Biden releases national security memo on critical infrastructure

“I think if we end up in a war — a real gun battle with a great power — it’s going to be the consequence of a major cyber intrusion, and it’s going to be exponential,” the president said.

Brad Williams

July 28, 2021

WASHINGTON: President Biden today released a national security memorandum on improving the cybersecurity of critical infrastructure, aimed at encouraging critical infrastructure owners and operators to voluntarily adopt better cybersecurity standards.

The memo is aimed at addressing what a senior U.S. administration official on Tuesday night called a “grossly inadequate” U.S. cybersecurity posture. It comes less than 24 hours after Biden said cyberattacks could one day lead to a “true shooting war.”

“I think if we end up with a war — a real gun battle with the great powers — then there’s a good chance we’ll end up with that war,” President Biden said on Tuesday during a visit to the Office of the Director of National Intelligence.

Among other things, the senior administration official said the national security memorandum will attempt to piece together the current “piecemeal adoption of sector-specific regulations, often discrete security threats to certain sectors of public concern.” The executive branch has the power to impose long-term network requirements on the private sector.

The memorandum specifically addresses industrial control systems (ICS) that monitor, regulate and automate operational technology (OT), a term that encompasses the hardware and software implementing the functions of physical infrastructure components such as circuit breakers, motors and valves. From power grids and telecommunications networks to manufacturing plants, mass transit systems and energy pipelines, OT is prevalent in critical infrastructure environments.

In some cases, a compromised ICS/OT network could allow an attacker to physically damage the system or even cause widespread disruption. Perhaps the most famous example is the Stuxnet incident, which occurred in 2010. Stuxnet took aim at the ICS that controlled centrifuges at Iran’s Natanz nuclear enrichment facility, eventually destroying the centrifuges and setting Iran’s nuclear program back several years. Stuxnet is widely believed to have been a joint U.S.-Israeli operation, but neither government has ever acknowledged participation.

The ransomware attack on U.S. oil pipelines in May illustrated a thorny problem: the convergence of traditional information technology and ICS/OT networks. In the pipeline incident, the company pre-emptively shut down the pipeline’s ICS/OT network to prevent attackers from moving from the IT network to the ICS network that controls pipeline operations, where they could potentially cause physical damage to the pipeline. The ransomware did not directly target the pipeline’s ICS/OT network, but the shutdown of the ICS network caused a general shortage of fuel up and down the East Coast for several days.

ICS/OT cyberattacks are also a growing concern for the Pentagon, whose bases are backed by potentially vulnerable networks at home and abroad. While the memo is not aimed at the USDA, the infrastructure needed to support military bases, such as electricity and water, often comes from utilities that have proven easy targets for threat actors. Pentagon planners have acknowledged fears that planes could be rendered unusable because hangar doors are locked, or that U.S. military personnel could be poisoned through a hacked water system.

The memorandum will address ICS/OT security in part through “cyber performance goals,” which the U.S. government expects critical infrastructure owners and operators to adopt voluntarily. The cyber leadership of the U.S. Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, and the National Institute of Standards and Technology will set performance goals.

About 80 to 90 percent of the infrastructure the U.S. government considers critical is owned and operated by the U.S. private sector. This complicates government efforts to protect government security, as private entities have historically been reluctant to allow state authorities to monitor or actively interfere with their networks. To that end, the senior administration official said securing critical infrastructure requires a “nationwide” approach, noting that “the federal government cannot do this alone.”

Another complicating factor is the lack of timely online information sharing between private sector entities and governments. Sen. Mark Warner (D-VA) and many others introduced bipartisan legislation last week that, if passed, would require critical infrastructure owners and operators to report to the government any “state threat” within 24 hours of discovery.

Because the U.S. executive branch has limited power to impose long-term cybersecurity mandates on the private sector, the memo is intended to encourage voluntary action. Permanent authorization requires passage by the U.S. Congress. However, the official said the administration is “exploring everything we can do to authorize (cyber) standards,” citing a new round of pipeline cybersecurity rules issued by the Transportation Security Administration last week.

The memo is just the latest in a government effort to bolster the nation’s cybersecurity after a series of high-profile cyberattacks over the past two years, including hacks of pipelines, SolarWinds and Microsoft Exchange servers, the latter of which was officially attributed to country A on July 19.

The memo followed, among other executive actions, a cybersecurity executive order in May, a 60-day ransomware “sprint” launched by the U.S. Department of Homeland Security in March (during which pipeline attacks occurred), and the Department of Energy’s April launch of an electric utility sector initiative aimed at cybersecurity.

The memo also follows warnings from other government entities, such as the NSA’s April call for a review of OT security. The NSA issued the advisory a week before the pipeline hack began.

The senior official said the memo is in line with the administration’s three-pronged approach to improving national cybersecurity. This approach includes modernizing cyber defenses, developing cyber-specific policies and government resources, and building international coalitions to counter states and criminals that carry out cyberattacks. The senior official said the memo was designed to directly address the first part of the administration’s strategy, the modernization of cyber defenses.

“I think we’ve shown a willingness to do the work we need to do,” the administration official said late Tuesday. “I think we’ve shown a willingness to share information in new ways, with a voluntary approach, but we also made it clear that given the magnitude of the threat, we need urgent action and we need to look at all options – voluntary and mandatory – to achieve the rapid progress we need.”