Amid rising threats to critical infrastructure, CISA developing ‘physical security’ goals

CISA is working on 'physical security' goals as officials warn about rising threats to critical infrastructure, such as attacks on the electric grid.

The Cybersecurity and Infrastructure Security Agency is known for putting out cybersecurity advisories and guidance that help network defenders stay aware of the latest digital threats and best practices.

But the infrastructure security division at CISA is also working on ways to raise awareness about all-encompassing “physical security” threats to critical infrastructure sectors.

David Mussington, CISA’s executive assistant director for infrastructure security, said the agency is now developing “physical security performance goals,” analogous to the cross-sector cybersecurity performance goals CISA published for critical infrastructure last year.

“Right now, they’re in interagency coordination,” Mussington said in an interview. “At some point in the future, after the interagency has their say, we’ll be doing coordination with stakeholders in different industry domains, to try and make sure that we have customized goals and practices that are refined in the context of specific industry needs.”

“It’s one thing to be general and say, yes, ‘one should manage insider threats.’ It’s quite another to say how to do that in a particular industry,” he added. “And that’s what we’re trying to try to work towards.”

One of CISA’s primary roles is serving as the “national coordinator” for critical infrastructure security and resilience. And Mussington noted that insider threats and other risks to the 16 critical infrastructure sectors are “worsening.”

Government officials have warned about an increase in both cyber and physical threats to U.S. critical infrastructure in recent years.

A 2023 assessment by the North American Electric Reliability Corporation (NERC) highlighted an increase in security incidents impacting electric infrastructure, including ballistic attacks, vandalism, intrusions and theft. It flagged threats from both foreign nations and domestic extremists.

NERC’s assessment also called for the development of cyber and physical standards for electric infrastructure.

In a follow-up email after Federal News Network’s interview with Mussington, a CISA spokeswoman said that once the physical security performance goals are finalized, the agency will work with other agencies and the private sector to determine whether sector-specific goals are necessary.

“The PSPGs will enable critical infrastructure owners and operators — particularly those with limited resources — to effectively identify and manage physical security risks, implement holistic security planning, and, when applicable, communicate funding needs for security enhancements,” the spokeswoman wrote. “It will also provide options to enhance security that are tailorable to the needs of each individual facility; this is important given the varying levels of funds available for security and tolerance for risk across organizations.”

Meanwhile, this past December, CISA released physical security performance goals specifically for faith-based institutions. The agency released the guidance after threats to religious institutions escalated following the onset of the Israel-Hamas war.

The document details steps those institutions could take to increase their security. They range from prevention and detection measures, like incorporating video surveillance and strong cyber hygiene, to response and recovery steps, such as having an emergency response plan.

Mussington said CISA’s objective with the faith-based guidance was to offer religious institutions concrete options for improving their physical security in an easy-to-understand format, instead of relying on the jargon of security professionals.

“It’s translated into a language that non-security professionals can understand in terms of infusing expertise into a program that the entities can create themselves,” Mussington said. “So it’s not sort of seeking to impose a single model on people, but it’s trying to give people access to abstract away from very complicated literature that may be in sources that people wouldn’t generally go to.”

As CISA develops security performance goals for broader critical infrastructure, Mussington said the agency’s follow-up work to translate high-level goals into specific practices for different industries and sectors will be crucial.

“There will be a general version, but goals applied to a specific business setting that allow you to put metrics together for your programs to see how you’re doing against best practices and against industry benchmarks,” Mussington said. “So benchmarking, lessons learned, and revisiting and refreshing familiarity with best practices through training of staff, training of managers, to make sure that they’re cognizant of what the risk situation is.”

‘National Safety Month’

The development of the goals comes as CISA prepares to raise public awareness of physical security during “National Safety Month” in June. The agency is pointing to its existing work in the physical security space, such as its bomb threat guide and insider threat mitigation guidance.

“It’s time for us to focus on how we keep working environments safe and free from danger,” Mussington said. “When it comes to running workplace safety, planning is central to what we need to do to avoid foreseeable and unforeseeable risks.”

Mussington also serves as chairman of the Interagency Security Committee, responsible for addressing governmentwide security for federal facilities. Much like with CISA’s cybersecurity work, the agency’s federal facility security messaging focuses not just on defenses, but on “resilience.”

“I think placing emphasis on resilience — the resilience of the federal ability to deliver services and the ability to maintain the safety and security of facilities — is key,” Mussington said. “That means that bounce back from disruptions is a central feature of these programs as well. It means that coming back with diminished service for a time while we restore full services in a security environment that unfortunately suffered an incident, is a part of our planning focus as well.”

Copyright © 2024 Federal News Network. All rights reserved.
