President Biden on Wednesday signed a national security directive intended to set performance standards for technology and systems used by critical infrastructure, which includes the food sector.
The directive instructs federal agencies of jurisdiction, including the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards and Technology (NIST), to work with other federal agencies to develop voluntary cybersecurity standards for companies that operate critical infrastructure.
“Currently, federal cybersecurity regulation in the United States is sectoral,” the directive said. “We have a patchwork of sector-specific statutes that have been adopted piecemeal, as data security threats in particular sectors have gained public attention. Given the evolving threat we face today, we must consider new approaches, both voluntary and mandatory. We look to responsible critical infrastructure owners and operators to follow voluntary guidance as well as mandatory requirements in order to ensure that the critical services the American people rely on are protected from cyber threats.”
The directive also formally establishes the President’s “Industrial Control System Cybersecurity (ICS) Initiative.” The ICS initiative is a “voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings.” The directive noted that the ICS initiative began in mid-April with the Electricity Subsector, has expanded to natural gas pipelines, and additional initiatives for other sectors “will follow later this year.”
Following the Colonial Pipeline cyber incident, DHS issued a Security Directive to pipeline owners and operators that included certain mandates such as reporting a cyber incident within 24 hours to appropriate federal agencies and appointing a 24/7 cyber coordinator to liaise with the government.
DHS on July 20 issued a second directive that required pipeline owners and operators to implement further security measures. The text of the second directive was not released, but a White House fact sheet noted that the directive required pipeline owners and operators to implement “specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems within prescribed timeframes” as well as to develop and implement “a cybersecurity contingency and recovery plan” and conduct an “annual cybersecurity architecture design review.”
President Biden in May signed an Executive Order that established standards for U.S. agencies and their contractors, which included mandates to use practices like multi-factor authentication (MFA) and data encryption as well as mandatory data disclosure standards in the event of hacks.