Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog


Cybersecurity for Critical Infrastructure: How CISA Programs, New Legislation Can Help

Recent efforts by the U.S. Cybersecurity and Infrastructure Agency, combined with significant bills coming out of the House and Senate, are putting critical infrastructure operators on a path towards achieving cross-sector visibility and strong operational technology security.

Nearly six months ago, the global coronavirus pandemic necessitated a massive, sudden pivot to remote work. Organizations and industries that never planned to enable employees to work from home found themselves scrambling to adapt. That pivot came with cybersecurity ramifications, forcing organizations to reevaluate their threat landscape and risk environment. For critical infrastructure owners and operators in sectors such as  healthcare, communications, defense and energy the shift to remote work was particularly concerning.

For instance, during this time, the pharmaceutical industry has been hard at work to develop treatments and vaccines for COVID-19, the illness caused by the novel coronavirus — a key step towards a return to normal. But as organizations focused on this work, bad actors, foreign adversaries and criminal organizations have stepped up cyberattacks against the industry. The risks of an attack on the development, manufacture and distribution of a vaccine pose significant national security, economic and societal dangers that put the importance of secure critical infrastructure into perspective.

In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) has been working to protect federal and critical infrastructure IT systems from exploitation by malicious actors during COVID-19.  But even before the pandemic, CISA had been working to secure industrial control systems (ICS) connected to critical infrastructure, including commercial manufacturing plants. In July, CISA released its ICS Strategy, which calls for empowering and educating ICS operators to secure their operations against cyberthreats. This is key: Operators from all sectors need tools, resources and expertise to defend themselves using basic cyber hygiene and vulnerability management practices. Galvanizing the ICS community to work across sectors and with government agencies will have a tangible impact on their security posture. CISA is leading the way in that plan.

But cyber hygiene and vulnerability management aren't enough to completely mitigate today's advanced threats. We also need cross-sector visibility and strong overall OT security and collaboration to help manage threats. CISA is currently in the process of refreshing the National Infrastructure Protection Plan, which was last updated in 2013. CISA is engaging with public and private stakeholders across all critical infrastructure sectors and from all levels of government in the update to this plan. Cross sector collaboration should be a key feature in the updated plan. In the instance of grid security, electric utilities should work together, not against each other, on security. Pharmaceutical companies should be sharing best practices to keep COVID-19 vaccine information and manufacturing plants secure.

CISA has also released cybersecurity best practices through its Cyber Essentials toolkits series. The most recent release, Essential Elements: Your Systems, leads with the essential action of learning what is on your network. This inventory of hardware and software assets is crucial because an organization's security team can't effectively protect connected assets if it's unaware of their existence.

As I noted in August during a webinar with Barak Perelman, Tenable's VP of OT Security, several of the security issues for critical infrastructure industries right now stem from a lack of awareness, and many OT operators don't know where to start. These measures will help to bridge that gap.

While CISA makes important strides on OT security through the agency process, Congress is also keenly aware of the threat. The Senate is working on the American Energy Innovation Act, which contains several provisions, including the PROTECT Act, the Enhancing Grid Security through Public-Private Partnership Act and the Energy Cybersecurity Act, that would help make significant strides towards securing the electric grid and the nation's energy infrastructure. Here's a closer look at some of these recent efforts:

  • The PROTECT Act, introduced by Sens. Lisa Murkowski (R-Alaska) and Joe Manchin (D-W.Va.), would establish a grant program within the Department of Energy (DOE) to help improve the cyber defenses of rural electric cooperatives — which are among our most vulnerable electric infrastructure — giving cooperatives the support they need to make vital cyber improvements. The act would also direct the Federal Energy Regulatory Commission (FERC) to use rate incentives to encourage electric utilities to invest in cybersecurity.  

  • The Enhancing Grid Security through Public-Private Partnership Act, introduced by Sens. Cory Gardner (R-Colo.) and Michael Bennet (D-Colo.) in the Senate, and Reps. Jerry McNerney (D-Calif.) and Bob Latta (R-Ohio) in the House, would give DOE the authority to provide cybersecurity assistance through a public-private partnership to resource-constrained electric utilities by providing tools for self-assessment, sharing of best practices and assistance with threat assessments and training.
  • The Energy Cybersecurity Act, introduced by Sens. Maria Cantwell (D-Wash.) and Martin Heinrich (D-N.M.), directs DOE to develop advanced cybersecurity applications and technologies for the energy sector through advancing the security of field devices and third-party control systems. DOE engagement with other appropriate federal agencies, the national laboratories and with industry stakeholders is a key component of this legislation.

In addition to the above measures, the House is currently considering the Clean Economy Jobs and Innovation Act, which includes cybersecurity provisions associated with electric grid modernization, smart buildings and smart manufacturing. It also incorporates cybersecurity research and development legislation sponsored by Reps. Ami Bera (D-Calif.) and Randy Weber (R-Texas), including important sections on grid resilience and vulnerability testing to improve energy sector cybersecurity.

This agency work and these aforementioned bills coming out of the House and Senate are all important and thoughtful steps towards securing the nation's energy infrastructure, but we shouldn't stop innovating and improving. For instance, energy cybersecurity legislation should require DOE to work closely with CISA on interoperable information sharing.

The American Energy Innovation Act and the Clean Economy Jobs and Innovation Act have several vital energy cybersecurity components and Congress should work quickly to further refine and pass this legislation.

As Perelman noted in our discussion last month, 15 years ago, we had to convince people that the threat to the electric grid was real. Now, Congress is taking important steps towards securing our OT infrastructure. I look forward to working with my colleagues and government partners on this important issue as industry co-chair of the Control Systems Working Group (CSWG). In this role, I'm thrilled to help develop the CSWG's strategy and work with industry and government stakeholders to implement our plans for collaboration and information sharing across sectors and fields to improve OT security and ensure we have a strong critical infrastructure foundation for years to come.

Learn more:

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try Tenable.io


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable.io Web Application Scanning


Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.



Buy Now

Try Tenable.io Container Security


Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try Tenable Lumin


Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.


Continuously detect and respond to Active Directory attacks. No agents. No privileges. On-prem and in the cloud.