybersecurity Act.

Jablanski said it is important to keep in mind it was crafted with input and support from the critical infrastructure sectors. “CISA and the private sector have several years to work on a draft rule, so current geopolitical issues heighten awareness of these issues, but should not impact the ability for sectors to meet provisions,” she added.  

Reporting should be one key factor in a holistic preparedness plan that outlines exactly which priorities necessitate action, according to Jablanski. “If preparedness is bolstered ahead of time, reporting during an incident becomes a natural reflex rather than a stringent request. And companies should develop the ability to workshop and simulate live crises in order to work through their priorities and requirements and build up internal response capabilities,” she added.

Companies really do want to do the right thing here, but it will be very costly, and it will expose them to serious privacy and liability issues, according to Cianfrocca. “These have been major stumbling blocks in the past. The new legislation gives us a chance to get this right,” he added.

“Out of the gate, it will be hard for many organizations to effectively meet all the provisions of the bill. In particular, the requirement that critical infrastructure owners and operators report within 72 hours if they are experiencing a substantial cyberattack is dependent on their ability to realize that an attack is even happening,” Cianfrocca added. 

Perhaps it’s just a matter of how one defines ‘substantial,’ according to Cianfrocca. “Sophisticated attacks often unfold over the course of weeks and months, as cybercriminals gain access into systems and quietly perform reconnaissance and planning across a broad range of networks and operational technology. In our book, that is ‘substantial.’ However, most organizations never see it happening. They only recognize an attack when a ransomware demand is made. It’s like reporting that the barn door is unlocked when you realize the cow is gone,” he added.

Analyzing if asset owners and operators would face any issues in putting together the necessary information to report to CISA within the stipulated time frame, Nozomi’s Jablanski said that “this is an opportunity for critical infrastructure sectors to assess the extent to which their operations are data rich, but information poor, and to establish new baselines for cybersecurity monitoring.” 

She said that they have an opportunity to prioritize their most critical assets and address uncertainty surrounding potential threats and points of failure in their operations. “The bill also gives sectors time to create the structures needed to share information and work together for a collective defense,” Jablanski added.  

Most asset operators and owners struggle to compile an accurate accounting of what even exists in their environments, so it will be difficult for them to provide reports that offer much information beyond the fact that an attack took place, InsightCyber’s Cianfrocca said. “This is not due to a lack of interest or desire, but rather because the connected devices, sensors, and other smart components that make up modern operational technology generate security data that is radically different from the data seen in traditional IT environments,” he added.

“A new class of security information and event management solutions is needed to help security teams make sense of that data and deliver the insights required to respond to attacks effectively,” Cianfrocca said.

Every organization cares deeply about this problem, but they’re all struggling to address it because innovation in this area is still in the nascent stage, according to Cianfrocca. “Our vision is to help an organization nip a cyberattack in the bud by spotting tiny operational anomalies the moment they occur, through AI-powered monitoring of operational technology,” he added.

Trade association USTelecom had previously raised concerns that the private sector must be engaged with and more recently questioned the timing of the passage of the Strengthening American Cybersecurity bill by the Senate. Addressing the issues raised, given that owners and operators of the critical infrastructure sector have unique operational insights that can help the government effectuate its security goals with greater efficiency, Jablanski said that the more important issue will be working collaboratively with CISA as it implements the rulemaking.

“The bill lays out the parameters that CISA and industry will have to work through to ensure that the mandate provides the information needed by CISA and provides clarity on what needs to be reported and when,” according to Jablanski.

“Working through the right balance will be critical and all critical infrastructure sectors need to be involved in this process,” she added. “The significance of the bill is in the potential for these partnerships to move the needle on security. Companies will have to demonstrate that they take these tasks seriously, and the government will have to demonstrate the benefit of cooperation over time.”

Cianfrocca applauds the fact “that this critical issue is being illuminated, and we encourage industry/government collaboration where it makes sense. Our focus is to work with the industry to develop solutions that can be immediately and broadly adopted to address these urgent challenges,” he concluded.
