Skip to main content
close search
site logo
Dive Brief

CISA wants to identify the most vulnerable critical infrastructure

Published Nov. 1, 2021
Samantha Schwartz's headshot
Samantha Schwartz Reporter
CISA, cybersecurity, agency
Photo illustration by Danielle Ternes/Cybersecurity Dive; photograph by yucelyilmaz via Getty Images

Dive Brief:

  • The Cybersecurity and Infrastructure Security Agency (CISA) is identifying what critical infrastructure would most impact U.S. national security and economy if hacked, according to CISA Director Jen Easterly during a virtual Center for Strategic and International Studies event. CISA is basing its analysis on economic and network centrality, and "logical dominance in the national critical functions," she said. 
  • CISA joins the Cyberspace Solarium Commission (CSC) in efforts to identify systematically important critical infrastructure (SICI), which CISA refers to as primary systemically important entities (PSIE). CSC recommended that Congress "codify the concept of" SICI, in its inaugural report last year.
  • "We're going to move forward and do it, whether it ends up in legislation or not," Easterly said. Though if PSIE- or SICI-related proposals end up in law, "it will be very helpful in continuing to bring the private sector to the table … We're in a state right now where critical infrastructure is much more vulnerable than it should be."

Dive Insight:

CISA is fast-tracking critical infrastructure categorization, and the companies most vulnerable to cyberattacks. The CSC wants Congress, after identifying these organizations, to ensure "the full support of the U.S. government and shoulder additional security requirements" to suit their "unique status and importance." 

In October, Rep. John Katko, R-N.Y., and Rep. Abigail Spanberger D-Va., proposed the Securing Systemically Important Critical Infrastructure Act, which would direct CISA to prioritize benefits for the owners and operators of specified critical infrastructure. Katko could see the bill included in the FY2022 National Defense Authorization Act (NDAA), he said during the webcast. 

Under Katko and Spanberger's bill, CISA would have to consult with the heads of Sector Risk Management Agencies (SRMAs) and create a methodology for determining what elements of critical infrastructure meet the threshold of maximum national security and economic impact. 

The bill also asks for identified critical infrastructure companies to have prioritized representation in CISA's Joint Cyber Defense Collaborative (JCDC)

The proposal is in line with what the CSC asked for, where the government is "assured that these companies are taking their security responsibilities seriously, honoring the public trust that appertains to the services and functions they provide," the report said. 

What the government is working toward is something the private sector needs — different treatments based on the uniqueness of each critical infrastructure sector. In March, the White House announced it was reviewing OT/ICS operators, and prioritizing bigger utilities impacting larger populations. And in July, the Biden administration signed the National Security Memorandum, which tasked CISA with developing performance goals for critical infrastructure. 

Cyberattacks on critical infrastructure this year — particularly Colonial Pipeline and JBS USA — already led to firsts in cybersecurity requirements. In May, the Transportation Security Administration (TSA) announced two pipeline-specific cybersecurity directives. The TSA gave aggressive timelines for pipeline owners and operators to meet, though administrators said the TSA is willing to work with companies if they submit alternative procedures. 

Owners and operators using OT and industrial control systems (ICS) worry that the new requirements could impact the safety of their equipment if they move too rapidly. Meanwhile, the TSA admittedly is understaffed in cybersecurity

A similar announcement was made for railroad and airport operators in October. Secretary of Homeland Security Alejandro Mayorkas announced the TSA will also issue mandatory requirements for transportation sectors operating in the air, land or sea. Owners and operators will have to report incidents to CISA, though the complete published regulations are expected by the end of the year. 

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell