The critical infrastructure executive order is strictly voluntary.

Edward Gately, Senior News Editor

July 29, 2021

4 Min Read
Executive Order
Shutterstock

President Biden on Wednesday signed a cybersecurity executive order aimed at better protecting critical infrastructure from ransomware and other attacks.

The Industrial Control System Cybersecurity Initiative sets performance standards for technology and systems used by private companies in food, energy, water and power. However, it can’t force those companies to comply.

“The primary objective of this initiative is to defend the United States’ critical infrastructure by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks,” Biden said. “The goal of the Initiative is to greatly expand deployment of these technologies across priority critical infrastructure.”

This action follows recent ransomware attacks on Colonial Pipeline and JBS USA.

Initiative Recognizes Need to Protect Critical Infrastructure

Nachreiner-Corey_WatchGuard-Technologies.jpeg

WatchGuard’s Corey Nachreiner

Corey Nachreiner is WatchGuard Technologies‘ chief security officer. He said the initiative recognizes the “very real need to defend against threats to critical infrastructure like our electrical grid, gas pipelines and water treatment facilities.”

“I believe the federal government should help to protect critical infrastructure,” he said. “It’s important to note, however, that the [initiative] is a voluntary collaborative effort in which federal cybersecurity agencies will advise the ICS community on the technical security controls they should deploy to help thwart, monitor, detect and alert against threats to their systems. Ultimately its success or failure will depend on two things: the actual technical details of the government’s recommendations and the fines or impacts imposed if the recommendations aren’t followed.”

So far, the administration hasn’t shared any specific recommendations, just that they will collaborate to help, Nachreiner said.

“The initiative will start with electricity companies before expanding to include other critical infrastructure providers,” he said. “While the administration intends to have performance goals for this initiative, they haven’t defined them yet. Also, since the initiative is voluntary for now, there are no consequences for private ICS businesses that choose to ignore it. Without the details and more teeth, it’s hard to say if this program will have any impact.”

Congress Considering Similar Initiatives

Clemenson-Jon_TokenEx.jpg

TokenEx’s Jon Clemenson

Jon Clemenson is director of information security at TokenEx. He said it’s “great to see measured steps in the right direction.”

“There are several, similar initiatives also working through Congress at the moment,” he said. “An incident reporting bill, a bill to establish a civilian cyber reserve [and] another that removes punitive damages levied against organizations with appropriate cyber controls in place, essentially a carrot to incentivize the positive action of organizations versus the stick of litigation or being made example of. All good initiatives to bring cybersecurity and data protection process and technology to the forefront of actions for all organizations, not just federal.”

Often in cybersecurity, the government does something first and then efforts trickle down to private sector organizations, Clemenson said.

“My challenge to organizations is why wait when the solution is deceptively simple and right in front of you?” he said. “Concerned about breaches? Then consider tokenization in addition to encryption. Building trust with clients, showing insurance companies that your organization is taking proactive action above and beyond the basics, and enabling data flow while simultaneously protecting the data, the list of benefits goes on.”

Promoting Technological Advancements

Jones-Neil_Egnyte.jpg

Egnyte’s Neil Jones

Neil Jones is cybersecurity evangelist at Egnyte.

“In reviewing the details of the Biden administration’s new cybersecurity memorandum, the term ‘cybersecurity performance goals for critical infrastructure’ was music to my ears,” he said. “For far too long, organizations have been able to view cybersecurity protection as a nice-to-have, rather than as a mission-critical imperative that’s subject to associated performance metrics. I am also excited to see that the … initiative will promote technological enhancements that enable organizations to view, detect and respond to threats more quickly and effectively.”

The only potential downside is that it’s a voluntary program, “so we will need to monitor future participation, or the program may not make a meaningful impact,” Jones said.

“Finally, the second TSA directive for critical pipeline owners and operators should significantly improve protection from ransomware attacks such as Colonial Pipeline, and the directive’s cybersecurity contingency and recovery plan will allow affected organizations to rebound more rapidly,” he said.

Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.

Read more about:

MSPsVARs/SIs

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like