Countdown to shutdown:

DHS names China, AI, cyber standards as key priorities for critical infrastructure

Agencies that oversee critical infrastructure are developing new sector risk management plans, with cybersecurity continuing to be a high priority.

Agencies that oversee critical infrastructure should address threats posed by China and work to establish baseline cybersecurity requirements over the next two years.

That’s according to new guidance signed out by Homeland Security Secretary Alejandro Mayorkas on June 14. The document lays out priorities over the next two years for sector risk management agencies. SRMAs are responsible for overseeing the security of specific critical infrastructure sectors.

“From the banking system to the electric grid, from healthcare to our nation’s water systems and more, we depend on the reliable functioning of our critical infrastructure as a matter of national security, economic security, and public safety,” Mayorkas said in a statement. “The threats facing our critical infrastructure demand a whole of society response and the priorities set forth in this memo will guide that work.

The memo follows on the heels of a national security memorandum signed by President Joe Biden earlier this year. The memo seeks to expand federal oversight of the critical infrastructure sectors. It specifically directed SRMAs to develop new sector risk management plans in the coming year.

China, AI and space

In his memo this week, Mayorkas highlights “cyber and other threats” posed by China as a key priority risk area. U.S. officials earlier this year said Chinese hackers had breached the networks of multiple U.S. critical infrastructure networks.

“Attacks targeting infrastructure essential to protect, support, and sustain military forces and operations worldwide or that may cause potential disruptions to the delivery of key goods or services to the American people must be our top priority,” the memo states. “Leveraging timely and actionable intelligence and information and adopting best practices for security and resilience, SRMAs, critical infrastructure owners and operators, and other SL TT and private sector partners shall devise and implement effective mitigation approaches to identify and address threats from the PRC, including plans to address cross-sector and regional interdependencies.”

It also encourages agencies to work with their respective sectors to mitigate risks posed by artificial intelligence and emerging technologies. Mayorkas also highlights the need to address climate risks, supply chain vulnerabilities, and a growing reliance on space systems, respectively.

Critical infrastructure ‘resilience’

Meanwhile, the memo also highlights several specific mitigation strategies that SRMAs should work into their plans. It specifically states SRMAs should work with critical infrastructure owners and operators to “develop and adopt resilience measures, anticipate potential cascading impacts of adverse incidents, and devise response plans to quickly recover from all types of shocks and stressors.”

“While we cannot keep determined advanced persistent threats or ransomware actors completely at bay or prevent severe weather occurrences, we can minimize the consequences of incidents by understanding critical nodes, assessing dependencies within systems, and developing plans to ensure rapid recovery,” Mayorkas writes.

Furthermore, the memo continues the Biden administration’s push to set minimum cyber standards across critical infrastructure sectors.

“Individual critical infrastructure owners and operators must be encouraged by SRMAs and, where applicable, held accountable by regulators for implementing baseline controls that improve their security and resilience to cyber and all hazard threats,” the memo states. “Establishing minimum cybersecurity requirements as part of these efforts to secure critical infrastructure also aligns with the 2023 National Cybersecurity Strategy.”

Mayorkas points to the Cybersecurity and Infrastructure Security Agency’s Cyber Performance Goals, as well as the National Institute of Standards and Technology’s Cybersecurity Framework 2.0, as models for cyber protection standards.

“DHS will work with SRMAs, regulators and private sector entities to ensure that baseline requirements are risk informed, performance-based and to the extent feasible, harmonized and to develop tools that support the adoption of such requirements,” Mayorkas adds.

The memo also encourages agencies to incentivize shared service providers to adopt stronger security measures. And it highlights the need to “identify areas of concentrated risk and systemically important entities.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Getty Images/iStockphoto/Andrii Panchykcybersecurity

    Amid rising threats to critical infrastructure, CISA developing ‘physical security’ goals

    Read more