White House Shows Increased Interest in Standards for Critical Infrastructure, IoT
Cybersecurity requirements for entities critical to the day-to-day functioning of the United States will expand to new sectors, a senior Biden administration official said today.
The administration also intends to create a new voluntary cybersecurity labeling program for consumer devices amid a general recognition that cybersecurity has transformed from a niche issue to a quality-of-life issue. Pervasive connectivity means hackers can engage in anything from harassment and theft to nation-state attacks.
Public water systems will soon come under a new cybersecurity mandate issued by the Environmental Protection Agency, said Anne Neuberger, a White House deputy national security adviser, during a Washington event. Existing EPA authorities to regulate the safety and security of water extend to cybersecurity, said Neuberger.
In a statement, an EPA spokesperson said the agency “is considering a regulatory approach to improve cybersecurity at water systems that could affect safe drinking water. EPA has worked with the states to collaborate on identifying assessment and technical assistance approaches” (see: Public Water Systems at Cybersecurity Risk, Lawmakers Hear).
The Department of Health and Human Services is looking into cybersecurity standards for hospitals, Neuberger said. The Federal Communications Commission recently initiated a rule-making process requiring broadcasters and cell network providers who transmit emergency alerts to have basic cybersecurity measures, such as a risk management plan, in place.
The Transportation Security Administration, which regulates the entire transportation sector despite being best known for providing airport security, will publish updated cybersecurity directives for public transportation and passenger railroads this winter, Neuberger said. The agency in July published a second iteration of its cybersecurity directive for the pipeline industry.
Later this month, the White House will host internet of things manufacturers to discuss a voluntary labeling program for products that meet minimum security standards. The program will start with routers and home cameras, “the most common, and often most at-risk, technologies,” the White House says.
Cybersecurity challenges have loomed large for the Biden administration from nearly its start, including a dayslong consumer shortage of gasoline in May 2021 caused by a ransomware attack on Colonial Pipeline. President Joe Biden initiated efforts to boost industrial control system cybersecurity in the private sector, through regulation where possible and otherwise through voluntary measures. Roughly 85% of the U.S. systems necessary for ordinary life, such as power generation or healthcare delivery, are under private ownership.
A Department of Homeland Security official in September acknowledged the administration is behind on the deadline to roll out sector-specific performance goals for all of the 16 sectors that make up critical infrastructure.
The administration doesn’t intend for its directives to apply to every organization within a critical infrastructure sector, Neuberger said. Instead, they’re meant for “the big players” for which a disruption would have a broad impact on Americans, she said.
Update Oct. 13, 2022 20:02 UTC: Adds statement from EPA.