This article is more than 1 year old
'Woefully insufficient': Biden administration's assessment of critical infrastructure infosec protection
Memorandum details plans to turn that around with rapid development of security baselines, not mandates
The Biden administration has issued a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems to address what it describes as a "woefully insufficient" security posture.
The Memorandum was accompanied by transcripts of remarks made by a "Senior administration official" who said the edicts are needed because "We have a patchwork of sector-specific statutes that have been adopted piecemeal, typically in response to discrete security threats in particular sectors that gained public attention.
"So, our current posture is woefully insufficient given the evolving threat we face today," the anonymous official added. "We really kicked the can down the road for a long time."
The Memo outlines plans to change that, with an "Industrial Control Systems Cybersecurity Initiative" that sees government and industry collaborate to define security baselines. The administration also wants security baselines to become consistent across all critical infrastructure sectors.
- Biden warns 'real shooting war' will be sparked by severe cyber attack
- Kaseya obtains REvil decryptor, starts sharing it with afflicted customers
- Wanted: State-backed bandits planning cyberattacks on US infrastructure. Reward: $10m
The Memo tasks the Secretary of the Department of Homeland Security with issuing preliminary goals for control systems across critical infrastructure sectors no later than September 22, 2021. Within a year, the administration expects "final cross-sector control system goals" will have been developed.
Despite the transcript repeatedly referring to a lack of statutes mandating certain security practices, and mentioning recent mandates introduced by the Transportation Security Administration to set security requirements for oil pipeline operators, the Memo doesn't discuss whether critical infrastructure operators need to be compelled to act.
Instead, the Memo pledges that US government risk management agencies will "work with critical infrastructure stakeholders and owners and operators to implement the principles and policy outlined in this memorandum." ®