United States: President Biden Issues National Security Memorandum On Improving Cybersecurity For Critical Infrastructure Control Systems

On July 28, 2021, President Biden issued a “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems” (the “ICS Memo”). The ICS Memo—a product of the 100-day cybersecurity initiative we covered here—is a further step by the Biden-Harris administration to safeguard United States' critical infrastructure, including that of the electric power sector, from “growing, persistent, and sophisticated cyber threats” that could have “cascading physical consequences [and] . . . a debilitating effect on national security, economic security, and the public health and safety of the American people.”¹

The ICS Memo establishes an “Industrial Control Systems Cybersecurity Initiative” (the “ICS Initiative”) as “a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.”² The ICS Initiative's primary objective is to defend U.S. critical infrastructure “by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks,” with a primary goal of “greatly expand[ing] deployment of these technologies across priority critical infrastructure.”³

Work on what would become the ICS Initiative began in April 2021 with an “Electricity Subsector pilot,” and the administration has noted that “already over 150 electricity utilities representing almost 90 million residential customers are either deploying or have agreed to deploy control system cybersecurity technologies.”⁴ An “action plan for natural gas pipelines is underway, and additional initiatives for other sectors will follow later this year.”⁵

The ICS Memo directs the Secretary of Homeland Security, in coordination with the Secretary of Commerce (through the Director of the National Institute of Standards and Technology (NIST)) “and other agencies, as appropriate, [to] develop and issue cybersecurity performance goals for critical infrastructure to further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.”⁶ The administration “expect[s] those standards will assist companies responsible for providing essential services like power, water, and transportation to strengthen their cybersecurity.”⁷

Regarding timing, the ICS Memo directs the Secretary of Homeland Security to issue “preliminary goals for control systems across critical infrastructure sectors no later than September 22, 2021, followed by . . . final cross-sector control system goals” by July 28, 2022.⁸ In addition, “following consultations with relevant agencies, the Secretary of Homeland Security shall issue sector-specific critical infrastructure cybersecurity performance goals” by July 28, 2022.⁹ Thus, the precise contours of the electric power section goals/standards remain to be determined.

Finally, the ICS Memo states that, as part of the ICS Initiative, the federal government “will work with industry to share threat information for priority control system critical infrastructure throughout the country,”¹⁰ and directs “Sector Risk Management Agencies . . . and other executive departments and agencies . . . , as appropriate and consistent with applicable law, [to] work with critical infrastructure stakeholders and owners and operators to implement the principles and policy outlined” in the ICS Memo.¹¹ So, there will be more to come in this important and rapidly developing area.

Footnotes

1. Fact Sheet: Biden Administration Announces Further Actions to Protect U.S. Critical Infrastructure (July 28, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/fact-sheet-biden-administration-announces-further-actions-to-protect-u-s-critical-infrastructure (“Fact Sheet”).

2. ICS Memo § 2.

3. Id.

4. Fact Sheet at 2.

5. Id.

6. ICS Memo § 4(a).

7. Fact Sheet at 1.

8. ICS Memo § 4(b).

9. Id.

10. Id. § 3.

11. Id. § 3(b).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.