The White House issues a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems
2021-08-05 | 6 min read
What does this memo mean for you? Watch our video as Keysight's Gail Ow interviews industrial cybersecurity expert Patrick Miller about the memo and what you need to do now.
Prevention alone isn't enough
Cybersecurity is often described as prevention, detection, response --- and recovery, if needed. What the Colonial Pipeline ransomware attack, the Oldsmar Florida Water poisoning attempt, and now the White House are all telling us is that prevention isn’t perfect and therefore, we need to increase focus on detection, response, and recovery.
“We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems. ”
The National Security Memorandum to Improve Cybersecurity for Critical Infrastructure Control Systems (NSM) is an initiative, "a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems." The overall goal of the NSM is to encourage critical infrastructure asset owners to deploy threat visibility and detection technologies to support their incident response and recovery capabilities, as well as provide greater information sharing potential.
So, what does this mean for you?
According to Patrick Miller, ex-utility and former regulator, now consultant and CEO of Ampere Industrial Security, the NSM effort will focus first on the electricity subsector, natural gas pipelines, water, wastewater, and chemical sectors, but could ultimately apply to all 16 critical infrastructure sectors as defined by the Department of Homeland Security (DHS) . He says these organizations should begin with the basics like asset inventory, change management and network segmentation, but implementing detection and monitoring tools will be essential to meet the expectations of the NSM.
The level of participation in the NSM effort will be measured through “baseline cybersecurity goals that are consistent across all critical infrastructure sectors.” Creation of these goals has been tasked to the National Institute of Standards and Technology (NIST) and DHS’ Cybersecurity and Infrastructure Security Agency (CISA). Patrick says that asset owners should perform an assessment of their environments against NIST 800-53 and 800-82 to know where they stand. The results can also be mapped to existing regulation, standard, guideline or similar security framework for the sector to show what is already covered (e.g., NERC CIP, TSA Pipeline Security Directives, DHS CFATS and AWWA G430/J100).
Is this a new regulation?
The voluntary and collaborative approach of the initiative means is that the NSM isn’t a regulation or law. There are no fines for non-compliance. But it is very clear that the NSM is hinting that if voluntary and collaborative efforts don’t meet the stated objectives, then enforceable regulations are coming.
“Securing our critical infrastructure requires a whole-of-nation effort, and industry has to do their part. These may be voluntary, but we hope and expect that all responsible critical infrastructure owners and operators will apply them. We can’t stress it enough that they owe that to the Americans that they serve for these critical services to have more resilience… And as we’ve said, we’re exploring everything we can do to mandate strengthening of cybersecurity standards.” 
The NSM is one of several recent motions from the federal government, such as the 100-Day Plan to Address Cybersecurity Risks to the U.S. Electric System , the Department of Energy Request for Information on Securing Critical Electric Infrastructure , the Federal Energy Regulatory Commission Request For Information on Potential Enhancements to the Critical Infrastructure Protection Reliability Standards  and Executive Orders 13920  and 14028  – all of which have similar components: 1) threat detection and monitoring; 2) incident response and recovery; 3) information sharing; and 4) supply chain security. This volume of activity focused on cybersecurity for the critical infrastructure sectors is a strong indicator that action is expected – and may even be inevitable.
This is the first of a series of informative interviews with Patrick Miller, CEO of Ampere Industrial Security. So stay tuned!