Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Cybersecurity for Critical Infrastructure: How CISA Programs, New Legislation Can Help

Recent efforts by the U.S. Cybersecurity and Infrastructure Agency, combined with significant bills coming out of the House and Senate, are putting critical infrastructure operators on a path towards achieving cross-sector visibility and strong operational technology security.

Nearly six months ago, the global coronavirus pandemic necessitated a massive, sudden pivot to remote work. Organizations and industries that never planned to enable employees to work from home found themselves scrambling to adapt. That pivot came with cybersecurity ramifications, forcing organizations to reevaluate their threat landscape and risk environment. For critical infrastructure owners and operators in sectors such as  healthcare, communications, defense and energy the shift to remote work was particularly concerning.

For instance, during this time, the pharmaceutical industry has been hard at work to develop treatments and vaccines for COVID-19, the illness caused by the novel coronavirus — a key step towards a return to normal. But as organizations focused on this work, bad actors, foreign adversaries and criminal organizations have stepped up cyberattacks against the industry. The risks of an attack on the development, manufacture and distribution of a vaccine pose significant national security, economic and societal dangers that put the importance of secure critical infrastructure into perspective.

In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) has been working to protect federal and critical infrastructure IT systems from exploitation by malicious actors during COVID-19.  But even before the pandemic, CISA had been working to secure industrial control systems (ICS) connected to critical infrastructure, including commercial manufacturing plants. In July, CISA released its ICS Strategy, which calls for empowering and educating ICS operators to secure their operations against cyberthreats. This is key: Operators from all sectors need tools, resources and expertise to defend themselves using basic cyber hygiene and vulnerability management practices. Galvanizing the ICS community to work across sectors and with government agencies will have a tangible impact on their security posture. CISA is leading the way in that plan.

But cyber hygiene and vulnerability management aren't enough to completely mitigate today's advanced threats. We also need cross-sector visibility and strong overall OT security and collaboration to help manage threats. CISA is currently in the process of refreshing the National Infrastructure Protection Plan, which was last updated in 2013. CISA is engaging with public and private stakeholders across all critical infrastructure sectors and from all levels of government in the update to this plan. Cross sector collaboration should be a key feature in the updated plan. In the instance of grid security, electric utilities should work together, not against each other, on security. Pharmaceutical companies should be sharing best practices to keep COVID-19 vaccine information and manufacturing plants secure.

CISA has also released cybersecurity best practices through its Cyber Essentials toolkits series. The most recent release, Essential Elements: Your Systems, leads with the essential action of learning what is on your network. This inventory of hardware and software assets is crucial because an organization's security team can't effectively protect connected assets if it's unaware of their existence.

As I noted in August during a webinar with Barak Perelman, Tenable's VP of OT Security, several of the security issues for critical infrastructure industries right now stem from a lack of awareness, and many OT operators don't know where to start. These measures will help to bridge that gap.

While CISA makes important strides on OT security through the agency process, Congress is also keenly aware of the threat. The Senate is working on the American Energy Innovation Act, which contains several provisions, including the PROTECT Act, the Enhancing Grid Security through Public-Private Partnership Act and the Energy Cybersecurity Act, that would help make significant strides towards securing the electric grid and the nation's energy infrastructure. Here's a closer look at some of these recent efforts:

  • The PROTECT Act, introduced by Sens. Lisa Murkowski (R-Alaska) and Joe Manchin (D-W.Va.), would establish a grant program within the Department of Energy (DOE) to help improve the cyber defenses of rural electric cooperatives — which are among our most vulnerable electric infrastructure — giving cooperatives the support they need to make vital cyber improvements. The act would also direct the Federal Energy Regulatory Commission (FERC) to use rate incentives to encourage electric utilities to invest in cybersecurity.  

  • The Enhancing Grid Security through Public-Private Partnership Act, introduced by Sens. Cory Gardner (R-Colo.) and Michael Bennet (D-Colo.) in the Senate, and Reps. Jerry McNerney (D-Calif.) and Bob Latta (R-Ohio) in the House, would give DOE the authority to provide cybersecurity assistance through a public-private partnership to resource-constrained electric utilities by providing tools for self-assessment, sharing of best practices and assistance with threat assessments and training.
  • The Energy Cybersecurity Act, introduced by Sens. Maria Cantwell (D-Wash.) and Martin Heinrich (D-N.M.), directs DOE to develop advanced cybersecurity applications and technologies for the energy sector through advancing the security of field devices and third-party control systems. DOE engagement with other appropriate federal agencies, the national laboratories and with industry stakeholders is a key component of this legislation.


In addition to the above measures, the House is currently considering the Clean Economy Jobs and Innovation Act, which includes cybersecurity provisions associated with electric grid modernization, smart buildings and smart manufacturing. It also incorporates cybersecurity research and development legislation sponsored by Reps. Ami Bera (D-Calif.) and Randy Weber (R-Texas), including important sections on grid resilience and vulnerability testing to improve energy sector cybersecurity.

This agency work and these aforementioned bills coming out of the House and Senate are all important and thoughtful steps towards securing the nation's energy infrastructure, but we shouldn't stop innovating and improving. For instance, energy cybersecurity legislation should require DOE to work closely with CISA on interoperable information sharing.

The American Energy Innovation Act and the Clean Economy Jobs and Innovation Act have several vital energy cybersecurity components and Congress should work quickly to further refine and pass this legislation.

As Perelman noted in our discussion last month, 15 years ago, we had to convince people that the threat to the electric grid was real. Now, Congress is taking important steps towards securing our OT infrastructure. I look forward to working with my colleagues and government partners on this important issue as industry co-chair of the Control Systems Working Group (CSWG). In this role, I'm thrilled to help develop the CSWG's strategy and work with industry and government stakeholders to implement our plans for collaboration and information sharing across sectors and fields to improve OT security and ensure we have a strong critical infrastructure foundation for years to come.

Learn more:

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training