CISA deepens coordination with agencies on ‘systemic’ risks

CISA is still on the hook to define "systemically important entities" as it responds to critical infrastructure risks ranging from cyber attacks to hurricanes.

The Cybersecurity and Infrastructure Security Agency is still analyzing the key cogs in U.S. critical infrastructure, as it ramps up its messaging during the agency’s “critical infrastructure security and resilience month.”

CISA has been in the news lately for its work on election security. But the agency this month is also pushing for all aspects of U.S. “critical infrastructure” — which includes water utilities, power grids, communications networks and more — to focus on security and resilience.

David Mussington, executive assistant director for infrastructure security at CISA, said the recent damage caused by hurricanes across the southeastern United States “emphasizes the importance of infrastructure resilience” from both man-made and natural threats.

“Cyber and physical risks and vulnerabilities are of concern. The natural environment, climate change and increasingly energetic storms that stress or potentially overturn hard won progress in building new infrastructure, that’s a concern,” Mussington said in an interview. “Making sure the communities have the best practices and knowledge that can be made available to them to protect themselves and the investments they make in infrastructure, resilience and recovery, those are the key themes that we have in mind for this year.”

CISA was designated the “national coordinator” for critical infrastructure under a national security memorandum issued by President Joe Biden earlier this year. In reality, it’s a role CISA has been playing for several years. But the memo formalized the designation and set several key deadlines for how agencies should approach their duties in managing risks to critical infrastructure.

Before the end of October, sector risk management agencies (SRMAs) — such as the Energy Department for the energy sector — were required to submit draft sector risk management plans to CISA to help inform the first “cross-sector risk assessment,” according to the memo.

And Biden’s memo also directs CISA to develop a list of “systemically important entities” based on the cross-sector assessment and other agency inputs.

An entity can be designated an SIE “based on the potential for its disruption or malfunction to cause nationally significant and cascading negative impacts to national security (including national defense and continuity of government), national economic security, or national public health or safety.”

The SIE list will “inform prioritization of federal activities, including the provision of risk mitigation information and other operational resources to non-federal entities,” the memo states.

Mussington said CISA’s National Risk Management Center is “underway” with its analysis of SIEs. The center established an office to serve as a focal point for the SIE analysis last year.

“What this is really about is making sure the systemically important entities that control or are responsible for key critical infrastructure assets are maximally known in terms of their criticality and that they’re properly supported by national policy and by the SRMA,” Mussington said.

While some have debated whether designated SIEs should be provided with additional resources or need to meet more stringent security requirements, Mussington said it’s also key for agencies to contextualize and monitor systemic risks.

“It’s not as simple as saying an entity is systemically important, therefore, do ‘X, Y, Z,’” Mussington said. “It’s about understanding systemically important entities in the context of what threat actors are trying to do, in terms of the vulnerabilities that exist, and in terms of how to best do an integrated plan to remediate risk over time, not instantaneously.”

The China-linked threat group Volt Typhoon has elevated concerns around the cybersecurity of key critical infrastructure like water and power. U.S. officials say Volt Typhoon has hacked into some critical infrastructure systems to pre-position for potentially destructive attacks.

Mussington said CISA is focused on studying the actions of groups like Volt Typhoon and combining those insights with known risks and vulnerabilities to help inform security and resilience initiatives, such as the agency’s cybersecurity guidance.

For instance, CISA’s advisory on Volt Typhoon highlighted the group’s “living off the land” technique of using built-in network administration tools to infiltrate IT networks.

“We can think about threats such as Volt Typhoon and others, where you have nation states, criminals and others who are targeting specific infrastructures in specific ways, addressing vulnerabilities in that light, in that context, is the best way to make lessons learned usable across infrastructures,” Mussington said. “And to allow the federal government to be a net value add to private sector and state and local governments that have the primary responsibility for assets that they own and know best.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories