Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe
  • Twitter
  • Facebook
  • LinkedIn

Unpacking the U.S. National Security Memorandum on Improving Cybersecurity for Critical Infrastructure

Unpacking the U.S. National Security Memorandum on Improving Cybersecurity for Critical Infrastructure

Recent activity from the Biden Administration represents a watershed moment in the establishment of baseline standards for preparing, mitigating and responding to attacks that impact the critical infrastructure we all rely on.

On July 28, the Biden Administration issued the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. Given the recent increase in attacks on critical infrastructure and industrial operations, this is a much-needed step to protect U.S. critical infrastructure from cyberattacks, and comes on the heels of the Cybersecurity and Infrastructure Security Agency (CISA) guidance on Ransomware for OT issued in June 2021.

In the July 28 memorandum, the White House calls for a "whole-of-nation" effort to secure critical infrastructure from "growing, persistent, and sophisticated cyber threats" that could have "cascading physical consequences [and] . . . a debilitating effect on national security, economic security, and the public health and safety of the American people."   

The memorandum and the earlier CISA guidance on ransomware for OT represent a watershed moment in the establishment of baseline standards for preparing, mitigating and responding to attacks that can emanate from a variety of attack paths. With the rapid convergence of IT and OT infrastructures, new paths for attacks are emerging and have already been proven to directly impact the critical infrastructure we all rely on.  

What it means

The most substantive thrust of these government actions is recognizing and acting on the accelerated trend of reconnaissance and attack by establishing the Industrial Control Systems (ICS) Cybersecurity Initiative. The ICS Initiative is a voluntary, collaborative effort between the federal government and the critical infrastructure community to protect U.S. critical infrastructure "by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks," with a primary goal of "greatly expand[ing] deployment of these technologies across priority critical infrastructure."

Under the Initiative, the federal government will work with industry to share threat information for priority control system critical infrastructure, and sector risk management agencies will work with critical infrastructure stakeholders to implement the principles and policy outlined in the July 28 memorandum. 

The Initiative began in mid-April with an electricity subsector pilot. Over 150 electricity utilities representing almost 90 million residential customers are either deploying or have agreed to deploy control system cybersecurity technologies, a move that will be instrumental in stopping future attacks on our critical infrastructure.  In light of some of the most recent global attacks targeting oil and gas pipelines, a new action plan for natural gas pipelines is underway, and additional initiatives for other sectors will follow later this year.  The pilot plan for the electricity subsector could serve as an effective model. 

The bar is set

The memorandum calls for the creation of cyber performance goals for critical infrastructure companies, including the establishment of baseline cybersecurity performance standards and goals consistent across all critical infrastructure sectors that would be  jointly developed by CISA and the National Institute of Standards and Technology (NIST). Looking into the immediate future, the U.S. Department of Homeland Security (DHS) will issue preliminary goals for control systems across critical infrastructure sectors by September 22, 2021, followed by final cross-sector control system goals, and sector-specific goals, by July 28, 2022. 

In summary

Tenable encourages CISA and the U.S. government to take an open, technology-neutral, standards-based approach in the development of these goals. Core elements for consideration as the most appropriate and successful methods of disrupting attack paths and securing critical infrastructure and OT environments revolve around three key pillars:

  • Visibility: Gain full visibility and deep situational awareness across your converged IT/OT environment.

  • Security: Protect your industrial infrastructure from advanced cyberthreats and risks posed by hackers and malicious insiders.

  • Control: Take full control of your operations network by continuously tracking ALL changes to any ICS device.


Security professionals tasked with protecting critical infrastructure should use government guidance, such as the most recent memos, to proactively address new and emerging risks that can impact their OT environment and core mission of their organization. 

Learn more 

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now
Tenable.io FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.